berbew | c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
Size

80KB
MD5

6741de6d75ef867417d6b628553504ef
SHA1

b3e0f8efcc0ea74c70ad5e729a5ec1035b1bfc4b
SHA256

c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998
SHA512

a70629a81924a79a6a460dea49fd96efd69d97b55d85b3857611e9aabd6edfbb018cf903e5962a62280737e09aae4850a2428183675f38fdcaa8b875dc6d82a3
SSDEEP

1536:6gHVUY5TcL/xFSoVm5jTrGE2LlJ9VqDlzVxyh+CbxMa:T0HSoVejT6dlJ9IDlRxyhTb7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 25 IoCs

pid	Process
3640	Chjaol32.exe
4496	Cndikf32.exe
4844	Cdabcm32.exe
3660	Chmndlge.exe
5024	Cmiflbel.exe
2456	Chokikeb.exe
3472	Cnicfe32.exe
1312	Cagobalc.exe
2704	Cfdhkhjj.exe
516	Cmnpgb32.exe
2532	Ceehho32.exe
3912	Chcddk32.exe
3928	Cmqmma32.exe
4728	Ddjejl32.exe
4368	Djdmffnn.exe
696	Danecp32.exe
1120	Djgjlelk.exe
1664	Daqbip32.exe
3876	Dfnjafap.exe
4548	Dmgbnq32.exe
3888	Ddakjkqi.exe
60	Dogogcpo.exe
552	Deagdn32.exe
2832	Dgbdlf32.exe
2176	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4444	2176	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 3640	3652	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe	83
PID 3652 wrote to memory of 3640	3652	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe	83
PID 3652 wrote to memory of 3640	3652	c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe	83
PID 3640 wrote to memory of 4496	3640	Chjaol32.exe	84
PID 3640 wrote to memory of 4496	3640	Chjaol32.exe	84
PID 3640 wrote to memory of 4496	3640	Chjaol32.exe	84
PID 4496 wrote to memory of 4844	4496	Cndikf32.exe	85
PID 4496 wrote to memory of 4844	4496	Cndikf32.exe	85
PID 4496 wrote to memory of 4844	4496	Cndikf32.exe	85
PID 4844 wrote to memory of 3660	4844	Cdabcm32.exe	86
PID 4844 wrote to memory of 3660	4844	Cdabcm32.exe	86
PID 4844 wrote to memory of 3660	4844	Cdabcm32.exe	86
PID 3660 wrote to memory of 5024	3660	Chmndlge.exe	87
PID 3660 wrote to memory of 5024	3660	Chmndlge.exe	87
PID 3660 wrote to memory of 5024	3660	Chmndlge.exe	87
PID 5024 wrote to memory of 2456	5024	Cmiflbel.exe	88
PID 5024 wrote to memory of 2456	5024	Cmiflbel.exe	88
PID 5024 wrote to memory of 2456	5024	Cmiflbel.exe	88
PID 2456 wrote to memory of 3472	2456	Chokikeb.exe	89
PID 2456 wrote to memory of 3472	2456	Chokikeb.exe	89
PID 2456 wrote to memory of 3472	2456	Chokikeb.exe	89
PID 3472 wrote to memory of 1312	3472	Cnicfe32.exe	90
PID 3472 wrote to memory of 1312	3472	Cnicfe32.exe	90
PID 3472 wrote to memory of 1312	3472	Cnicfe32.exe	90
PID 1312 wrote to memory of 2704	1312	Cagobalc.exe	91
PID 1312 wrote to memory of 2704	1312	Cagobalc.exe	91
PID 1312 wrote to memory of 2704	1312	Cagobalc.exe	91
PID 2704 wrote to memory of 516	2704	Cfdhkhjj.exe	92
PID 2704 wrote to memory of 516	2704	Cfdhkhjj.exe	92
PID 2704 wrote to memory of 516	2704	Cfdhkhjj.exe	92
PID 516 wrote to memory of 2532	516	Cmnpgb32.exe	93
PID 516 wrote to memory of 2532	516	Cmnpgb32.exe	93
PID 516 wrote to memory of 2532	516	Cmnpgb32.exe	93
PID 2532 wrote to memory of 3912	2532	Ceehho32.exe	94
PID 2532 wrote to memory of 3912	2532	Ceehho32.exe	94
PID 2532 wrote to memory of 3912	2532	Ceehho32.exe	94
PID 3912 wrote to memory of 3928	3912	Chcddk32.exe	95
PID 3912 wrote to memory of 3928	3912	Chcddk32.exe	95
PID 3912 wrote to memory of 3928	3912	Chcddk32.exe	95
PID 3928 wrote to memory of 4728	3928	Cmqmma32.exe	96
PID 3928 wrote to memory of 4728	3928	Cmqmma32.exe	96
PID 3928 wrote to memory of 4728	3928	Cmqmma32.exe	96
PID 4728 wrote to memory of 4368	4728	Ddjejl32.exe	97
PID 4728 wrote to memory of 4368	4728	Ddjejl32.exe	97
PID 4728 wrote to memory of 4368	4728	Ddjejl32.exe	97
PID 4368 wrote to memory of 696	4368	Djdmffnn.exe	98
PID 4368 wrote to memory of 696	4368	Djdmffnn.exe	98
PID 4368 wrote to memory of 696	4368	Djdmffnn.exe	98
PID 696 wrote to memory of 1120	696	Danecp32.exe	99
PID 696 wrote to memory of 1120	696	Danecp32.exe	99
PID 696 wrote to memory of 1120	696	Danecp32.exe	99
PID 1120 wrote to memory of 1664	1120	Djgjlelk.exe	100
PID 1120 wrote to memory of 1664	1120	Djgjlelk.exe	100
PID 1120 wrote to memory of 1664	1120	Djgjlelk.exe	100
PID 1664 wrote to memory of 3876	1664	Daqbip32.exe	101
PID 1664 wrote to memory of 3876	1664	Daqbip32.exe	101
PID 1664 wrote to memory of 3876	1664	Daqbip32.exe	101
PID 3876 wrote to memory of 4548	3876	Dfnjafap.exe	102
PID 3876 wrote to memory of 4548	3876	Dfnjafap.exe	102
PID 3876 wrote to memory of 4548	3876	Dfnjafap.exe	102
PID 4548 wrote to memory of 3888	4548	Dmgbnq32.exe	103
PID 4548 wrote to memory of 3888	4548	Dmgbnq32.exe	103
PID 4548 wrote to memory of 3888	4548	Dmgbnq32.exe	103
PID 3888 wrote to memory of 60	3888	Ddakjkqi.exe	104

C:\Users\Admin\AppData\Local\Temp\c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe
"C:\Users\Admin\AppData\Local\Temp\c3f616781005b043c53b1968245265074b58b44b548c19d58d175bf255390998.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\Chjaol32.exe
  C:\Windows\system32\Chjaol32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\Cndikf32.exe
    C:\Windows\system32\Cndikf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\Cdabcm32.exe
      C:\Windows\system32\Cdabcm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 404
        27⤵
        Program crash
        
        PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2176 -ip 2176
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
80KB

MD5
c5f3cc224c53fc2564bb6ef84367ea7a

SHA1
af1a11e0b5d6f548bdb9ae41994c275ff260a029

SHA256
42accf6d963007324165e44045ceb55ab1de71935d0477556a9c06f38e7ea4c9

SHA512
e14d1729a207db3c56031dd97c2d523b772587866ce045595d5f397db85b2c91915a63c3e50f17efb6c11e47a63c6b844ba56e52b420eb61c91919054b8befdd

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
80KB

MD5
459e3d3c9107016df565cc3e4c9a9449

SHA1
82c065f39ea24a835e4f79ffa8dca1a51d529b59

SHA256
a25c8a5737321b3bbfd88d48338bd842184851c736c9239e5fbd882ecc0619a6

SHA512
d83473a1cb854e6eabb2b221647b268c5d48fc74b5847ef86a432424070ca6ba94e2bf069e450e966ca4f6fb7116d743b71fe1addd96653f8a273596494ea2c2

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
80KB

MD5
8efc2d3ff8530314a910ec63ec6bf23f

SHA1
a86e91b1262855829f5734506f115f0fca01c1d6

SHA256
706c4a5d82b71fa20824a59297d86e322f1a0982ff88bfab4d545b4be2a26742

SHA512
f469530483ca92015b141293d9415f4dbc75c64aeb6eb84c065c7430b2a6f096c0f43c01ce365bb0c9f72134bc02b096125b125d8fabe4ab15017d6310c0257b

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
80KB

MD5
eb818866f506bdc90642e25e0cc6f8be

SHA1
c5234a1a0c899283eadb4b3961984d50514455f3

SHA256
87b458ea78d5b1f97b72e1829328e432a1bcab6e6aabe86a16d0dd751b07e17e

SHA512
bb3fdc64bb231eda3a4980708320001ab53e4259c02e3de30a14eb5fb2e770166cb4fdc9adda9cb52179f62f0347e215a6d01c98e53850286f190feece7e2302

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
80KB

MD5
6a53096ca9905e5b16f34218391126b7

SHA1
15ed53f448c45096eadcaad12d28e9e2cbb7f786

SHA256
4ca8515f83b7ab741b68976220de03720e13f4307cb049542728a18c29767159

SHA512
8b35f3e7fcc3561793bc98a42405183d6a8d957dddf001976fad9ae62d97db9b2d71492c369a824b9fc4a2dd2cbd1295113b4092e2c03baca42cc3c50cd4bddf

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
80KB

MD5
53e1286fff9dde792b468c1b138aadf0

SHA1
3cf09392dae60e4822417854c9dbec9d8b39d2a3

SHA256
4b617d3de04e466048f7c92644068989f10dc091abb233da5d475202b62a1e3a

SHA512
30d99c68d4506c52764d3511b728fae8f3aa65b94ad13dc4eae7fa8df86f22d59b1499f4ae6c1506cbdcbf11b37f7bc9499f20a8ccf9dcbcace7c2fc0754ce6d

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
80KB

MD5
65d9bcce0a0b7a5b556c854791e67bc9

SHA1
52fd688617fb661e97e8ef7eca65a258873f93e8

SHA256
b09cb659507cecb919310b7285339a059480c4b18065a6e6d9a13518b1eacc27

SHA512
2d4d9c51ba4ab0478903a0b37abb65a1781f374f9a24ea6cd0fd6c8507e20509409c5757c57fb5467d6678af3fb10ef43962d54067d8888d7ac44f0bba0c7162

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
80KB

MD5
4dbb5dd5c9afa586a083a83014f63518

SHA1
c09dddedd5eee326d4e57c0d98860f583c438731

SHA256
3ee2668e8d73c606ca9bf97c076aaa6e8eba9412af975cc4da59c754e20619b5

SHA512
cc28c26bf254ce7ab6be0b9e3a37621599bda9e30da3dc3f4eccbd5c465da96e4a27c2bb344c3a7033b9a0bab07027bcfc38d3f1f630b920a874fb3207ce72cb

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
80KB

MD5
7292be5b6d05ea2529d116190975b486

SHA1
12c3b4fcf9abe94678678b1ea947521b5d603d1e

SHA256
a1a4459a3a1efde112ab14ea13f93d5ea2e57abf010418146105238e919b572e

SHA512
7213618065a2ea735a5041d22488ae34436f5112c813463ee15504719da7f0dfe0f0b684d4b24a90aea9572dfc7ead17e9162fc5f42914bbc281fd307eaf6fbd

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
80KB

MD5
9de29cd1fe57189937d3cab0247d1dd4

SHA1
1d7c89e413594912dd435d891b2d31c3f195dd73

SHA256
d47ce3eb54a2248ac67407f27202bd12b654eff44f5b46ff93555f0128963d84

SHA512
4a707dc3318dabf231d090a3b392a37bfe65b1be1999364705b2df3e90a4ac3a50948092718426c84447a54a70f6dac7e7429ca62c69e1ed7914fc50237f8302

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
80KB

MD5
09c46a27a9d5565f7dbc471f76902792

SHA1
467106500d36495c11b83c811d1d39ee7543f9f9

SHA256
ae57eca9e29108a74d47e442b4e8503c71416518bd0e6285e993634aa9f12ec3

SHA512
a0c286240dd40c93d4df1587e0c2658d4e9bbc92d8ef801ce424aa7dd9ff3fe0437199b4f76978256d8fb181e59dcc3826a707d2fc4bc32b0dfc14f20bbf9ffb

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
80KB

MD5
525dc56c68b8a1c6f7758b1190a54e45

SHA1
377db54cab1211f1fe80bffa08608bbc158b1dae

SHA256
bb51742e0c0d1278c8c5e01feb38429404c7de11542731103721c685aa6b9796

SHA512
de288de6e09f29553c9567bb38be6fa234c55f0c82f7174a33449d80ea006ffa37a7cec75a840dfa4e2abd01aac3ee9429c0bc5d34ec9333c15e0eaf9efb0ed9

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
80KB

MD5
7f9aff1a5a78a665d4ba0f3fd9642f41

SHA1
4a0dee1fa441d5a00fed337cdd26d61a23024657

SHA256
0089b19f6951a00b9f6a05c3413cf8423f75033fa0edd109a7d23da34fb48d15

SHA512
548ccb54862e197cb7a05a9f54090291028d563494b65d72f23df8463cdb2d049667eddb2623ce65e4c3c51437c8dc939d39d354c6e4acfa84704b1a89ea0c29

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
80KB

MD5
2b5be25df77f357c6cfc1c41deda95cd

SHA1
88354e294962c9d6205270e3222377bd70349212

SHA256
8d877c988006a746202be8276694aab648192f459a59dcdc3bb65b2e27b4a3da

SHA512
e87fcce120862904d107c0f4c20455f3647122bb9cf65ae5f1219c8eaeab53c3dbe1cf26d6e3cf7796a4a2a69cdb3c8b0a03f456feba5a4f2592a43975290170

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
80KB

MD5
95cf0becc2d7ded06fd02ba0aaf0341a

SHA1
efc56ab7e74f7ae3298b7da08fb5fef642c85e47

SHA256
253102c84d7b74a836b9c2a88ccd6aaeb593f6b2ea46c4929c9ebbfec5904455

SHA512
fbc358330398267db133eb0d83757eabc17036ac13f62472c539a76781e191e4b6f37b49e2be40eff0c0e024e3d31a20d50dff8829c8a3c96096a49d2faeb6aa

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
80KB

MD5
5c95cf4f4f03db8b55b21ac4cbe7712e

SHA1
39f67022c0ace96f3b2d8d1d68a32d250ae56d50

SHA256
729c093cdd449e51c2644feff1020e0cc4f484b0f0184793d1c16225d231df79

SHA512
faf76dc83775d1f1fa7164893966b3faa464790ecbcd3f32d975684d7b47b3845e8944a63b5c1e515ab870c46a301b4a96be159fca6a900a150b41727aef7e2e

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
80KB

MD5
f7ae7397c44347d97760a0d833ea842a

SHA1
de86441892d660a61be2bb1404a92863dde3dfac

SHA256
657ed7c295497dd4ec9112717879f6752f21928c61ca77933ad04aa591b52cba

SHA512
7f806cd2f45fbd29c8126301bce0b2403528363673ff21cc7a08d72307fe84225a43185866c6fc22c01c8c180e56a902bc8d73a10a1ae80ebd46a2dc38c7f5c9

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
80KB

MD5
00141d82f72c6dc57f6e07151d00c1d3

SHA1
ce8f7b5b3ecabd05a879f06312bb32a93c1c609c

SHA256
f5fe870b4572d898dc672de42d79a5d8361d30d77de9b9481791dc65f38a0e3c

SHA512
d32203545d80ffbba0549bc036b247c53d89b16e641e05e9a41b10e945098d8d0c4306251fc5428850d56b4b9b7dbcb21a3cefc57a53ac6ff4c7b87867910812

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
80KB

MD5
84bb150f60fa0d462992759d05ec78c7

SHA1
781063cbfd4bda235ad1b2c55233763f1c41d692

SHA256
0257a7f3a8d8c255126e06db45c9f4ff3e508312b53f0e6eef1b104bf2861737

SHA512
643410dad40146d798f16c2f8e7de5059732af5d783da1a4dd830ab585842e3322aa901503d3f75d50e1c7fef96739ef75a94cb0fa8623d27ba1770ef697a626

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
80KB

MD5
f82e31f806b8f364eee009b4f27775af

SHA1
b3ac56bcd4be1f8f1bfd3e45cbc99fd5bc8c5295

SHA256
e14f654897f133f2259d44cb764e061e821e6bbdf29b6a9b3529a4a1729b715d

SHA512
ad8bc52de6f073024ee9c1a019109a7f67d5fb7594474714a8e3e09044281df9a91a0dce06242bbba0be03e02c6d496b4b4aa8c4520bca3fa7206cf6d96b54f1

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
80KB

MD5
ad645858921f0fa1a4df57784575aeed

SHA1
bd84cc4cc57ebd39eea8720a94a20f6ef3e0cf01

SHA256
14a6eafda7f897d8f884d0ec1df7bfbd4ce75cdb8498175e43cf0b64f222904b

SHA512
4873c99a6d1751ccd15792168d4181b87ce75fb1e33e083f5f1d411ea3b46ce655a5037ce13699042fd4a8008cf74c01b2ee0eb206646b26cb95bfe192c4ac0a

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
80KB

MD5
a01184bff99e366211aa21ffb784850c

SHA1
3b739397b4cc0af03781cab16554f8a3200c3542

SHA256
ce011d3764847df059c5097ab3efdeb325536acf395624bad1c733fb0d4b35af

SHA512
a53eedb65ecd694f48fe7e71e98292164fa4edd3772ff4a388a21da1a9eb120b251e0199979c719abd58cd9239239ac27961eb838f39dae92a0720899b2a1f08

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
80KB

MD5
8ed80c308ec576b9d93fb55c484fee00

SHA1
6b3dcc568205553728efa73f36f8ddae47801eb0

SHA256
3a2dc657b5b543bdd145cb1a69f38164692c73e6380ce7e1250b56e6ed336610

SHA512
77256fbeff16754586dcf8022666f6bdeabbad71ea1f7cd5f64425c4ab0d596c036a92aea88dcd8528e36fb0b9c1fcf89476b58b346a5156c6c375ea06e3cc1f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
95a4222afa92a14a8cfec7878cbf3409

SHA1
69d49d7fe2d7e0e87641ec22b38acfc4b3b65d2e

SHA256
5b17f57b5caa7177e2de53f5c52ecc1cdfa7f312fa16271f59fe69a7b663a32b

SHA512
a5f9d6f70a146b1fa34e05242ddf86318c80a5ef41f7b747b1623c0f1a5c127558650a1f7bb00743abfdd247188173fe83c097105767f8cbb9b0ddaad242f404

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
80KB

MD5
5038a21ca2f04c24a0e747ec1507ffbd

SHA1
1bc3d0dfc94f5624d413f2cb9e2d25478ab5d1e1

SHA256
476f92237e2b32a1a11767093a0d5d0c8c6f48c3ca1e669e70496ab9ed7f3b6e

SHA512
eca2c60d5367e6ac87851c05fbcc22e77afd1eb11fc964c3e4028d6563fb11e85b96cb53a26a379066b34bf556954147e80820829feaa998efef231fee94bce0

Download Submit
memory/60-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/60-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/516-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/516-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/552-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/552-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/696-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/696-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3652-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3652-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3652-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3876-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3876-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3912-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3912-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads