berbew | b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971

Analysis

max time kernel
33s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
Size

96KB
MD5

154d66eba661cdbe234fc1a35b81ebd0
SHA1

3d66c17189f93feff606c542f8c77593bd862767
SHA256

b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971
SHA512

a1a6187eb890b3ff3cb4e1aa12f0e50bb9452d63ea0cf1e7ff4f4ba9f52f4d2ce556cd3563bfea3fc17523b5c394e7fb77945b6efab08e218e2d7883938ed55e
SSDEEP

1536:sMiBUOjbSHBpENEC3Pe701gZRctFteCMbN2Le7RZObZUUWaegPYAS:3iBUYGMECG70+mtneCGeeClUUWaef

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejhlgaeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emkaol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidoim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emnndlod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dookgcij.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 23 IoCs

pid	Process
2732	Dbhnhp32.exe
2780	Ddgjdk32.exe
2852	Dlnbeh32.exe
2520	Dkqbaecc.exe
2944	Dookgcij.exe
692	Ebmgcohn.exe
1488	Ehgppi32.exe
2828	Ejhlgaeh.exe
2004	Endhhp32.exe
1700	Ednpej32.exe
1140	Ejkima32.exe
1916	Eqdajkkb.exe
2176	Edpmjj32.exe
2508	Ejmebq32.exe
3064	Emkaol32.exe
2180	Eqgnokip.exe
1484	Egafleqm.exe
2120	Emnndlod.exe
2268	Eplkpgnh.exe
1056	Effcma32.exe
2144	Fjaonpnn.exe
1756	Fidoim32.exe
1996	Fkckeh32.exe

Loads dropped DLL 50 IoCs

pid	Process
3032	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
3032	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
2732	Dbhnhp32.exe
2732	Dbhnhp32.exe
2780	Ddgjdk32.exe
2780	Ddgjdk32.exe
2852	Dlnbeh32.exe
2852	Dlnbeh32.exe
2520	Dkqbaecc.exe
2520	Dkqbaecc.exe
2944	Dookgcij.exe
2944	Dookgcij.exe
692	Ebmgcohn.exe
692	Ebmgcohn.exe
1488	Ehgppi32.exe
1488	Ehgppi32.exe
2828	Ejhlgaeh.exe
2828	Ejhlgaeh.exe
2004	Endhhp32.exe
2004	Endhhp32.exe
1700	Ednpej32.exe
1700	Ednpej32.exe
1140	Ejkima32.exe
1140	Ejkima32.exe
1916	Eqdajkkb.exe
1916	Eqdajkkb.exe
2176	Edpmjj32.exe
2176	Edpmjj32.exe
2508	Ejmebq32.exe
2508	Ejmebq32.exe
3064	Emkaol32.exe
3064	Emkaol32.exe
2180	Eqgnokip.exe
2180	Eqgnokip.exe
1484	Egafleqm.exe
1484	Egafleqm.exe
2120	Emnndlod.exe
2120	Emnndlod.exe
2268	Eplkpgnh.exe
2268	Eplkpgnh.exe
1056	Effcma32.exe
1056	Effcma32.exe
2144	Fjaonpnn.exe
2144	Fjaonpnn.exe
1756	Fidoim32.exe
1756	Fidoim32.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Clialdph.dll	Dookgcij.exe
File opened for modification	C:\Windows\SysWOW64\Ejkima32.exe	Ednpej32.exe
File created	C:\Windows\SysWOW64\Qffmipmp.dll	Ejkima32.exe
File created	C:\Windows\SysWOW64\Egafleqm.exe	Eqgnokip.exe
File opened for modification	C:\Windows\SysWOW64\Emnndlod.exe	Egafleqm.exe
File created	C:\Windows\SysWOW64\Eplkpgnh.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Khknah32.dll	Fjaonpnn.exe
File opened for modification	C:\Windows\SysWOW64\Dlnbeh32.exe	Ddgjdk32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqbaecc.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Ehgppi32.exe	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Aabagnfc.dll	Ejhlgaeh.exe
File created	C:\Windows\SysWOW64\Bpbbfi32.dll	Endhhp32.exe
File created	C:\Windows\SysWOW64\Ejmebq32.exe	Edpmjj32.exe
File opened for modification	C:\Windows\SysWOW64\Dbhnhp32.exe	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
File opened for modification	C:\Windows\SysWOW64\Ddgjdk32.exe	Dbhnhp32.exe
File created	C:\Windows\SysWOW64\Eqdajkkb.exe	Ejkima32.exe
File opened for modification	C:\Windows\SysWOW64\Egafleqm.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Ddgjdk32.exe	Dbhnhp32.exe
File opened for modification	C:\Windows\SysWOW64\Dookgcij.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Geemiobo.dll	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Edpmjj32.exe	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Effcma32.exe	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Dkqbaecc.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Cgllco32.dll	Ejmebq32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Fidoim32.exe
File created	C:\Windows\SysWOW64\Dlnbeh32.exe	Ddgjdk32.exe
File created	C:\Windows\SysWOW64\Ejkima32.exe	Ednpej32.exe
File opened for modification	C:\Windows\SysWOW64\Emkaol32.exe	Ejmebq32.exe
File created	C:\Windows\SysWOW64\Jaqddb32.dll	Emkaol32.exe
File created	C:\Windows\SysWOW64\Affcmdmb.dll	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Ckgkkllh.dll	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Ejhlgaeh.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Endhhp32.exe	Ejhlgaeh.exe
File opened for modification	C:\Windows\SysWOW64\Eqdajkkb.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Pmdgmd32.dll	Eqdajkkb.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	Emkaol32.exe
File created	C:\Windows\SysWOW64\Emnndlod.exe	Egafleqm.exe
File created	C:\Windows\SysWOW64\Ebmgcohn.exe	Dookgcij.exe
File opened for modification	C:\Windows\SysWOW64\Ehgppi32.exe	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Nnfbei32.dll	Ddgjdk32.exe
File opened for modification	C:\Windows\SysWOW64\Eplkpgnh.exe	Emnndlod.exe
File opened for modification	C:\Windows\SysWOW64\Fidoim32.exe	Fjaonpnn.exe
File created	C:\Windows\SysWOW64\Ednpej32.exe	Endhhp32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ednpej32.exe	Endhhp32.exe
File opened for modification	C:\Windows\SysWOW64\Ejhlgaeh.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Jkhgfq32.dll	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Pgicjg32.dll	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Dhhlgc32.dll	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Mmjale32.dll	Ednpej32.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	Emkaol32.exe
File created	C:\Windows\SysWOW64\Ahoanjcc.dll	Emnndlod.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File created	C:\Windows\SysWOW64\Dookgcij.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Oakomajq.dll	Dbhnhp32.exe
File opened for modification	C:\Windows\SysWOW64\Ebmgcohn.exe	Dookgcij.exe
File opened for modification	C:\Windows\SysWOW64\Ejmebq32.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Emkaol32.exe	Ejmebq32.exe
File opened for modification	C:\Windows\SysWOW64\Effcma32.exe	Eplkpgnh.exe
File opened for modification	C:\Windows\SysWOW64\Fjaonpnn.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Edekcace.dll	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
File opened for modification	C:\Windows\SysWOW64\Endhhp32.exe	Ejhlgaeh.exe
File opened for modification	C:\Windows\SysWOW64\Edpmjj32.exe	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Illjbiak.dll	Edpmjj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2116	1996	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhnhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgjdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqbaecc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehgppi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejhlgaeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Endhhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egafleqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dookgcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebmgcohn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ednpej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnndlod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqdajkkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edpmjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejmebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emkaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eplkpgnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjaonpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlnbeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejkima32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgnokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Effcma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidoim32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll"	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll"	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Endhhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oakomajq.dll"	Dbhnhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll"	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjale32.dll"	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll"	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll"	Endhhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll"	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Endhhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgjdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll"	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll"	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll"	Eqdajkkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffmipmp.dll"	Ejkima32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll"	Emkaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll"	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll"	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejkima32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clialdph.dll"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll"	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll"	Dlnbeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2732	3032	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe	30
PID 3032 wrote to memory of 2732	3032	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe	30
PID 3032 wrote to memory of 2732	3032	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe	30
PID 3032 wrote to memory of 2732	3032	b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe	30
PID 2732 wrote to memory of 2780	2732	Dbhnhp32.exe	31
PID 2732 wrote to memory of 2780	2732	Dbhnhp32.exe	31
PID 2732 wrote to memory of 2780	2732	Dbhnhp32.exe	31
PID 2732 wrote to memory of 2780	2732	Dbhnhp32.exe	31
PID 2780 wrote to memory of 2852	2780	Ddgjdk32.exe	32
PID 2780 wrote to memory of 2852	2780	Ddgjdk32.exe	32
PID 2780 wrote to memory of 2852	2780	Ddgjdk32.exe	32
PID 2780 wrote to memory of 2852	2780	Ddgjdk32.exe	32
PID 2852 wrote to memory of 2520	2852	Dlnbeh32.exe	33
PID 2852 wrote to memory of 2520	2852	Dlnbeh32.exe	33
PID 2852 wrote to memory of 2520	2852	Dlnbeh32.exe	33
PID 2852 wrote to memory of 2520	2852	Dlnbeh32.exe	33
PID 2520 wrote to memory of 2944	2520	Dkqbaecc.exe	34
PID 2520 wrote to memory of 2944	2520	Dkqbaecc.exe	34
PID 2520 wrote to memory of 2944	2520	Dkqbaecc.exe	34
PID 2520 wrote to memory of 2944	2520	Dkqbaecc.exe	34
PID 2944 wrote to memory of 692	2944	Dookgcij.exe	35
PID 2944 wrote to memory of 692	2944	Dookgcij.exe	35
PID 2944 wrote to memory of 692	2944	Dookgcij.exe	35
PID 2944 wrote to memory of 692	2944	Dookgcij.exe	35
PID 692 wrote to memory of 1488	692	Ebmgcohn.exe	36
PID 692 wrote to memory of 1488	692	Ebmgcohn.exe	36
PID 692 wrote to memory of 1488	692	Ebmgcohn.exe	36
PID 692 wrote to memory of 1488	692	Ebmgcohn.exe	36
PID 1488 wrote to memory of 2828	1488	Ehgppi32.exe	37
PID 1488 wrote to memory of 2828	1488	Ehgppi32.exe	37
PID 1488 wrote to memory of 2828	1488	Ehgppi32.exe	37
PID 1488 wrote to memory of 2828	1488	Ehgppi32.exe	37
PID 2828 wrote to memory of 2004	2828	Ejhlgaeh.exe	38
PID 2828 wrote to memory of 2004	2828	Ejhlgaeh.exe	38
PID 2828 wrote to memory of 2004	2828	Ejhlgaeh.exe	38
PID 2828 wrote to memory of 2004	2828	Ejhlgaeh.exe	38
PID 2004 wrote to memory of 1700	2004	Endhhp32.exe	39
PID 2004 wrote to memory of 1700	2004	Endhhp32.exe	39
PID 2004 wrote to memory of 1700	2004	Endhhp32.exe	39
PID 2004 wrote to memory of 1700	2004	Endhhp32.exe	39
PID 1700 wrote to memory of 1140	1700	Ednpej32.exe	40
PID 1700 wrote to memory of 1140	1700	Ednpej32.exe	40
PID 1700 wrote to memory of 1140	1700	Ednpej32.exe	40
PID 1700 wrote to memory of 1140	1700	Ednpej32.exe	40
PID 1140 wrote to memory of 1916	1140	Ejkima32.exe	41
PID 1140 wrote to memory of 1916	1140	Ejkima32.exe	41
PID 1140 wrote to memory of 1916	1140	Ejkima32.exe	41
PID 1140 wrote to memory of 1916	1140	Ejkima32.exe	41
PID 1916 wrote to memory of 2176	1916	Eqdajkkb.exe	42
PID 1916 wrote to memory of 2176	1916	Eqdajkkb.exe	42
PID 1916 wrote to memory of 2176	1916	Eqdajkkb.exe	42
PID 1916 wrote to memory of 2176	1916	Eqdajkkb.exe	42
PID 2176 wrote to memory of 2508	2176	Edpmjj32.exe	43
PID 2176 wrote to memory of 2508	2176	Edpmjj32.exe	43
PID 2176 wrote to memory of 2508	2176	Edpmjj32.exe	43
PID 2176 wrote to memory of 2508	2176	Edpmjj32.exe	43
PID 2508 wrote to memory of 3064	2508	Ejmebq32.exe	44
PID 2508 wrote to memory of 3064	2508	Ejmebq32.exe	44
PID 2508 wrote to memory of 3064	2508	Ejmebq32.exe	44
PID 2508 wrote to memory of 3064	2508	Ejmebq32.exe	44
PID 3064 wrote to memory of 2180	3064	Emkaol32.exe	45
PID 3064 wrote to memory of 2180	3064	Emkaol32.exe	45
PID 3064 wrote to memory of 2180	3064	Emkaol32.exe	45
PID 3064 wrote to memory of 2180	3064	Emkaol32.exe	45

C:\Users\Admin\AppData\Local\Temp\b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe
"C:\Users\Admin\AppData\Local\Temp\b71429f4422c3039bdf597d44ee9b2e3633c1b932f95510f79aebe5a0c3be971N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\Dbhnhp32.exe
  C:\Windows\system32\Dbhnhp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\Ddgjdk32.exe
    C:\Windows\system32\Ddgjdk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\Dlnbeh32.exe
      C:\Windows\system32\Dlnbeh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\Dkqbaecc.exe
        
        C:\Windows\system32\Dkqbaecc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\SysWOW64\Dookgcij.exe
        
        C:\Windows\system32\Dookgcij.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Ebmgcohn.exe
        
        C:\Windows\system32\Ebmgcohn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Ehgppi32.exe
        
        C:\Windows\system32\Ehgppi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Ejhlgaeh.exe
        
        C:\Windows\system32\Ejhlgaeh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Endhhp32.exe
        
        C:\Windows\system32\Endhhp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Ednpej32.exe
        
        C:\Windows\system32\Ednpej32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Eqdajkkb.exe
        
        C:\Windows\system32\Eqdajkkb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Edpmjj32.exe
        
        C:\Windows\system32\Edpmjj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Ejmebq32.exe
        
        C:\Windows\system32\Ejmebq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Emkaol32.exe
        
        C:\Windows\system32\Emkaol32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Egafleqm.exe
        
        C:\Windows\system32\Egafleqm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Eplkpgnh.exe
        
        C:\Windows\system32\Eplkpgnh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Effcma32.exe
        
        C:\Windows\system32\Effcma32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Fjaonpnn.exe
        
        C:\Windows\system32\Fjaonpnn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddgjdk32.exe

Filesize
96KB

MD5
79b73bbfa63a90cb21685ca0f801cee9

SHA1
428467cf2fd9f89e35854caff2cce4a9cf63e989

SHA256
2651f4e1b02c4047bb8c1d1e5a521ba8499a1be9d7bc571ef3f1c0172556bb06

SHA512
0c1b82600c32f10fbfc451090c4ec62008faad8241bf526b40063604b8019830d3e57fcdc2a14606af77315325a95f2077a08e67ee41ea1fdbc78ac915b2c76d

Download Submit
C:\Windows\SysWOW64\Dkqbaecc.exe

Filesize
96KB

MD5
27000340c197bede4ae570a81f73db13

SHA1
5d5d7439c279066300eedf53dbe06a2c5626d712

SHA256
77cdc1194f6998c981716ab0e58a6b8cb5c10adbfeaf19391fa84fe6a3cdd337

SHA512
9d676c72ed21e4cf31e84509aa5c8309ecbbb48022615685764b0471a8e9e0de6fb9ec8632acb9bb7dbb00227f5ee00af1542f6858a98b4ed91dcfa3a33b8c6d

Download Submit
C:\Windows\SysWOW64\Dlnbeh32.exe

Filesize
96KB

MD5
245f3f7d6cd21ac5bb2e70d161a7785c

SHA1
739ae156f8044aeb627104b72d1480ef0f30947f

SHA256
823f2838f7191004a188ca06c23361b149c5a4627eaea21ee5c5cf8d7ce6dc7d

SHA512
7724ed3f123a46553882150ab550ea3ada361612b24a8b9da471663bfb165337e33336ce39c8ff31d56e49fc99a906092fe44733a6146c37b6d57fc1e2298ec9

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
96KB

MD5
162161adda275448bbd07b19257f1862

SHA1
58f38b1614f1326c3bd732ab6ffd300d34b722fa

SHA256
b5a0a866b66aae56484ee36e3fff2683aefc5946867d46fc81007a9d978e5b2c

SHA512
9b414e86dbd0e4a1d38d9b9ef38f7dd1e6c174413c451c264ed1da59ce81dcdd1ddd91f0d4327811824fa5b2696609b96b4b4ac16f3caedb0069f4344f6b9bbb

Download Submit
C:\Windows\SysWOW64\Egafleqm.exe

Filesize
96KB

MD5
f496e3c1a6af5c8935ad2d2c494bbc00

SHA1
e80cb56a19f9257bad45d472bc512a2ad203854e

SHA256
62cf2fc5d5f9b1e8887bcbd488c96b80b9e12d6deaafecfce2a5711d4c92c6a2

SHA512
4d6f206e0beb031c268e08063042c6b33bf17e9b4625808fb33026e82fc3c2171030377c780ad3259af9017e26dcfd36126c684ad042e2a3a9d1c38ea282c98a

Download Submit
C:\Windows\SysWOW64\Ehgppi32.exe

Filesize
96KB

MD5
e854473c679f4551a2415cda6762db6d

SHA1
9109d0c7e5a6d384bdeb09d8a7549d91f8e76051

SHA256
b815e075dc757fc09f332ef6f7ddb623f0dd138b73fe7c1a4bb8aef81ca78150

SHA512
aeb0ef522a27e4e657001bfa3b48fea1d6e3322ea59318df3d291a4acebc694f94c2867be3d0bcc68a1bd3c80b84e1c86c1aa9e36724017ea1fef8a2e45f434a

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
96KB

MD5
ec6952021610ee1ed552f51ac8a1fd1e

SHA1
775532752619992a45d89f3cf1fa42c05209ac73

SHA256
988a4f6780017518cb73b460c1a6681bd199f8375e112b840a81920783b33c47

SHA512
d9aaf7a0c9ced13ba6231dde06704087f015decaafda47fd327cb2c8d3d7566d31e292ad37034723be1c8bc276d573d92a2735116c84562e2a7778ea6e66f1a0

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
96KB

MD5
bf559c81465aa06b02f77e93d1ed8ad7

SHA1
40656cd677c8ee4389aac1040a0876b1dc28dfa7

SHA256
4b0f7a83c559b72d8cbc91e0b92a0dfdb7071f382125f914192ce0560af362a3

SHA512
0f9b5bab4eaceaaf90050924b0f6bd8a1348eede3710be7429fbf98acbe5255b3a2432a0ed4da0cfc4db44d114327c543deb844782e9b29e8e06a8c8a9b54178

Download Submit
C:\Windows\SysWOW64\Endhhp32.exe

Filesize
96KB

MD5
d002a99ca15e0baf42a81a9a6a794b52

SHA1
a580fefa1ab6703120161f84c2bc8447fcbfea58

SHA256
c552d82aa3f4a3e8b1f11b2a06f31d3f73ca7929e296fd428db31d9a7ce23341

SHA512
38af000e709a3cc3b24ae05a52823d0b06c965c74cee0a974bb9421b88cf71ca4a2c1cef49c8cc4c1388d0ab798cbd2fcc68120abbd5a65f995c8d87c1e9f0e2

Download Submit
C:\Windows\SysWOW64\Eplkpgnh.exe

Filesize
96KB

MD5
90e837ba0ef548d5f567b2960899dbd8

SHA1
b2a6768f05614518335174f2a1f515603921ee63

SHA256
95b803f00d1529fbb543fcd541917d14f770eadf7be92611238762a2dc54771c

SHA512
d229bb5619d7d153fbce060d3003c432e08b63b51d250cc888ab7bf6bb48111af0abfb133d7b784bca9eeedb71e4693b5a4196cb996b180d370518a47fbf1a28

Download Submit
C:\Windows\SysWOW64\Fidoim32.exe

Filesize
96KB

MD5
d7bef9150e4873c01097176a7894481d

SHA1
27affd837397d449fda66506907b14347a567a5d

SHA256
b20c6f10b0e2d8a60b964e31f753110e41e7e05f6d27e1fd5fe0298e7e7cdf6e

SHA512
721fa363d9ca356790f675161d2ec7fddfe6659fa1653c25a5e532ba296f8f53686c2d48629d329bd9d6ceecd2fad8aabe9873fc3977cfdd91b8ca7c3c77e709

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
96KB

MD5
9f7409b155b63e8ed9d893463fcfb528

SHA1
95f65ba9146278355dcf8f421c308bceab1e46fc

SHA256
2bf833ea2ffbf840308e83b02f5c61cf3e7ff79a48b6b050682ab212a06b2179

SHA512
93ee5a1aeb6c9cc41293812a1821d36a49ba68ffef0b78ddc36dbfa258cba6c23285bec9cf52a09d024e75df7b9ed4b66e8c0f7866ca53cc4423ce3fe873d60d

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
96KB

MD5
3c81b527012e6730e575a11a350a9c43

SHA1
1b8aafb3b8639d3cd8bb3d748e97f4ebe4cd91f7

SHA256
b89be3fae8c8e9022328d50fa14e7751e476eca6b93215e7308ee00dc19c2097

SHA512
bdf87fd6425c38bb4af7f976310a772ed908c5ddf1dae4c50a91b5d83982b3247ae7f4688b89bfd9b9f8e21209cb85670b8ba29904b087756076f6be05a70a59

Download Submit
\Windows\SysWOW64\Dbhnhp32.exe

Filesize
96KB

MD5
b6cb0c1f1935c49743f40aa4229be7ae

SHA1
9d2680a621921ee0b5c4a176d0615cc42fdacac7

SHA256
1f6d56c4047f73582097f626922c443e472713dcaee8dde5c95fd33d2ce2935f

SHA512
3e503042b472ed6884ef91208f94181383d50100b33cb02745d2eea02fc826c5350c958a377aea1f6b849a88bdad6136af6258e524f5b44ff79156bdb168e203

Download Submit
\Windows\SysWOW64\Dookgcij.exe

Filesize
96KB

MD5
2102a49ec24d7d313fed3231201c5405

SHA1
03c48fff3a22395bc1dc084a55323b71873947d8

SHA256
0accf7089848631257d534f709494a338b32563246c37a4d3d3698029378f777

SHA512
b7f9ffc3b9e030f0d473a17ca0e10d5073dda5601ec245844aaa1de9cf12ea43f0e63ef2a0780f8907cf878b5e5ba116cb02d2f9e6ba877ed68e8798b353a128

Download Submit
\Windows\SysWOW64\Ebmgcohn.exe

Filesize
96KB

MD5
0791dd21ea8a5c793fbd49368be69e00

SHA1
d6583648d7f9c83db087cdef4925fed2ea5b0e43

SHA256
0e02fb47d3f7694f815dc6f2a03808796092cf6064385d597ffc4334b9434826

SHA512
ca38020b6d09bfe0d6e70150558fb66f6608fad4218a21b9d2d662f20b94386370655096e2c58aae8be0ad8543a33f07e02fb1cbf6bff3c37c7ee2d116198ac0

Download Submit
\Windows\SysWOW64\Ednpej32.exe

Filesize
96KB

MD5
8d649754b23644cb222e92c11bd8ba7a

SHA1
0c0bb886fd67922286e3636df03752ba794f5273

SHA256
db36cf4e959d720a83a14896d5235283cf83b636d4bab99c6b617a01b55ab4e0

SHA512
18b38bd7839fccfe9af2a1b0f463591df9b47f4c6436b686c0125794ef372586aacb3240237f43d6849730b87b05e77bac4a4ba5bf74c753943ddfdc5b0870ab

Download Submit
\Windows\SysWOW64\Edpmjj32.exe

Filesize
96KB

MD5
d4ebb3a03591a22137dc52063c0dea38

SHA1
43d6e60c4b277139386e5528ad8ee8af7fec04f9

SHA256
b66203132a308f34fb9f6abea0ee1ac34f3a0c59860e92ac335eef5a31f71c8d

SHA512
ac6aef8b6cbbfcca4e1b01a6605ce6ef5f195e1e4e80969f21378c8ea5231cc5af7a7b67e1684f641997e3fd4af16f30372baae774a3f6ece5bd08d8ef0d7518

Download Submit
\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
96KB

MD5
fd65ff14f38c41a9bc22204f912d9d5e

SHA1
4abf9c8ad7ea3e6d8aa9759a9d77f8bfc250dea2

SHA256
a734d91bbb4f4123799590ddc4263bdc1c525e5d5ae7f7cae2320748a06a4b5e

SHA512
2ede8fd9e542e0f8d54e4d1e0517d1abb10ca9a99585241441834a42ac8e744949e0dce241dc1bbe6efcb7a1966a5ae400c92fa5b1de10b5c7fc9db3479108d5

Download Submit
\Windows\SysWOW64\Ejkima32.exe

Filesize
96KB

MD5
d055d3ece35f262a38c1999f26941319

SHA1
c9f847e1ed485cb42df2f5176276932c334edcc7

SHA256
4d0fbecc2b45f6f8572c366abe797d29fec53351a0cbcb0ccb9a9b1c28acc765

SHA512
7c33d659e916464fbd0f6046219a5add578d21f47ea4be0a2da910f796fa08cdf4d01d1b9319df9584926500c790d59c1d2c28d5294ef53e0bddb242dc8e9bce

Download Submit
\Windows\SysWOW64\Ejmebq32.exe

Filesize
96KB

MD5
ce4a8ec506cf2a4a6c6d9c9bb467d803

SHA1
9138f2ed94a3bab46bd4a79063f64199c72cc65a

SHA256
31709f7a4c6f28c456d91514c7abc8fd2a9e8d8d158ab1ae5fed8c7f011eaa17

SHA512
0eb3f5c353e8996243d881417ece7cfb684a49357d59f77f6f9df76d24eaa6f133e9340ac0334ea6d48d66b5449eacf0997a9a5095007455dda485b34754fa2c

Download Submit
\Windows\SysWOW64\Eqdajkkb.exe

Filesize
96KB

MD5
119f74d01d506816ed70e9e8a74fcf6b

SHA1
50639bfd71a585baa9e9735b11e5f0afcb846dbc

SHA256
70316583bb08962622099f5712b3937339a6cf2d9ac35f59fd66812234b7b36d

SHA512
83cfe520f53e58d8c114176da998c1e2d1892cf5952e3853eb444cb24b291d9e8270eb1dc405c36d0fb1334fdfb03eeb1fcd1934491bad046e83ed45c1f48722

Download Submit
\Windows\SysWOW64\Eqgnokip.exe

Filesize
96KB

MD5
2038f408fddddddbac0e443449ce6d69

SHA1
587a95e062e6cbd4fbccc1f8980219a4b7b0342b

SHA256
85fa994139aae1031d3f20de6cddd661eefe953f4cecc4956b35af785ee0aebf

SHA512
7cca5baef00e3574f883cfadb72442f45c76aa92f5e192da341281e575bad638f2894cfe527b7920d183fb5cabbb2ad1f53e4667e12e5bd6c9aef49eeb78ff5f

Download Submit
memory/692-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-228-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1484-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-107-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1700-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-277-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1916-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-128-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2004-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-45-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2828-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-76-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2944-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-17-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3032-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-18-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3032-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads