berbew | 84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12

Analysis

max time kernel
96s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
Size

93KB
MD5

68bb3322bec3964bfa0c7b70f4372940
SHA1

e2f75275a8f8b7140f7f922fc14bd3890181a2d2
SHA256

84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12
SHA512

f9a2dac2c7bfca1b3307dcd741421d5944ce6b2e8dab9ae88c41bf31c84328a789b8dc074ccffd3409141cb8579e4299148af9f9b1ede9dd30905240c9627f5c
SSDEEP

1536:GRCOhVCGZGGYpdtKFQvMqnanmvhe/QlO7uXcNvvm5yw/Lb0OUrrQ35wNBUyVVM:WhMGgPtKnqnanmvhe/T7usluTXp6UZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 27 IoCs

pid	Process
4924	Bmemac32.exe
2536	Belebq32.exe
2320	Cjinkg32.exe
4888	Cndikf32.exe
772	Cenahpha.exe
4592	Cfpnph32.exe
1708	Cmiflbel.exe
752	Cdcoim32.exe
3008	Cnicfe32.exe
3596	Ceckcp32.exe
4008	Cfdhkhjj.exe
5000	Cmnpgb32.exe
3588	Chcddk32.exe
216	Cnnlaehj.exe
1312	Ddjejl32.exe
2612	Dfiafg32.exe
3904	Danecp32.exe
4636	Djgjlelk.exe
4796	Daqbip32.exe
3508	Dhkjej32.exe
3740	Dfnjafap.exe
4408	Daconoae.exe
2460	Deokon32.exe
428	Dhmgki32.exe
2760	Daekdooc.exe
5044	Dgbdlf32.exe
3120	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dhmgki32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4564	3120	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4924	2856	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe	83
PID 2856 wrote to memory of 4924	2856	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe	83
PID 2856 wrote to memory of 4924	2856	84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe	83
PID 4924 wrote to memory of 2536	4924	Bmemac32.exe	84
PID 4924 wrote to memory of 2536	4924	Bmemac32.exe	84
PID 4924 wrote to memory of 2536	4924	Bmemac32.exe	84
PID 2536 wrote to memory of 2320	2536	Belebq32.exe	85
PID 2536 wrote to memory of 2320	2536	Belebq32.exe	85
PID 2536 wrote to memory of 2320	2536	Belebq32.exe	85
PID 2320 wrote to memory of 4888	2320	Cjinkg32.exe	86
PID 2320 wrote to memory of 4888	2320	Cjinkg32.exe	86
PID 2320 wrote to memory of 4888	2320	Cjinkg32.exe	86
PID 4888 wrote to memory of 772	4888	Cndikf32.exe	87
PID 4888 wrote to memory of 772	4888	Cndikf32.exe	87
PID 4888 wrote to memory of 772	4888	Cndikf32.exe	87
PID 772 wrote to memory of 4592	772	Cenahpha.exe	88
PID 772 wrote to memory of 4592	772	Cenahpha.exe	88
PID 772 wrote to memory of 4592	772	Cenahpha.exe	88
PID 4592 wrote to memory of 1708	4592	Cfpnph32.exe	89
PID 4592 wrote to memory of 1708	4592	Cfpnph32.exe	89
PID 4592 wrote to memory of 1708	4592	Cfpnph32.exe	89
PID 1708 wrote to memory of 752	1708	Cmiflbel.exe	90
PID 1708 wrote to memory of 752	1708	Cmiflbel.exe	90
PID 1708 wrote to memory of 752	1708	Cmiflbel.exe	90
PID 752 wrote to memory of 3008	752	Cdcoim32.exe	91
PID 752 wrote to memory of 3008	752	Cdcoim32.exe	91
PID 752 wrote to memory of 3008	752	Cdcoim32.exe	91
PID 3008 wrote to memory of 3596	3008	Cnicfe32.exe	92
PID 3008 wrote to memory of 3596	3008	Cnicfe32.exe	92
PID 3008 wrote to memory of 3596	3008	Cnicfe32.exe	92
PID 3596 wrote to memory of 4008	3596	Ceckcp32.exe	93
PID 3596 wrote to memory of 4008	3596	Ceckcp32.exe	93
PID 3596 wrote to memory of 4008	3596	Ceckcp32.exe	93
PID 4008 wrote to memory of 5000	4008	Cfdhkhjj.exe	94
PID 4008 wrote to memory of 5000	4008	Cfdhkhjj.exe	94
PID 4008 wrote to memory of 5000	4008	Cfdhkhjj.exe	94
PID 5000 wrote to memory of 3588	5000	Cmnpgb32.exe	95
PID 5000 wrote to memory of 3588	5000	Cmnpgb32.exe	95
PID 5000 wrote to memory of 3588	5000	Cmnpgb32.exe	95
PID 3588 wrote to memory of 216	3588	Chcddk32.exe	96
PID 3588 wrote to memory of 216	3588	Chcddk32.exe	96
PID 3588 wrote to memory of 216	3588	Chcddk32.exe	96
PID 216 wrote to memory of 1312	216	Cnnlaehj.exe	97
PID 216 wrote to memory of 1312	216	Cnnlaehj.exe	97
PID 216 wrote to memory of 1312	216	Cnnlaehj.exe	97
PID 1312 wrote to memory of 2612	1312	Ddjejl32.exe	98
PID 1312 wrote to memory of 2612	1312	Ddjejl32.exe	98
PID 1312 wrote to memory of 2612	1312	Ddjejl32.exe	98
PID 2612 wrote to memory of 3904	2612	Dfiafg32.exe	99
PID 2612 wrote to memory of 3904	2612	Dfiafg32.exe	99
PID 2612 wrote to memory of 3904	2612	Dfiafg32.exe	99
PID 3904 wrote to memory of 4636	3904	Danecp32.exe	100
PID 3904 wrote to memory of 4636	3904	Danecp32.exe	100
PID 3904 wrote to memory of 4636	3904	Danecp32.exe	100
PID 4636 wrote to memory of 4796	4636	Djgjlelk.exe	101
PID 4636 wrote to memory of 4796	4636	Djgjlelk.exe	101
PID 4636 wrote to memory of 4796	4636	Djgjlelk.exe	101
PID 4796 wrote to memory of 3508	4796	Daqbip32.exe	102
PID 4796 wrote to memory of 3508	4796	Daqbip32.exe	102
PID 4796 wrote to memory of 3508	4796	Daqbip32.exe	102
PID 3508 wrote to memory of 3740	3508	Dhkjej32.exe	103
PID 3508 wrote to memory of 3740	3508	Dhkjej32.exe	103
PID 3508 wrote to memory of 3740	3508	Dhkjej32.exe	103
PID 3740 wrote to memory of 4408	3740	Dfnjafap.exe	104

C:\Users\Admin\AppData\Local\Temp\84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe
"C:\Users\Admin\AppData\Local\Temp\84dce1608fcc26b18deab1834a1c44e8c5c6a0dab261da946f0c87914494fd12N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Bmemac32.exe
  C:\Windows\system32\Bmemac32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\Belebq32.exe
    C:\Windows\system32\Belebq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\Cjinkg32.exe
      C:\Windows\system32\Cjinkg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
      - C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 396
        29⤵
        Program crash
        
        PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3120 -ip 3120
1⤵
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Belebq32.exe

Filesize
93KB

MD5
eb30e850df8dfab607ee2fd0c548ac54

SHA1
28a29c4f13fc93b888519fb16a836732309a6396

SHA256
fb85c689abed7d47b9fba414cd22e6aea865165addb8fe2ee4a4156928e0fad8

SHA512
99a53f7c6b0afb1c69b20b282fe01b767ac3760eba6bf72568849ab9065e0b682c4228daf2a0563b0a492c3ee28a701b6e28eb3ad93e892ca3c0629f6045df36

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
93KB

MD5
7ee59a4a950b9e1e1b787db2fcc85dde

SHA1
dd094eca01509afa82e809636057bb212327bed3

SHA256
c70fd11e0b47e916689ee80de651f1f9a209d24f5cb75f57487fdfd9c11a5423

SHA512
5c31ae5476e756bbe19ed6b78c310ce82c83044a51310691d26f3181a80b7d88cc25d63e04dc5c549310de70c8ceb463c17ab5dff27c9b5438324cfab592b2e4

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
93KB

MD5
57baae43400f87dcc05b184cadd4510b

SHA1
8b8421e6e97af669dd6f5c28613c246787b29769

SHA256
adfc0523eab2340563a83cab1ee2af2b5116b691782c23b7f9e5615d361bcfcc

SHA512
2783a79fea6c99449c17a1d2ea6f34aa85f9313d406f84e9ff0cb130fb6b04c5d09ae6a82215ffe43d7b5d27c5f74a6f0c74ebe63ed8c861fee0489bad54ed67

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
93KB

MD5
c73ca430ebc0d6c04b72782658069fbe

SHA1
43f8e3fde02ebe9bbf31cc006479659967f2346d

SHA256
1b0bc659e67eb1f2cee49984d59af1a86af8965a52d1adc667feaf18fbe8ff76

SHA512
0d10850bde05a2339bf13d1ead0b55cdb0e37d0125ced183e653342da319d18442c8e06fd0efc1e7fd6dd91f7b3da4715c80189fd0b7c45aae91d6ab6eb65356

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
93KB

MD5
034e33e2844417fe61e0a8e940d2f3b2

SHA1
31c84589f6d4bce2debe73514d278e70215174a2

SHA256
a291751a452d421afebfb69b63f5a3ae4aa2819cc7c4228cb068fb0e67c72dd2

SHA512
756899d87d5996795c1b79d631b586b99204998b1f9541691e8984377540539088ff58ab994d2f817a890e7bfa278a9f2f6a3c185afd7c78f7debde520736a25

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
93KB

MD5
709e69ba683cb2c912c3943f238cb532

SHA1
89d81dc3ae2f02a86c5c899161f34f81918435ed

SHA256
290efdb711226b26fb27c7858d66baf8ac31261ada48127bdd8d9c0e5e6fbe5b

SHA512
88d460cbb429259d425642dd175b2027f725333e2afbde7811177f7e369a1fd62d693452d0a3c1ce7dd8cfd82ef377a80fa56f3875e39d47f963a9b55bf54c41

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
93KB

MD5
eb6d21f4fc7d244e2c56322c911ecf77

SHA1
2f99bde5fa32bb93135cbcb56967d224f43bb742

SHA256
3167e3286f4eac0343c71a4d02eb261c878d24f469405929ee8c1a918c32c9cf

SHA512
d954a001573103e3ded8f3e6a4fc918c70a5edd49ececb214ac38f8e5bf3bc350bf15c958c42203cb0159cfbfd96b552284218f13b14afd027c89b0a3263359d

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
93KB

MD5
59ec93e745f37ca427ed9c99abb3530a

SHA1
881ba79acb325bd83e26abefbd00c07407f2cb0c

SHA256
f1db3908393e4004a4d93e236f5c6faaa81081c740ebb0d9658c351cd2dc3d41

SHA512
a06f4010ed894c7ab6374c094f7fcdb587ad12272bdd98ca16547dbb972f4354762c771c03151d6bee0510fecdef38002da2d23a974d7758f7dc22c3d1a7d467

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
93KB

MD5
85c99703a96272107274cfcb0831a68d

SHA1
a5a8aa4b9bc823d38d6a40b4f64debce30880fff

SHA256
713b730c730f16033fa454eb3a18d7798df5050ef33ce2f21d8224adf3fc1726

SHA512
f7f1e0f833ddee011316f29357666c8fc368468bea474eb2bc569c10b314470b33f31bf3296fa5313d657b4321da4a8db5ad8505059d3fabfc50d91585498caa

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
93KB

MD5
b00da5ba2980a0a0acd822fa275057a1

SHA1
49767d173f1f95fe921520f3f887d94b646293b9

SHA256
61705b44fe587c4907434ab4adb59a3c89e5fa0924c3b299146ab05a0f11a7d8

SHA512
17f8bfe3ca3d94aa0032dd7cd1d32d1197c20895b7144d33a7d75230c44f934f4abf4b3172c07c163067ad63bfbace4e768817b1d5eb259e4120a9fa69c28d4b

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
93KB

MD5
32a4bca6e94e216f95c47bd7c42529af

SHA1
7f311aaa5630571e76df0e4ef1285f84dd2c747b

SHA256
0e3eb317f9dea7c840519e5a0b5dbd6aaf4cf034a5d467fbe38f1e3bd5b7304b

SHA512
a8d74b3917490cdef7483771ddf1883d8186f0d799f98d65115f38b7ac0caf506c6224056a72eb35079ba959bb9368f506a54523355ce038c704717070a6beb7

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
93KB

MD5
c069acc9dc1a18be11a8a680fbc367b2

SHA1
e0a67ce2f6decdf954c484db48a827984e9b5e0f

SHA256
d5ab3aed0d1ef067abdf7d13f616d86eade7d8a7b5f2f111417bbc6271e60953

SHA512
74cc247d86e50437fe8a0a46fc41f2fcd68e1f0976b41238ae8e20a0176b2b533bb819721ba650798b431925464b8ab0ba5932bab5ae2440dfbcad2651e84286

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
93KB

MD5
761ac3ab5008c7fa7a50f63ef7e0da4d

SHA1
7a71119eabcfc6bc442db1e61ec77d0b32f2bade

SHA256
4bdb7257401e17c0bba88999c5c98fca96f4c307dfb39c3697b0830ec9b56439

SHA512
baf5bd7b7bccaa8b9607409aec4d11a93b26840ba57673737a7f93aa26e610a79c6d26749bf725b42ce08cbd905d50ba6a6c2f8c8d6d5c6619c77f2e50ac0b85

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
93KB

MD5
0fa4dcbb6148b10f0b23f76ce7125fd7

SHA1
5266b16df1f4ee198b737a6a9531376f141f8cba

SHA256
b84f3119db30ec4fc938c656bceec21fc74b013d3ae65c0df5bc19a1d32d394d

SHA512
ce32539de695363ecfde1666f514ce5997bf7ce4d1873b3c751f6c06fe71b8a2880ad5fdfadddf4767da1c35a1766bb3b30335f42161762e23580747229e42f9

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
93KB

MD5
8e5dadb3ed51214de0747fdd79f0f056

SHA1
739fcfd3c77b659d0c6defe9176c8b4f3d98112d

SHA256
c986ac3175ce22d3f6a78544d052e2c9274fa54b6022093ba28de3c63e2c8b83

SHA512
82a47e2cd60356d5eadd2c482bd084f0fddc751c1cc583d127fec298b877e07bd93b5c4981e857bb3ed0be7e478ed98cf3eb8b661b29eb3b2d4b3d51d5c7e11b

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
93KB

MD5
f39f91a46cfe196aa7090917f042081f

SHA1
e539f87625e548f3b8e2ace2aa191fd5e7e4d400

SHA256
220cac8b764b95d5e84ca80515e333b39f5e19c5e0bccf14bb99ef6c401be325

SHA512
4646543f69169cb642fd668a096cca0a0142a700e1da08309bf258be00c2b44fb74b3de9cc59309bd771e5cf1a134c9d61a75f3aef217e9f2b023e73f5c241b1

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
93KB

MD5
f6364c36d0014c33765cdfc289bddeea

SHA1
c143c339306ea2acb075811f568f21fefb6b6140

SHA256
63a8aa544a2a702d93ee75f900c7218f13e4157d6bf5c0ebc47f6a4fbc77ebe6

SHA512
173e3d31445299e2178bbbb281ae1f516e8fa29d6f66d22ea1d362eb0a5c03daeadd84dfe931b3ced9d9462dfa6d9bc7f67df21d7ee2f5d621d4417349a71f73

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
93KB

MD5
a58a22898e7a3865d8d5beec040e5c7c

SHA1
181522bb2fac749f0cf56e96fb2e04f578120115

SHA256
00cd6f6d0e1e85005f119bb2294fdc9c99adbfedf70a51586e2bbafc4fb8c0db

SHA512
14212b7733884be3499b45dbda1c4ddcc7b52e5746adf8e8e7631770f3352fbf29cb402ff4b995a1318f9f162bb7d56437b49ec299d9e34588d0761b68b01ecc

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
93KB

MD5
fc272687429b79e106e34903557a710c

SHA1
f35e647309b984d0f2ed842238d590d14f3ead23

SHA256
2a3725661ce1aa4b8737e07d9cb15b08034b27c1452a45351060e738d768af49

SHA512
ba654277c36ebdbddb0e8df2f9f92135381cf74d869d927676ac65ab153db064399d4aab983c740276d3031581998cfb7aad7a992ba0407d0a4a87a9bc15afcd

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
222d7cb9a6bfce69ad1d873044e098e7

SHA1
e8fd08e2e20565612eaae48b4b3fcc691c8d15cf

SHA256
9934e98f4194807f3f46c06348e87d6822a20266ba6e614513cd684d263a5029

SHA512
fdf1097b81121beda98af8f46cef3ccfc6a0898bf2a615c2377b09f156839c68c583dfccfbcb8551c25caa4ecbcecd99330e566b4ea198455a24b32cce9ff9c0

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
93KB

MD5
4a404206fc6fafeb73b33bcccb993335

SHA1
aef15d36783145d013afc4a92807c2b44d31f124

SHA256
1ad1d03ed24dbb4149848ac3e00774b3a360fa69e912fbddf6eb5eef06467f65

SHA512
94597601b76f0e1ef1040a56128d6c1bd8d1100179c8c9f20303d340383e5ce2071f47b35830040a760ccf6497cb69cdaa372325040a58de3e1172b6aaa66a39

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
93KB

MD5
1008145e290b498e5102fe357d044535

SHA1
89ac1f0b9052793ee45cc17bbbe9f686a7d28577

SHA256
da0092995f0b24c41d41ad771e7eaea671925956faa67471248fadd072212337

SHA512
ed88ff3ac99b5cefb1fe089a0495c3853d4f62a59c0a754a7c38947a71c5e63c2d3dc93d6d3fa54f824bc17c30274920925547a969ddca1cf6405fbdaff750b6

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
93KB

MD5
69eb2e9138fd2e4799cb817e4d38a370

SHA1
dafd422098dd5d8d8b91002bf34f638788454d40

SHA256
9554759c889c32687a8a137e95c256275b85ea53a662edabd221933134bb7dfe

SHA512
57e124eeb5b66f2becb278ac429b97bc7efa472ec0cfcb7d15d6893075e76578d9deadc947385c6672fd8131c4dc2fb39c587b853153be59e76710ae7f8aa2d6

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
93KB

MD5
198aaee50f77d657ee323a3ab60394bf

SHA1
ee0db5d919db1d21182052439724b718f422dcab

SHA256
6f2797771ced4bdd26c44b7d2d65dfedcd98e7e6bba5529ef3094701a1291bc4

SHA512
2b9258c5d5775756f7d2200558151dea49e2190b1618d05348e11e1ce3875d85f2b7d78bd89798011e7eb1641c3ef693d4ac902a068ecf2ae182189c53cdaa41

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
93KB

MD5
1100c6db861b73289d874742eafa0b98

SHA1
b90332dbf3c3bdfa481b70f7d7631d15e01d559f

SHA256
d96d1e00a1569e2f4eb9406a6061786fb3ce06c5e09d33080b88ce9196d0eb6b

SHA512
db3bcabf348d3d023cee876d62ce723f669e177f37a5e808e3992e6e0f14342bb680900f966bb00e65a5b76bfc8bb154e12ef1765a21a1b6004a6dee134c1758

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
93KB

MD5
d0cf64ec7b7e9120e136155c9a076521

SHA1
037961c27921f91515fbc537dcd69c15c46a7711

SHA256
edf2a29198772dccc8c4913bd973fa6d0d593f3811f801d55ea93850b740743c

SHA512
90b2c41656e303671a2aa285b0445ff6626e904949a7073670358f27ab265efbf33207ed2e2d2391d4d8333258f30ab342a72736b9b6a65801680427cbc6ae1a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
4fc89aa312a0e7fea96b5328155be5af

SHA1
10b56d704cdebbfca9b140edd495ef92b53e2403

SHA256
51644f653f783434750fb1faf3995c185ef9fe77a1c6b02b3f607834f5923f0f

SHA512
3ca28ede94d3ebd874a6b55babec0100a76f4a7c2a54925196c97babef20982b11fdeb8124dff5c6223017e80da4e317b3283a901e00c637f72833c3d87606d1

Download Submit
memory/216-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/216-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1312-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1312-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4008-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4008-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads