berbew | 3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
Size

97KB
MD5

dd2b95f2ef0a071afc0352bffd959125
SHA1

4b2fef0fd69d3c73fc451d4ada473bdbbda7f8b6
SHA256

3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952
SHA512

140603587291816ed9ebc849e1bb7772da5f2bb114de48bdbd228b5566bf12cf47744d86ca30fd92fceda3777941aade2a63ee80e9c1e08894f6bbafb0cb9519
SSDEEP

1536:ea1FhSKpagZK8StOUi41meChpfABZ5Ja9tXUwXfzwE57pvJXeYZc:eAmmUt7ChmZ5095Pzwm7pJXeKc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 26 IoCs

pid	Process
2556	Cjinkg32.exe
1372	Cabfga32.exe
3728	Chmndlge.exe
2760	Cnffqf32.exe
3200	Ceqnmpfo.exe
1932	Cjmgfgdf.exe
2052	Cagobalc.exe
516	Cdfkolkf.exe
2696	Cjpckf32.exe
2328	Cmnpgb32.exe
1936	Cajlhqjp.exe
1708	Cffdpghg.exe
4588	Cmqmma32.exe
3216	Cegdnopg.exe
3364	Dopigd32.exe
4396	Ddmaok32.exe
1524	Dfknkg32.exe
1560	Daqbip32.exe
4920	Dfnjafap.exe
1144	Dmgbnq32.exe
1860	Dfpgffpm.exe
2964	Dmjocp32.exe
4520	Deagdn32.exe
4056	Dddhpjof.exe
3940	Dknpmdfc.exe
4392	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3660	4392	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 2556	208	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe	83
PID 208 wrote to memory of 2556	208	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe	83
PID 208 wrote to memory of 2556	208	3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe	83
PID 2556 wrote to memory of 1372	2556	Cjinkg32.exe	84
PID 2556 wrote to memory of 1372	2556	Cjinkg32.exe	84
PID 2556 wrote to memory of 1372	2556	Cjinkg32.exe	84
PID 1372 wrote to memory of 3728	1372	Cabfga32.exe	85
PID 1372 wrote to memory of 3728	1372	Cabfga32.exe	85
PID 1372 wrote to memory of 3728	1372	Cabfga32.exe	85
PID 3728 wrote to memory of 2760	3728	Chmndlge.exe	86
PID 3728 wrote to memory of 2760	3728	Chmndlge.exe	86
PID 3728 wrote to memory of 2760	3728	Chmndlge.exe	86
PID 2760 wrote to memory of 3200	2760	Cnffqf32.exe	87
PID 2760 wrote to memory of 3200	2760	Cnffqf32.exe	87
PID 2760 wrote to memory of 3200	2760	Cnffqf32.exe	87
PID 3200 wrote to memory of 1932	3200	Ceqnmpfo.exe	88
PID 3200 wrote to memory of 1932	3200	Ceqnmpfo.exe	88
PID 3200 wrote to memory of 1932	3200	Ceqnmpfo.exe	88
PID 1932 wrote to memory of 2052	1932	Cjmgfgdf.exe	89
PID 1932 wrote to memory of 2052	1932	Cjmgfgdf.exe	89
PID 1932 wrote to memory of 2052	1932	Cjmgfgdf.exe	89
PID 2052 wrote to memory of 516	2052	Cagobalc.exe	90
PID 2052 wrote to memory of 516	2052	Cagobalc.exe	90
PID 2052 wrote to memory of 516	2052	Cagobalc.exe	90
PID 516 wrote to memory of 2696	516	Cdfkolkf.exe	91
PID 516 wrote to memory of 2696	516	Cdfkolkf.exe	91
PID 516 wrote to memory of 2696	516	Cdfkolkf.exe	91
PID 2696 wrote to memory of 2328	2696	Cjpckf32.exe	92
PID 2696 wrote to memory of 2328	2696	Cjpckf32.exe	92
PID 2696 wrote to memory of 2328	2696	Cjpckf32.exe	92
PID 2328 wrote to memory of 1936	2328	Cmnpgb32.exe	93
PID 2328 wrote to memory of 1936	2328	Cmnpgb32.exe	93
PID 2328 wrote to memory of 1936	2328	Cmnpgb32.exe	93
PID 1936 wrote to memory of 1708	1936	Cajlhqjp.exe	94
PID 1936 wrote to memory of 1708	1936	Cajlhqjp.exe	94
PID 1936 wrote to memory of 1708	1936	Cajlhqjp.exe	94
PID 1708 wrote to memory of 4588	1708	Cffdpghg.exe	95
PID 1708 wrote to memory of 4588	1708	Cffdpghg.exe	95
PID 1708 wrote to memory of 4588	1708	Cffdpghg.exe	95
PID 4588 wrote to memory of 3216	4588	Cmqmma32.exe	96
PID 4588 wrote to memory of 3216	4588	Cmqmma32.exe	96
PID 4588 wrote to memory of 3216	4588	Cmqmma32.exe	96
PID 3216 wrote to memory of 3364	3216	Cegdnopg.exe	97
PID 3216 wrote to memory of 3364	3216	Cegdnopg.exe	97
PID 3216 wrote to memory of 3364	3216	Cegdnopg.exe	97
PID 3364 wrote to memory of 4396	3364	Dopigd32.exe	98
PID 3364 wrote to memory of 4396	3364	Dopigd32.exe	98
PID 3364 wrote to memory of 4396	3364	Dopigd32.exe	98
PID 4396 wrote to memory of 1524	4396	Ddmaok32.exe	99
PID 4396 wrote to memory of 1524	4396	Ddmaok32.exe	99
PID 4396 wrote to memory of 1524	4396	Ddmaok32.exe	99
PID 1524 wrote to memory of 1560	1524	Dfknkg32.exe	100
PID 1524 wrote to memory of 1560	1524	Dfknkg32.exe	100
PID 1524 wrote to memory of 1560	1524	Dfknkg32.exe	100
PID 1560 wrote to memory of 4920	1560	Daqbip32.exe	101
PID 1560 wrote to memory of 4920	1560	Daqbip32.exe	101
PID 1560 wrote to memory of 4920	1560	Daqbip32.exe	101
PID 4920 wrote to memory of 1144	4920	Dfnjafap.exe	102
PID 4920 wrote to memory of 1144	4920	Dfnjafap.exe	102
PID 4920 wrote to memory of 1144	4920	Dfnjafap.exe	102
PID 1144 wrote to memory of 1860	1144	Dmgbnq32.exe	103
PID 1144 wrote to memory of 1860	1144	Dmgbnq32.exe	103
PID 1144 wrote to memory of 1860	1144	Dmgbnq32.exe	103
PID 1860 wrote to memory of 2964	1860	Dfpgffpm.exe	104

C:\Users\Admin\AppData\Local\Temp\3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe
"C:\Users\Admin\AppData\Local\Temp\3f12fb837229e72681ee662b073fd8a3b7ae64eca4ff1c9bac810b97c4189952.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\Cjinkg32.exe
  C:\Windows\system32\Cjinkg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\Cabfga32.exe
    C:\Windows\system32\Cabfga32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\SysWOW64\Chmndlge.exe
      C:\Windows\system32\Chmndlge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 408
        28⤵
        Program crash
        
        PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4392 -ip 4392
1⤵
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cabfga32.exe

Filesize
97KB

MD5
fdcacef00f90e8c366d7f47707737a41

SHA1
1000450c45dd28187788ce0a918c9be1ff393a39

SHA256
d1b7fc5ec8a374e55a6bf6d0e0ef52bd13404f90d25be614bbbdc4edc33f9cdb

SHA512
543c901a5b019e22aeeddaf6bdbea82bab448d3495cf9b0ceddd5af1927718b93ced6354c4c05f68b47410d93e2c92fbfbf2e681b5b1ffb0c59ffd1fcc2b098d

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
97KB

MD5
3b2f93b3bc1bdd269d3b6c29c24db179

SHA1
03376df1eef4a536deb6e7dbcc6c0d2657972630

SHA256
c59c3bd8012b23bda5f40bf6bf0b4bf0bc7572486ad313da230a10a95083377c

SHA512
87b1313ecb4a3f7d3565a0f35fafa5f3509c2fd8f858b60a1950041fa74fd75ddc6b07b5d0813bc0e76de6fb83e4363f414605b4ca3376f7a27d8f1022641939

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
97KB

MD5
66ce882503083a843b39450263353ede

SHA1
0da6ba8904a19046384e7c864d7ecaf8957ad1bb

SHA256
f59abe45cf6db43b694ad704a6e656ebf22fb08f9d33d7dcf1cf7677f2c9e7f4

SHA512
2344a61155d3595bfa6c447dba467fbc69034f33a9ac3ce3dd489ac3c21b82a5af9c5dc7e5ab6ef58cb652db8bc9675b3c9ea9998ef8cb60aac6eec54a05640a

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
97KB

MD5
b5b8ee3e00ffae4028eeb953297c6593

SHA1
61c9d3c59688c75d1d79c03c656491ce53fc4f04

SHA256
c081fb8ff4c81111e8c42013edc41c68872fcdb6f4154706b89722ad64ffaf1d

SHA512
108fcb1bc071afe0996791dc66760366648f8beeda028f6e3074f7909075572332fe7b32f824efbdf4c3af8cbf80a46dcb733db487e1ed78847035c81d2b7ef5

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
97KB

MD5
1ead89bd7649d1fcc45423aab207c24e

SHA1
ee61f2d87288c98cdf6605a55d2e346c2180db26

SHA256
05f20d91c6682f7dcd5cf6a184a0c0907b38d94f11e22319baf3e81a0dda7a86

SHA512
6b52d915bf21281b6cfa2085b227608b3d728dc76249dd311a4142a93055234fc5ead9a2c1f696cfcb430444dfed5ce56d959000ec5edbdf7dda9893b3a3c0f6

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
97KB

MD5
50aeeb1658522772b6faf466b31437a7

SHA1
cefa8073b69c90ebe1e9820a672aead119ac8187

SHA256
7d7bac34fb92d78c00fc0ff5bf9c560529f2b97d2ab6b2fbd24f4a7da37e7af2

SHA512
c833d174ace8a9d2866cc40bc672edfe976c3914497be890e1d0762bb25d21c16115d8aa1785bec2deda1ba1b93506f2e65f651187b5ed71a80fb6d3340f6f71

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
97KB

MD5
f92b13186aadf4a3e529dcc9fe4cbb9c

SHA1
6077c5769cd0e6c22038810de67f4391e12d3d65

SHA256
9c678c336db8e05eb54225c0ba8e5dc16c0582a66992c37d757d6959938fdb92

SHA512
44cfa9643ac91a2eca8b3ba04e31e16c60faae9ec79d33f819b85fb2d17977f6a2c4f9d19e5bd5b970fec192ee6cd6a893b0c45b1035c044bd2396a074169886

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
97KB

MD5
1e440104f673097cd513cbad8de43fea

SHA1
a50d2df5d75482985efb7175107ce1d354ab7047

SHA256
87fca39464f25bd32e64e3265fc595d88648f72b1375101aab321c58d2cc9ff2

SHA512
416fee07c4d4f56f3ec9cf401df9628124abbd4ad039acaf2094d6038bfb88ab5559aaec25aa73d6991570cf2b843673805c7a8a4fc2fcbdeda6a54ed9684e1b

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
97KB

MD5
82021c5b49ab1ff0e6a8a8aa6eefdd22

SHA1
c3a4028fc897d406faf68fd44abfd7f0944f5c9e

SHA256
d546822ebd26de18103a1a5d23f7717fe4ef6dcf4ef5a5e96d2047cd958f0bf9

SHA512
7e082302de17a97e1593b9493c3002e91a6f7f10ac8c34b262c82b0662ea20ddf43df5f3e1dd9468df6af4ca47a898ff3651de5156c5270e60fa1cf7d9ca4449

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
97KB

MD5
b45f37877a34b48868e1074311c98f4d

SHA1
e0c6bfa6d05161247af75cfc3721bd1582f10662

SHA256
dce3b1c0e7d1970211153b5f5800e2d7f484c430bc02253e3426d3d82ac12b3f

SHA512
3355db222809ca42754fe83d672518167c593700238af994525dd7c37d3d58f63c2f95000171b0098649356c86b9a158271fdbba90314a0dd0317724a1b56abf

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
97KB

MD5
31536778de5e532add0cf4f895226802

SHA1
482322cc05b4c186451e83a0ee152ff3eeb8eea8

SHA256
c12c6c5255411f81855b528454894f2cc289886d87637f0cd646e5ae70bcbb36

SHA512
701c993a4fddf0120a90f8ebe485906fb987ae8aec94a8c38d1748b8434dd9c48e1d88a8e27a909d1eed32abfad6f23567fdac76455a9b994ad15ddc954f7e6a

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
97KB

MD5
9211483915b33c8a05db0cb1bd93726f

SHA1
86d2d5f62acba4f60e2ddaee34147daf5b9bf355

SHA256
d1de559b0db47f70d8c8dff6729d21b54d741a97f864fae9f59df64f588f9756

SHA512
f21b97a2e8f52c2ce089ece27a87c765385169f323a2c8856cc1b13a75d8955cb746d68e8f4621df4761129211c38293ae5c8f46d7d8f276051a644649f40765

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
97KB

MD5
aca3fea35b80b430af523c7b3c60ec2d

SHA1
5938fc5f1893afd15c15ecb9295f86679a81d465

SHA256
a7c5e136d1d424e1c6864d22630abf0eb40c08fbde44580ebadfa776fd9b72c2

SHA512
0aaff5faf6e371e8ca8e8b7d7af56b51fbd9e21b17e4e84838d9d6d928ff6aaec70ef654fc19faa21dc30d208321a765eb60ccab8552000bdb6f94c17506e4d1

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
97KB

MD5
600efb52d1b6abfc5bbd2f241382dd9e

SHA1
dac07de4d12499bd6f8c4346ff282175806c8522

SHA256
79a8a9a770136db14ac300dacfa718b37490f7e68b8a292c007950d786f8a0a6

SHA512
c8a0effce7ee5653a684a9e264b6c95c95dd0b6f47bd45b573bb11add3245a5721db2ee2e3877d58ffa3621afd2f8d1fa8a1367067ac2810a313ebd3f8a491f9

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
97KB

MD5
68c6895db3ec7844f3b267dd0c512bf4

SHA1
d138acc0795e4e70ddc272c6e5ca9a3b42e37776

SHA256
bbc186353f05eaa77cd152cef78e7f6f9d5bfe3c760a8a15c5e95f8295af4d10

SHA512
eeb7d3fc2a12406337043207fb2c463879e00fc3ffb0feffa48b122d3f18bbbc1fa8c66ce81e994426b2d15c7b562a5832f6a7574f286f0d53417dd1b89730aa

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
97KB

MD5
870a02096b62d53d133fa6f0aa3bde90

SHA1
6cd4da2a5a4a71fd0ae307290fe02a7f95e87ad6

SHA256
e7bd19664670d09f9c7555c0cc368b086c9df2f5fcc5247d867263e07c3ad20a

SHA512
cf7c9d94f2442dc3a66daeb2889e3a4e61d43a555c75bbee3fce59ba59df4aadf7c728a048180f033e054b5544089b838ca990da28c6ef5bdfd465639c56342b

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
97KB

MD5
c75b3af43a9699ef1d8a4a05b7e3bc94

SHA1
87993cee8e952f9edfb032494289deef8519b02e

SHA256
64159fd3e7542063b9d06c02d6e88d101341047d11399ee2138d367ec0ba764b

SHA512
3a598725ad0da489def6299bd1ab4dd7606dd6cf1ecdcbe695799bf9ddbe8c529d882d59aa60b308564b3c947faed587a9d79103555e26142edc6352c47a2731

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
97KB

MD5
2170fbe6de514cd35e635ffac0e69d00

SHA1
0dadaa0ae975b2f09afb799c4803a0f7e191326e

SHA256
8a22593be3449936a98bd4543d986c9307a767a38ac0323b4c0ea1242eb7a463

SHA512
e7905bee70769c9afd8074b24f02a0bdac0bec6356cec83363a766c7b18dfa9dd8e4b62527a844436e40fea349250f58e39b028f42a09ae60cfd424ecf45f92e

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
97KB

MD5
c26aa108a46620bd00db542132079b68

SHA1
b728cef788da97fe1f2507cee968fb8c8c14d1a6

SHA256
32dcaed36cfe65521212b29e7d95d5e29e38025acd0b1e732a3fdfa395bfcbf7

SHA512
9393f3ad4934341ce35f05eb0bb331ba63eeda44d62ce6a868e326484e2d24cd2331f8bc04621b63601366740778afb11896a6d1246d48911f28d284cd3fd2ea

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
97KB

MD5
d0e428e5f151d9f78533a5af0c90bb20

SHA1
33e6ec216c4d67aba996f1931c535f168728a064

SHA256
bd234d08b75ec0d03bd53e288e2595001b068bbc368d711210859d3ca2cdb927

SHA512
75cafbdab636cf87d4e561205e74372043d8eafb9686c9e092e04d5c807bb9073bc3a3fc3fe5bb0e83fc859895d1b24978aa6dab757b1d9448e1e45130b092ee

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
97KB

MD5
b7697fc08553cac66589aa46b91db366

SHA1
dd635cecf619eab842a7e7afdbac47a107e870a2

SHA256
a5704207b7bea3bdb3482088eff25d7547d04b57e0ce897046092195cc14fc00

SHA512
98e74336d9bc18edc190b4970db25532566c7c4660bde99620f98fd25cb5c014036dd583e463324dade6bb84c7642a9ed7b39ca5281ed0487f006f9fb35f885d

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
97KB

MD5
47880c88109a4f164d93e84db95ee14b

SHA1
dc55028924014cff8b964ad15f0a3e9b931d1c98

SHA256
3e4a1176facf4484ba10dfaa02f26bb1c384813bb09878031674f791d209806a

SHA512
71c7628692d7cebc858cd10b9cc17ba256d9fa5bb300cc8120ace1d4e7b522d6f4262a49e8c1582dfdfe4e06e72f3071c2b73fb44bbd3ad8ba817b135d03b22f

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
97KB

MD5
e3c729d8cbbc6898302e98b4a42de7cf

SHA1
c99ef889b0bf449a4a808034a47b55d5f5220717

SHA256
7ed07e9b5251329dcf29b143904bffd6bcff9cb73eaf7bb39c9dbfabeba7e01a

SHA512
f918b2b6401ff34b26b7f095207afd18a9cee4f86837f2996847fb347378e4e953b1fde02b04a63e8229d51b36db2f5a3ae3885868fc1d85e461ad422701f668

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
97KB

MD5
9b34b131aedcb61bbc06d6dba190b351

SHA1
5703c06e8b6adeb03be6d37ff1b05e1b0b650ef9

SHA256
81efb17da922edc53ef1564e0ede2c347c8f836857c9128938c8a4416ae3e510

SHA512
21eb3af317136ce7ff415caa23f2c92ae6396641db84d29a40dc1c7c71ffb7b501616df34d601d61497c0690613c101d38b8d41385020577c4e3221e24b16160

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
97KB

MD5
e5f2e11de792fd60c959a0da7813f54c

SHA1
9a85c8800e397265206c14c3c92d6097f348cb36

SHA256
348e21d3a4c89b7d16b76c9af8abc9ddf5ff3cf592ae30c7414390e396b5b5a9

SHA512
f5b7bcd1080c2a1ae7f70a6ded657611b30f603172aab1037d543f4fd900302215d526b6918e40f7d25c5007c16117ab10cc192810a6d9bd5c716b414621a541

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
97KB

MD5
62f54931891c7ee68c735f95feeda28b

SHA1
1b25e13b71861b030b2fdba12bd4a43025dde0d8

SHA256
f25143de995096e0b5e50684bc8266252d4d38fdbdb6bc6a193623b950f598cc

SHA512
d4a3b209f62bc9925617b9497eed53cf37e7b7291468a5f941012a5ed61d7f8a2078808fa74743970854db86e6136f9323a0acec7f87bdddbe01bff0e956ec14

Download Submit
memory/208-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/208-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3200-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3200-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3364-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3364-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads