berbew | ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80c

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
Size

194KB
MD5

ba263471be06f0dc6bb403fefdfd9500
SHA1

5531ce1e453c6e638ff29d9a106b1c7207df7b0e
SHA256

ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80c
SHA512

5f178cc3d5e2646f5d448140b8fe45ee3f989120d537afafd1df21de1a910306e4af3b3daba4c2cee3df2156653657c97ac3a8b820cea3bf5df4dad144a92514
SSDEEP

1536:58yNlbVN4JanHgbIFEoeOaJbZatMIM/5/KEatMIGuatMIc/zT4a5GV:ZlbVN4oQJNmMIM/kEmMIGumMIc/1GV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 26 IoCs

pid	Process
2380	Bhhdil32.exe
3856	Bjfaeh32.exe
556	Bapiabak.exe
4764	Bcoenmao.exe
788	Cenahpha.exe
4572	Cjkjpgfi.exe
3952	Ceqnmpfo.exe
3896	Cfbkeh32.exe
3568	Cagobalc.exe
5080	Cdfkolkf.exe
2164	Cnkplejl.exe
704	Ceehho32.exe
3500	Cjbpaf32.exe
5092	Cmqmma32.exe
640	Calhnpgn.exe
4384	Dopigd32.exe
2248	Dhhnpjmh.exe
2668	Dobfld32.exe
2588	Ddonekbl.exe
2240	Dfnjafap.exe
2052	Dodbbdbb.exe
4520	Deokon32.exe
1576	Dogogcpo.exe
544	Dddhpjof.exe
460	Dgbdlf32.exe
1968	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4468	1968	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 2380	4316	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe	83
PID 4316 wrote to memory of 2380	4316	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe	83
PID 4316 wrote to memory of 2380	4316	ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe	83
PID 2380 wrote to memory of 3856	2380	Bhhdil32.exe	84
PID 2380 wrote to memory of 3856	2380	Bhhdil32.exe	84
PID 2380 wrote to memory of 3856	2380	Bhhdil32.exe	84
PID 3856 wrote to memory of 556	3856	Bjfaeh32.exe	85
PID 3856 wrote to memory of 556	3856	Bjfaeh32.exe	85
PID 3856 wrote to memory of 556	3856	Bjfaeh32.exe	85
PID 556 wrote to memory of 4764	556	Bapiabak.exe	86
PID 556 wrote to memory of 4764	556	Bapiabak.exe	86
PID 556 wrote to memory of 4764	556	Bapiabak.exe	86
PID 4764 wrote to memory of 788	4764	Bcoenmao.exe	87
PID 4764 wrote to memory of 788	4764	Bcoenmao.exe	87
PID 4764 wrote to memory of 788	4764	Bcoenmao.exe	87
PID 788 wrote to memory of 4572	788	Cenahpha.exe	88
PID 788 wrote to memory of 4572	788	Cenahpha.exe	88
PID 788 wrote to memory of 4572	788	Cenahpha.exe	88
PID 4572 wrote to memory of 3952	4572	Cjkjpgfi.exe	89
PID 4572 wrote to memory of 3952	4572	Cjkjpgfi.exe	89
PID 4572 wrote to memory of 3952	4572	Cjkjpgfi.exe	89
PID 3952 wrote to memory of 3896	3952	Ceqnmpfo.exe	90
PID 3952 wrote to memory of 3896	3952	Ceqnmpfo.exe	90
PID 3952 wrote to memory of 3896	3952	Ceqnmpfo.exe	90
PID 3896 wrote to memory of 3568	3896	Cfbkeh32.exe	91
PID 3896 wrote to memory of 3568	3896	Cfbkeh32.exe	91
PID 3896 wrote to memory of 3568	3896	Cfbkeh32.exe	91
PID 3568 wrote to memory of 5080	3568	Cagobalc.exe	92
PID 3568 wrote to memory of 5080	3568	Cagobalc.exe	92
PID 3568 wrote to memory of 5080	3568	Cagobalc.exe	92
PID 5080 wrote to memory of 2164	5080	Cdfkolkf.exe	93
PID 5080 wrote to memory of 2164	5080	Cdfkolkf.exe	93
PID 5080 wrote to memory of 2164	5080	Cdfkolkf.exe	93
PID 2164 wrote to memory of 704	2164	Cnkplejl.exe	94
PID 2164 wrote to memory of 704	2164	Cnkplejl.exe	94
PID 2164 wrote to memory of 704	2164	Cnkplejl.exe	94
PID 704 wrote to memory of 3500	704	Ceehho32.exe	95
PID 704 wrote to memory of 3500	704	Ceehho32.exe	95
PID 704 wrote to memory of 3500	704	Ceehho32.exe	95
PID 3500 wrote to memory of 5092	3500	Cjbpaf32.exe	96
PID 3500 wrote to memory of 5092	3500	Cjbpaf32.exe	96
PID 3500 wrote to memory of 5092	3500	Cjbpaf32.exe	96
PID 5092 wrote to memory of 640	5092	Cmqmma32.exe	97
PID 5092 wrote to memory of 640	5092	Cmqmma32.exe	97
PID 5092 wrote to memory of 640	5092	Cmqmma32.exe	97
PID 640 wrote to memory of 4384	640	Calhnpgn.exe	98
PID 640 wrote to memory of 4384	640	Calhnpgn.exe	98
PID 640 wrote to memory of 4384	640	Calhnpgn.exe	98
PID 4384 wrote to memory of 2248	4384	Dopigd32.exe	99
PID 4384 wrote to memory of 2248	4384	Dopigd32.exe	99
PID 4384 wrote to memory of 2248	4384	Dopigd32.exe	99
PID 2248 wrote to memory of 2668	2248	Dhhnpjmh.exe	100
PID 2248 wrote to memory of 2668	2248	Dhhnpjmh.exe	100
PID 2248 wrote to memory of 2668	2248	Dhhnpjmh.exe	100
PID 2668 wrote to memory of 2588	2668	Dobfld32.exe	101
PID 2668 wrote to memory of 2588	2668	Dobfld32.exe	101
PID 2668 wrote to memory of 2588	2668	Dobfld32.exe	101
PID 2588 wrote to memory of 2240	2588	Ddonekbl.exe	102
PID 2588 wrote to memory of 2240	2588	Ddonekbl.exe	102
PID 2588 wrote to memory of 2240	2588	Ddonekbl.exe	102
PID 2240 wrote to memory of 2052	2240	Dfnjafap.exe	103
PID 2240 wrote to memory of 2052	2240	Dfnjafap.exe	103
PID 2240 wrote to memory of 2052	2240	Dfnjafap.exe	103
PID 2052 wrote to memory of 4520	2052	Dodbbdbb.exe	104

C:\Users\Admin\AppData\Local\Temp\ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe
"C:\Users\Admin\AppData\Local\Temp\ecea81a9eb59456b6888fee3de15a77daf72494d03b90db4a674a573e94ef80cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\Bhhdil32.exe
  C:\Windows\system32\Bhhdil32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\Bjfaeh32.exe
    C:\Windows\system32\Bjfaeh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Windows\SysWOW64\Bapiabak.exe
      C:\Windows\system32\Bapiabak.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
      - C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 404
        28⤵
        Program crash
        
        PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1968 -ip 1968
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
194KB

MD5
02f5e4c819e16ebdd10c32fddef5801d

SHA1
5de8e549c8388d109975a4a7716db5e2467c6f8f

SHA256
57aded5297a7cb4e664599ad51b3c826e2323a021e4989f5c6ea577e52051137

SHA512
ce8ee23d207ae2f5da6ad27934dbbd801ef8256bf78653d58909fa95314817f0e299eead49ed96933820c0077d5185525e900d73311c9d3c4f3d7f20fe79cb5f

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
194KB

MD5
0ed96581003901be692555c2dbc08173

SHA1
3fa1483a6c94affe513d0b1673ea76ae4919b38d

SHA256
52e30fa7c13337cbab1e00239011483c56ea44dde8c11836427c3df5949385ee

SHA512
30b4857c2c87d0d3d6bb41bf93bc988ace190fcb21e0c05a94d35c387b8de2d5c04b1b177cd5c304906006eea4ac138c878ee22b12799cea077fe00df6dbf278

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
194KB

MD5
47ffc789abadccc6b445fa9c07ef65f6

SHA1
66cd75be487aff9b118fe4a67059c7ac102755e9

SHA256
d19d0c7831997763251d87a7359263d3def889128af862c06781fd1da6cd2aee

SHA512
5bc4a6e0c87384bed842756fccd499713f7b7937146499b88e899c638e8757f0738ee96d86c17b0b835c0dcc6ef055c515d1177e1f485f4cd2ef41a56d4cabbd

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
194KB

MD5
133aa787b56ff69eb1105fa45718781a

SHA1
153585043827fa4f624edf44561598eefa63da62

SHA256
fde8c4d0701a8d1c8f879cc55af901a831b9717824b983dd65120ec06d038859

SHA512
f705a8b3f912ad2ad1654065b0dd74b9c1cba7ed76070bbf34ac6ca651e6654e4a5498defc510797859e78fda7345f8652001e50ceb2749a8953ea07cbb78b87

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
194KB

MD5
1d8807623f79bce595388cffe0e90c0e

SHA1
3c42c9949ba205e6b5f76ec3f05c2ed0a802c27d

SHA256
0dae704e973e8812db49f83391ca3af7a59a6d7aba6857112e581e44d5c4d57b

SHA512
99841e4990a6002e92399b0b669d5013e4153b63039eebd8d471719b3cb63e1faf11e9deeccc40ba4262b47194186e11b83519aa5a388c1025f075b6243040c3

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
194KB

MD5
0455cb7f7db489128e22de8c18bb12c7

SHA1
bd02641bbabc18fd706bcb447f4bdc8943301cff

SHA256
7aa2d386d1ac1918243c8bdc9820b44569df2172d1bf7466e1fc0fce19b914dc

SHA512
1b5124c920d4a3384f78d2711316d77ec5299d34835ae88fee4b098ca732d67fc33b9217bd8e32520cf628969e0a1cb3564e2ed52629bd4241181a0431a05756

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
194KB

MD5
c48b1c9e39e3d85680a67e8d927cc607

SHA1
6ca1261d3426b6106bb2b67e0d9476be9bc65c2b

SHA256
6faa23a7044ca4eb833d2e1d2099e67006e4f3fd6acab426e6179c9494e65551

SHA512
9e151700cf174ed0db75b0947a6109dde18f42f2e15e15fb2d329c2c3247f7f6477891d44db2e4dfcf084bc94f5a8ebd5d82b687fc225c9276af496717851e1f

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
194KB

MD5
333a67cb009f6239b483189113428dc6

SHA1
a0a411a2def164e2fde26781ea5285222490dea8

SHA256
ed7b3bd023ceb532ef40ca35ad791af4dd5a1cbad8e75528b3535344ac893bd5

SHA512
08972fc062fbb715669b1fa0b5c2c9b9c617c934f955ac7d11052b58f3c8b0c89f764058cb3d0ba91a852f564a1809f3dd19db1919a9db736d73b27e5efdd283

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
194KB

MD5
c710bdf1b28e0fb86a7ac02a8eaf107f

SHA1
bd8af081666aa802faee95d1ed382e7338e8d3ec

SHA256
2cb4fc8b560dd33a340398f82ed5719d93cbd00eb7f59665c33a0dc27a4ab4cf

SHA512
f95c9d5fe89a950335ae63260abe23915f1fc915089f5736c07766a6918addb7075e317ee6970c6059269bcc21ba6767fb7b9fd7816d91a4a19ec2c07700b3f2

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
194KB

MD5
12b1c4cc06c57a314bb4a342524c8bf5

SHA1
778768b9b07f24fe79e20b415be657b3584dc0df

SHA256
a44a85398c9eb0ce7b40c15c0fba331f589069e3b52069d8c27fe754997be2f6

SHA512
c28f73f719ac8e270beb79478d3364809b98fd603b9f5e520b6491759ba27f3e67b330a0ff1e9b0edb4165976bca3415a043a027366f0500423ccd7825647e07

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
194KB

MD5
c3b6235d5ff62af1adfef4661eb8051b

SHA1
8fed19560be06ed78a8a802251904232f134786d

SHA256
5f9aa11b9a300d9d7024dba0d73f56a1cae66d23dc163215842666388ff34ec2

SHA512
8a426ffdb91c38a578380d9242d14a70998ff53bde3c39ff3e0751ff4544b49c9f37151ee9268f82280ee4eb38117dd62ba91a0a30cde9ed3ca2e032d0680725

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
194KB

MD5
451646a54a75eb3e0e7472b3e57d3951

SHA1
4a25ecc21c5eb91cca44b1a6d58df2e083e66aa0

SHA256
f37c9c32c70920b6128b815448ecf3f124c91d6e64714d1e4a06f512021201b5

SHA512
6396e142798d862ce3fe2eb44a27466d403529f9305e67d47f8c8e453f8370d8065e4c11c0503db6c2318faaed2927963adcc88eb1c8b2b5e2636a336fca6a0d

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
194KB

MD5
f8aaa2c216835500e51e15cd65055c1e

SHA1
65c55c1d609f8c0bdc24940c969f603bc817ef21

SHA256
6fd9602baa450595bf905faab39792724122cc658c09e540ac74c09d0c7d9e9e

SHA512
7124f2c0eef482d8b8e61a41cd4d5f0e995d8a95611e1e93b1d5e3631909764ac8aa2b6bffab4f464dc862a0015d47f7fcb8ee8258671ed615281da82343e0af

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
194KB

MD5
65b097752ff5713fba2dfabbbfda4470

SHA1
2f14e26315a46322f4c0d563f6daa68438d78b85

SHA256
44b836a201064cc3e8bd2174cd2a83f4f9d9f79a89d9d9cea865410c8160ddd1

SHA512
4bb59eadd9f7160afe4d06022d5d6e30420c224dfed88470af92befcd4874c9854cfe7711228f597a6182de26e2b42d0be15402d945a7a5bb5cae2e2083f8536

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
194KB

MD5
7a054fd9776efe46646f982e204924c7

SHA1
30e38f6e7532ad285a18c88b8181e1af409b531f

SHA256
0255d1ab3c6394efd807b8c9084c0dd01169778230f8cbe7db528d61f1a20d46

SHA512
bf0d6dd71c7acd98969fe9badbf1bc6a965b79fa000aa8360dfe47e90f5e08b425d12a464a650b71cb0eaacf88db9ac8057cbe8a128599538f2248263188e26f

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
194KB

MD5
013e9ffd120bd57efc5e75cea8d902e6

SHA1
631ba54d9093fcad8ad849c86a8c18b28c18cd5e

SHA256
4fba9ec73697149e29cee99323df4c1c190d232c9af36b620a5c4e61075df635

SHA512
bad9bc1da8b845afdde8f07c7d4b18bb99100ccdd9a1adbcad7adb2179b8e7220e1755f0a3c73f82d4e65080648ef33228b4d20f11336639d9a1a5a943aa29eb

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
194KB

MD5
0a323e2fee5292e49559277da088bc5a

SHA1
8457676b9e0bfa456735eb1acee051dbc8c779a2

SHA256
5e9b8c1d378b101e2f332b6315682d8f3d44c59df75820f13a678c0498ebf29e

SHA512
71c1e5d1d5d8ce246afc7432f94f7d371a611fe1c4c70511c18fd3139c6bb155d7ba30221a7309d060d96f2ac494187223a4f67ee914aa2018217abb97dfc43c

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
194KB

MD5
2f187ad203e7a8e838341b4d67ef55cc

SHA1
666e258f7d7c1dcba78672f840515fa91ea00ae2

SHA256
ba668fbfed97a6695e656a37832432fd754e5cf1835c96fe09942db0849ba263

SHA512
92245ecf5bbf9f1bd09807ccdbcba0bb70d923333fd1a485fd3b09bf28ff86c152888d9eed0ce4b79b6f840277d57ea975d3833234112f5791582772feefd5d1

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
194KB

MD5
24a363dad783f2f0e6b0880c18a889d3

SHA1
0150ba6a00a4ba576a4fda37c97db2be708c871b

SHA256
d78b495a8ba1178e8c64721ff160ea8fe5a155da2e4e63e612a71eeed98fd163

SHA512
8c8e172038b80ffa172143c5f1f89313d11f7ea1321c1798ab8585ba91c165a0e532980803146234a4eadaea95da63ee0c4135c11a1ebb1b039f6c5aa2a5c149

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
194KB

MD5
e567bbd29148a2a2eacf9c2242a46af6

SHA1
89271f04498f53a576ec1ccd937b9d4c08fbc060

SHA256
7a03aab252cbd8d51c8917b42a0c14f91e08535ced933c6ce40b1c1e6751ecd5

SHA512
65785a98e4ef6092c563f691c554bdf7f2c688a5e04b57a0783d4581cc218208c8374f2e2a1d989bc59dc599d19e09912c3147c3af83237752de660571608ee3

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
194KB

MD5
a34d5ee2895a10c81cd68d376f8f6723

SHA1
4687c054cbee4c39baad3b565606d8cef116844b

SHA256
60529bceb5b9b13e04117e2a26dd802d54e196ecdc69125ddaa8a5220738a5d0

SHA512
7dd782deaa4d6f95efd50c66848620106b3359cb68f2d95d59220b0f787fcdc4496c0c889441b69b8f7beb1a6640ed5af55435be6fb556faa8360069fb45c612

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
194KB

MD5
7efe12cefb9a6de022492eac42eb39fb

SHA1
f6b754a4abe483bba9b83a6066ecddd012838496

SHA256
484e88a5d49e6b34695eef6a12eae359a4e3e2ccef1fa01b177f2a8f6eab6c9d

SHA512
cfb55bd9761ed7d2f997e596bfb400166e72880dd61abcb0e0575661cd230f40b351507f8472b6593b3ff41a0e8d191d71adb2c0cbae90820d2c5e38d810dd76

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
194KB

MD5
e7e9a2d65b407d781cf4aa6971465c35

SHA1
69c5f3c4b559c169ea26574683873375a6b88051

SHA256
84f9183292a76d7cceacfd46eb2ef7f48119444b8cdcdbbc17456b814859a0bc

SHA512
146bbea8ed50aa05bbff88ff7924cedb3f8e3e744ca7942b2b3bba6f83f3a38e461b90ea40e59877b60eeb3fe05d378766fd4e9488632c19c984eb91eb1d3ff9

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
194KB

MD5
11db4e54a5b5bb156af0a2654b3d34ea

SHA1
4b68896a518ffb9454a5584464605d77d1487db3

SHA256
b5282a8285e2f9f3770c752d2c6ae602f3a06a1d585e98ecb1ba6e3c87339fff

SHA512
4dcb1b95fbee1f8f0b7b831475d87f5754ae8c2f377e1db2ccde82786436a24b2b8ac6e7a584cabdcebaf3b301aee036d02fba10b9de06b19ef2e4a0fd2f9583

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
194KB

MD5
1f7aa0ef3afaa0404bf00b039937e45b

SHA1
d26e7257479598d560a3728f27431a92c9e8d550

SHA256
afdc8497b816a42ee2eaa345a55a34cc7a03c0e2b5b137b3532d68a1d9f28bf6

SHA512
f16445155fc144c378e8281254cc55778e233240ca3f1aa7425570e082b33d72c9a64c4d34ec6aeb3bd14066bc27805e557b708df22e8eb2e169d503e2a1fd1d

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
194KB

MD5
d6dc2b8607e6bc3629e37a3852bd60cc

SHA1
2d9199704fc4e34f90732f135f234e9cd71887c0

SHA256
9707fb5cc95475a6b500e02ef61d3efe6798300cfca0e0fd0f836e7146456ab6

SHA512
1773a41a0fa58eded11e7cfdb74434ca65ee4860542020b41ef981dd9709530a54629ba105191fde201acd57d485d747dcb26caf2ae8a1148315fbea50fde0a3

Download Submit
memory/460-200-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/460-212-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/544-214-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/544-196-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/556-255-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/556-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/640-231-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/640-119-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/704-237-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/704-96-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/788-39-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/788-251-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1576-183-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1576-216-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1968-208-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1968-211-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2052-168-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2052-219-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2164-239-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2164-88-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2240-160-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2240-262-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2248-135-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2248-227-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2380-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2380-259-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2588-223-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2588-151-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2668-143-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2668-225-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3500-103-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3500-235-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3568-243-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3568-71-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3856-257-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3856-20-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3896-245-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3896-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3952-247-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3952-55-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4316-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4316-261-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4384-127-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4384-229-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4520-221-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4520-176-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4572-47-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4572-249-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4764-253-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4764-32-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5080-241-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5080-80-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5092-233-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5092-112-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads