berbew | 6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe
Size

337KB
MD5

e408b5ae659242544df2d0f08479b950
SHA1

674dd29821383ec5abc4019fa012760afb814dce
SHA256

6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8
SHA512

1a5beeac64fc44217d9d7866012e65c91fe32a651728ce86e45d9a31b1ea7cfb176badfc87ba0976e6fbb5084b841e58a7f92be27cb92b67c96e4be0b2ffec65
SSDEEP

3072:i2zyX1tsp1ZLkBwWqgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:3zyl21ZTWq1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 25 IoCs

pid	Process
1508	Bgcknmop.exe
1120	Bmpcfdmg.exe
3660	Bgehcmmm.exe
4744	Banllbdn.exe
3460	Bfkedibe.exe
4324	Bapiabak.exe
340	Ceqnmpfo.exe
2236	Cnicfe32.exe
2128	Ceckcp32.exe
1224	Cnkplejl.exe
184	Cdhhdlid.exe
2972	Cnnlaehj.exe
3680	Dhfajjoj.exe
3400	Dmcibama.exe
3704	Ddmaok32.exe
4652	Dobfld32.exe
4468	Ddonekbl.exe
4352	Dodbbdbb.exe
4676	Daconoae.exe
2164	Ddakjkqi.exe
2960	Dhmgki32.exe
4976	Daekdooc.exe
2636	Dddhpjof.exe
3040	Dgbdlf32.exe
3956	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	3956	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1508	2644	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe	83
PID 2644 wrote to memory of 1508	2644	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe	83
PID 2644 wrote to memory of 1508	2644	6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe	83
PID 1508 wrote to memory of 1120	1508	Bgcknmop.exe	84
PID 1508 wrote to memory of 1120	1508	Bgcknmop.exe	84
PID 1508 wrote to memory of 1120	1508	Bgcknmop.exe	84
PID 1120 wrote to memory of 3660	1120	Bmpcfdmg.exe	85
PID 1120 wrote to memory of 3660	1120	Bmpcfdmg.exe	85
PID 1120 wrote to memory of 3660	1120	Bmpcfdmg.exe	85
PID 3660 wrote to memory of 4744	3660	Bgehcmmm.exe	86
PID 3660 wrote to memory of 4744	3660	Bgehcmmm.exe	86
PID 3660 wrote to memory of 4744	3660	Bgehcmmm.exe	86
PID 4744 wrote to memory of 3460	4744	Banllbdn.exe	87
PID 4744 wrote to memory of 3460	4744	Banllbdn.exe	87
PID 4744 wrote to memory of 3460	4744	Banllbdn.exe	87
PID 3460 wrote to memory of 4324	3460	Bfkedibe.exe	88
PID 3460 wrote to memory of 4324	3460	Bfkedibe.exe	88
PID 3460 wrote to memory of 4324	3460	Bfkedibe.exe	88
PID 4324 wrote to memory of 340	4324	Bapiabak.exe	89
PID 4324 wrote to memory of 340	4324	Bapiabak.exe	89
PID 4324 wrote to memory of 340	4324	Bapiabak.exe	89
PID 340 wrote to memory of 2236	340	Ceqnmpfo.exe	90
PID 340 wrote to memory of 2236	340	Ceqnmpfo.exe	90
PID 340 wrote to memory of 2236	340	Ceqnmpfo.exe	90
PID 2236 wrote to memory of 2128	2236	Cnicfe32.exe	91
PID 2236 wrote to memory of 2128	2236	Cnicfe32.exe	91
PID 2236 wrote to memory of 2128	2236	Cnicfe32.exe	91
PID 2128 wrote to memory of 1224	2128	Ceckcp32.exe	92
PID 2128 wrote to memory of 1224	2128	Ceckcp32.exe	92
PID 2128 wrote to memory of 1224	2128	Ceckcp32.exe	92
PID 1224 wrote to memory of 184	1224	Cnkplejl.exe	93
PID 1224 wrote to memory of 184	1224	Cnkplejl.exe	93
PID 1224 wrote to memory of 184	1224	Cnkplejl.exe	93
PID 184 wrote to memory of 2972	184	Cdhhdlid.exe	94
PID 184 wrote to memory of 2972	184	Cdhhdlid.exe	94
PID 184 wrote to memory of 2972	184	Cdhhdlid.exe	94
PID 2972 wrote to memory of 3680	2972	Cnnlaehj.exe	95
PID 2972 wrote to memory of 3680	2972	Cnnlaehj.exe	95
PID 2972 wrote to memory of 3680	2972	Cnnlaehj.exe	95
PID 3680 wrote to memory of 3400	3680	Dhfajjoj.exe	96
PID 3680 wrote to memory of 3400	3680	Dhfajjoj.exe	96
PID 3680 wrote to memory of 3400	3680	Dhfajjoj.exe	96
PID 3400 wrote to memory of 3704	3400	Dmcibama.exe	97
PID 3400 wrote to memory of 3704	3400	Dmcibama.exe	97
PID 3400 wrote to memory of 3704	3400	Dmcibama.exe	97
PID 3704 wrote to memory of 4652	3704	Ddmaok32.exe	98
PID 3704 wrote to memory of 4652	3704	Ddmaok32.exe	98
PID 3704 wrote to memory of 4652	3704	Ddmaok32.exe	98
PID 4652 wrote to memory of 4468	4652	Dobfld32.exe	99
PID 4652 wrote to memory of 4468	4652	Dobfld32.exe	99
PID 4652 wrote to memory of 4468	4652	Dobfld32.exe	99
PID 4468 wrote to memory of 4352	4468	Ddonekbl.exe	100
PID 4468 wrote to memory of 4352	4468	Ddonekbl.exe	100
PID 4468 wrote to memory of 4352	4468	Ddonekbl.exe	100
PID 4352 wrote to memory of 4676	4352	Dodbbdbb.exe	101
PID 4352 wrote to memory of 4676	4352	Dodbbdbb.exe	101
PID 4352 wrote to memory of 4676	4352	Dodbbdbb.exe	101
PID 4676 wrote to memory of 2164	4676	Daconoae.exe	102
PID 4676 wrote to memory of 2164	4676	Daconoae.exe	102
PID 4676 wrote to memory of 2164	4676	Daconoae.exe	102
PID 2164 wrote to memory of 2960	2164	Ddakjkqi.exe	103
PID 2164 wrote to memory of 2960	2164	Ddakjkqi.exe	103
PID 2164 wrote to memory of 2960	2164	Ddakjkqi.exe	103
PID 2960 wrote to memory of 4976	2960	Dhmgki32.exe	104

C:\Users\Admin\AppData\Local\Temp\6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe
"C:\Users\Admin\AppData\Local\Temp\6c8ce57804ad79b8cbf2a09603c92818508d1a46d36c9f00bdcad99d8e1a2cd8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\Bgcknmop.exe
  C:\Windows\system32\Bgcknmop.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\Bmpcfdmg.exe
    C:\Windows\system32\Bmpcfdmg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\SysWOW64\Bgehcmmm.exe
      C:\Windows\system32\Bgehcmmm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 396
        27⤵
        Program crash
        
        PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3956 -ip 3956
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
337KB

MD5
b5978a7e08b163a13bbf3adb2c216cd0

SHA1
953f72bc2ff2f334c450c56b183e2becd533d320

SHA256
b3572ce097042dd4b2fbea3814a88143a080f284d14942dd53b29f7907c339d5

SHA512
08f35bb7a8362a1952e6c7f5d980c90f8820402ebe99a3ca89af1664e1ea0ce135173aeaaaa6c38844e5d76624abb6a30821d2d5a3821a6ae88461c3e522768f

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
337KB

MD5
993d56019d5d8fcf182c7dc7f98182e6

SHA1
ab3c6ee679579f962d0d467fe664dac086397d3a

SHA256
67e8ade0fc7806fd2de4fa9d84365516266f49b3b5637e6428e89b883633d403

SHA512
2a2c843aa80782dbabc5a854147f078172af8261fdf17fe04ed0db0878bf02e6dac382e08cbf502576c1c982c36b0727d1742fbfa20a90a2f97d44bd1ebe2b74

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
337KB

MD5
0e080a76b93a2864aa22d15d16f92d94

SHA1
4601ff232b895dfec4bae3cec708a792d5925cb9

SHA256
d7b04d9813d7897928bff833e34443e940a54323e761abb711a0c371a65cdd56

SHA512
525d51ca046a4b58d2487bd9bf3bfc474b5f1fe49b27f6b5a85ed9507edd8c41113cef2994b946a0e5ddc4b2d2f9db1b2026fcc611e0fbb12cf2cd15c162714e

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
337KB

MD5
01d8ad49c149bea2533a15cc8045c829

SHA1
43eeda1f625bc99e093cda6c829e0f3701c1bf16

SHA256
e6a9ccbc1f9813b41b3f5a7231315f52b8162a24f05b4536877924e1f9ec49b1

SHA512
a10635b0e6b77fedafde88a593f1b4b5f47bd0d82b44831e96d81ac16f6158c1fd4eac0809c805d3d88e92a9432e248ce70046e5742c8d665e2141b3b057d0cb

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
337KB

MD5
be24b6104fba2e25e1a1189b185fd4c4

SHA1
7e0e088a37b3888c8e1755e27353d8e711a87fe1

SHA256
7850d2c5c01ffed259f4f77263740f61e0e4959a5527c76ba1d88ad3b51ea39a

SHA512
91f17dd957bfa65bd05dd5b95a005b50f733fbcdd076c0898303da0eca4aadd12e2bfcab39f39bfad70f465a1f35ec6a0ea341a607f97e4e4cc878f59e0692d7

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
337KB

MD5
f32ac399f95b1c5c6328c41e15c0295d

SHA1
183de22a398d357e5f4ae8481dc0c13fc74b3e5c

SHA256
d365210ef6c790bc6b9628085a2d66ca1647c9a199e7e1b78127a1b68336ebe3

SHA512
c1e17ac9c777070f0f02f6051bd9c923b217111fa57de8cc151142aec7297a5807f242eeafe1f1b157225d7f712655ba88d951b8ba95633a57fb7fd10b7e8e2c

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
337KB

MD5
122e753f34229de60e458997a0b272fe

SHA1
516a94216925a6f6e5465d82cc71a76e6a9c4faf

SHA256
e4a4616bd3641ba9a68955faa638cd0d387578391ad96b906e9d01da287dcdb1

SHA512
f0732e314d69aa91a5ff6c5145112dcde39bf9ae776e686b1644cf5d73cc23ffa0427d89385693433353c1a6bedc7b0666163024977578540c0efff18f9d048b

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
337KB

MD5
e076163195826165c055a0d630710986

SHA1
9a3777ded96cdccd4d350542cc5aeab6bfe08773

SHA256
ecc2a61acd39a2dd2fb1999949f071b79e7b497101aaa23278b7c7b385055c0d

SHA512
6f59c2443e7f5d6daec47e7a2989583aa61c74d0825aff14ed5b65bcf8d87ab5ae9ff9fb2486b8f2bf00d2cb69f04677d8f3fb1817cce132311a191bf52bf1c4

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
337KB

MD5
b2508663768e9350eef8b05bc01c1aed

SHA1
18690e54f9bee5f0b664ea0a0536a3c450ffdf10

SHA256
f3d79be114ecfb1ed59487313f9a7123f6e43a1efaae015b0fa2fd8af924e9e3

SHA512
172abb807eb22b6b5798725a410a62fc74b6179f7c4a2ad63bc2fecdf4e2b7dbf2a0360e2b671b48d8a416740a885b0c432b1253038ec302f4622b24a06a0eaf

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
337KB

MD5
441104786339b2081f475a1eb9388aee

SHA1
cf66b947f2dfe2fc068d7fa306356b4f1de890f9

SHA256
c9c20faea06cdf1f304ac88216937aa93f277c9cb860f743e75d4dbb62bf308d

SHA512
5776fd634f771873d7f6be96b1271617d21957a30bccc6a7f7f0dc346d355277a07371a3fa8b5669b611929a6725de62262b854674e24cdabf138164f9370334

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
337KB

MD5
449e628c3aa246082aa8a60b0b2d96fe

SHA1
78acd0c732a694a720dc2dac60d5106ceb38f367

SHA256
9224676754b0c3e90e8348f35417542e798824665449bd28747c7d568775ae65

SHA512
01fbef099140353c7cb4fe0025f9ff14b8db7f0822f0bfe0fd5d6f66cb20e5cc01e9e6d9c62f9608c07e672937fe87e32f9fcac664fbf595e0e6635e94dd4c31

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
337KB

MD5
c63dfea17885bdc2bf64c4b3d5a2ead4

SHA1
90231888acd59cfe3d2629e741d95648c50589b0

SHA256
457c264bd3d0dbf7f4f2fe8e0ac945f2335790d58b275c3b1e872a71ab51c6a6

SHA512
93a1811c79546fbd757c90f13acc00fb86cc4e7e9d94b1805f094341946a98be93ee011e1871767d9f7e69de17f307e76c624bf585a544609cde709f94841252

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
337KB

MD5
9642ca6935f2946d1f77c3fd011f68e2

SHA1
4cdecb9ed42e16fafc720b7427746bc1a6a717ab

SHA256
0549548d2baf48aed59cccbe359b424474b4692950b38ce334c0ef10d139b9e0

SHA512
9e888faeb250318904bbb90467414864a4fdd49870ab1af46af4d93a586bf0dff9ecf45ba7f9172f36519702c7e2118c4846236dd9990e645bd69f75f0b6ddd5

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
337KB

MD5
b0dba0efe671b727e52c8a04640094c7

SHA1
c98958ea4f3d87ed62eac8a479ae0a12fac40954

SHA256
7ddedf125b4dfcd93898698d075e870b06e3b3920e6ce3113c5c067afc484c4c

SHA512
dc20a367e71e426bc58863c4510d5660bc49f1691baf4dff60fbb1acc95ee234f0f2e2d7aaa52d5c5c951817cc35bde1665de61b88b555854856e1b014016e71

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
337KB

MD5
c1afea73e2b7c87464a1e7623e70c20e

SHA1
c135864d9519f4ad407180dae41881b1e775dbde

SHA256
44cce72c4c0119b8ffa111b39d900f770753bfaa76ace68e0ffb6e767bcafecf

SHA512
3c0dfa3204b4f69b0842f6e14006c50094363d5c57686866c7ff37982e06e74299a49f398b3cf3958852106be35709de0971f78dd3778b33859abc89d8d6c675

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
337KB

MD5
14168cb66c52be23891171874d6dcaf7

SHA1
ba7ca7609a5a5d4d575c29be931e3020582d144a

SHA256
92bb8964974a9a7beb09a0053b6590b667a991d3dba19a3208dd903ba01567f4

SHA512
48525640e475d441fd5998a552e7a9fe4745e2ad91e9a8d99be99edf7ef19da63ccbf72decfe326b1db794957c585e9e5750b8468b31e226418c6442dadea5a6

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
337KB

MD5
6cc40d0ecfc0aebf23ad9132b967e327

SHA1
c8ea7e7790e5814adb9263c68c6cf3bb1548c950

SHA256
a721774cde5a3cef6520f511e2e2833aea6a4809c9ea774f1123582fb5fa59b2

SHA512
a92424263f11b3d69e64e5c9bfb2a8735653ed60c07565d8e5d585856fd0983b2e6ff7430b95d095953fb1408a70067f71b24856c5e037e71da8c5205aef1bdb

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
337KB

MD5
d2fba44be1a299b973ca079468311838

SHA1
fa9f5afa4715b03c0c25ff8d91e885802ef9e1eb

SHA256
372486759b4361bf5b268d10da042096ab29a5381f6647ee85f4d886ada095ca

SHA512
23752e8a459f5ecd7a77e7f165dc0c02f2c0952efd9834af9abb949a77d198b3cf9d61f05cac76f52fe2496e89830cba47234d5e8a55d6fb1ee55ac209fe6ee0

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
337KB

MD5
b5e38842925e8b8b3522f8a23cc2d12d

SHA1
81379cc96aed9316b3925c2478f3f53467f8fe60

SHA256
cf3d0ee21a5ecd277a32b30f8669bfc22204732f2ca20539cb48709fd323d3cb

SHA512
a2798e3256d458514d68ef686c80a12ede287a16934e11ab82c53fc7d43add6353553df9a78d74a50c9b6e830faf6c0f8e77ba9d4c2b7f36e234fd90910f9310

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
337KB

MD5
75de2a70c9fc1c57509e7916861c5d40

SHA1
30570b3159db066a245aedd382c72cff212c8424

SHA256
0b640281faa037961b5e15bca0961ad989831059b7fdc0b599416084e3757705

SHA512
b0d977984210421fadd09d77ea3672d9fd6c945079c8f996358d918bb488b0b34c7a4147465cab42e108f35415aa62d6ab484ac445d8f8ede91cd87d12620a19

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
337KB

MD5
7cba44bc1c28d2b74066398a5bed433a

SHA1
f52bbeb9068b064befc8ef81af407d34120fc649

SHA256
72d3a4dbaf215dca26848efc136618540df9f80416374b584d2959e7753cbda2

SHA512
9fdea85445253057d097d2cc74bd35b0accfc08f555ffb5c9307ffa2757e44d258628b8bfb284b74f19b59d9702e98014cf968f0b14dc023d29f0d795367c627

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
337KB

MD5
5d986a630f9f21a7cf3d0e7d54ae72cd

SHA1
9001be900027c9c815f42110ec7f46e31056666e

SHA256
15ea3b4d2704265f6640e99c6e035b8646be8624cf93f0dc2e431131777ec202

SHA512
bf7e8fdd7498afa531b1c3fb296be99ff2a1cb7225c86d102785d0753447606b9c1f403b6ecdaa08c660bb49a7d57bcc99c307d26b52b37ee74c8ca0b2696b25

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
337KB

MD5
07cef968b5457abcccc5597afb6975a0

SHA1
c9fc94f11c9cc0bd998cab88762ac9146ac46d8d

SHA256
1eff7f330a54fecc7783b5628ea1ba899a3b94b94b103c934add5cbb05011729

SHA512
c08914cd7b3a070f9c426614f81efc13191d44447f3e915d47337d9c757a1cd04c130f0a77a1e89f06bcd60a6fe6e100ff3e21f198ebd41c121399439d0a9af8

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
337KB

MD5
86c312c2e9d13040fe593723613f3f95

SHA1
e5e607313cc811ce97108ef285b3e528b5a13174

SHA256
7090d6b4bc4ce58ca7e8295d0ff21512d810aa7dcd7d43a53b5ae7d7d1904ffa

SHA512
65b3996d31d8ca2792bc968ed08f6261bb5387859811ebae0b06c1b6ee3905f77417ed55f84fd4b788b8668e07dd093d18c9a0ff47978e6dd1ef555a035006ff

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
337KB

MD5
4ab7c1ad0f271a9d9db94e8f64fefdb0

SHA1
cad8297f2d066ca92ab71b99b036fc760a45469c

SHA256
96dbd11d44846ba62efc5588a349bcc83c3199e3f2360b4d321ddd4590044f46

SHA512
07f7d08bf7d56258360fb13eb289af4a17db5d2769a57dbe79be092a9484e6797716bc4ca55bc87253f3ed0b71a21408cdea10a28c7f30cd671aed2f1e2de20e

Download Submit
memory/184-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/184-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/340-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/340-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2960-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads