berbew | e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a

Analysis

max time kernel
94s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
Size

55KB
MD5

77479a0856e76390974abc5ffd0edfdc
SHA1

f8e741e44233613438f4acdad41404127e7b26c1
SHA256

e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a
SHA512

d0b82a5eaf30c12b3539b900e55bee9612525f4cd0fce106199cf4b9b24cbd4c70d61daef6162d35ac05d7f8202d95a4308abc7359c89c4db9d29eb1f407fef0
SSDEEP

1536:k6OJ+28zqHwyzzakPMLRABNSoNSd0A3shxD6:4J/8zUwyzzakPMtABNXNW0A8hh

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 26 IoCs

pid	Process
3692	Cfdhkhjj.exe
3956	Cnkplejl.exe
4512	Cajlhqjp.exe
4476	Cdhhdlid.exe
2260	Chcddk32.exe
4972	Cnnlaehj.exe
2348	Calhnpgn.exe
2588	Ddjejl32.exe
4248	Djdmffnn.exe
5048	Dmcibama.exe
1564	Dejacond.exe
4628	Dhhnpjmh.exe
3984	Djgjlelk.exe
4712	Dmefhako.exe
208	Delnin32.exe
4840	Dhkjej32.exe
3176	Dkifae32.exe
4080	Dmgbnq32.exe
1628	Deokon32.exe
4908	Dhmgki32.exe
2536	Dogogcpo.exe
4936	Daekdooc.exe
3644	Deagdn32.exe
2416	Dhocqigp.exe
3816	Dknpmdfc.exe
1408	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3940	1408	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 3692	1756	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe	85
PID 1756 wrote to memory of 3692	1756	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe	85
PID 1756 wrote to memory of 3692	1756	e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe	85
PID 3692 wrote to memory of 3956	3692	Cfdhkhjj.exe	86
PID 3692 wrote to memory of 3956	3692	Cfdhkhjj.exe	86
PID 3692 wrote to memory of 3956	3692	Cfdhkhjj.exe	86
PID 3956 wrote to memory of 4512	3956	Cnkplejl.exe	87
PID 3956 wrote to memory of 4512	3956	Cnkplejl.exe	87
PID 3956 wrote to memory of 4512	3956	Cnkplejl.exe	87
PID 4512 wrote to memory of 4476	4512	Cajlhqjp.exe	88
PID 4512 wrote to memory of 4476	4512	Cajlhqjp.exe	88
PID 4512 wrote to memory of 4476	4512	Cajlhqjp.exe	88
PID 4476 wrote to memory of 2260	4476	Cdhhdlid.exe	89
PID 4476 wrote to memory of 2260	4476	Cdhhdlid.exe	89
PID 4476 wrote to memory of 2260	4476	Cdhhdlid.exe	89
PID 2260 wrote to memory of 4972	2260	Chcddk32.exe	90
PID 2260 wrote to memory of 4972	2260	Chcddk32.exe	90
PID 2260 wrote to memory of 4972	2260	Chcddk32.exe	90
PID 4972 wrote to memory of 2348	4972	Cnnlaehj.exe	91
PID 4972 wrote to memory of 2348	4972	Cnnlaehj.exe	91
PID 4972 wrote to memory of 2348	4972	Cnnlaehj.exe	91
PID 2348 wrote to memory of 2588	2348	Calhnpgn.exe	92
PID 2348 wrote to memory of 2588	2348	Calhnpgn.exe	92
PID 2348 wrote to memory of 2588	2348	Calhnpgn.exe	92
PID 2588 wrote to memory of 4248	2588	Ddjejl32.exe	94
PID 2588 wrote to memory of 4248	2588	Ddjejl32.exe	94
PID 2588 wrote to memory of 4248	2588	Ddjejl32.exe	94
PID 4248 wrote to memory of 5048	4248	Djdmffnn.exe	95
PID 4248 wrote to memory of 5048	4248	Djdmffnn.exe	95
PID 4248 wrote to memory of 5048	4248	Djdmffnn.exe	95
PID 5048 wrote to memory of 1564	5048	Dmcibama.exe	96
PID 5048 wrote to memory of 1564	5048	Dmcibama.exe	96
PID 5048 wrote to memory of 1564	5048	Dmcibama.exe	96
PID 1564 wrote to memory of 4628	1564	Dejacond.exe	97
PID 1564 wrote to memory of 4628	1564	Dejacond.exe	97
PID 1564 wrote to memory of 4628	1564	Dejacond.exe	97
PID 4628 wrote to memory of 3984	4628	Dhhnpjmh.exe	98
PID 4628 wrote to memory of 3984	4628	Dhhnpjmh.exe	98
PID 4628 wrote to memory of 3984	4628	Dhhnpjmh.exe	98
PID 3984 wrote to memory of 4712	3984	Djgjlelk.exe	99
PID 3984 wrote to memory of 4712	3984	Djgjlelk.exe	99
PID 3984 wrote to memory of 4712	3984	Djgjlelk.exe	99
PID 4712 wrote to memory of 208	4712	Dmefhako.exe	100
PID 4712 wrote to memory of 208	4712	Dmefhako.exe	100
PID 4712 wrote to memory of 208	4712	Dmefhako.exe	100
PID 208 wrote to memory of 4840	208	Delnin32.exe	101
PID 208 wrote to memory of 4840	208	Delnin32.exe	101
PID 208 wrote to memory of 4840	208	Delnin32.exe	101
PID 4840 wrote to memory of 3176	4840	Dhkjej32.exe	102
PID 4840 wrote to memory of 3176	4840	Dhkjej32.exe	102
PID 4840 wrote to memory of 3176	4840	Dhkjej32.exe	102
PID 3176 wrote to memory of 4080	3176	Dkifae32.exe	103
PID 3176 wrote to memory of 4080	3176	Dkifae32.exe	103
PID 3176 wrote to memory of 4080	3176	Dkifae32.exe	103
PID 4080 wrote to memory of 1628	4080	Dmgbnq32.exe	105
PID 4080 wrote to memory of 1628	4080	Dmgbnq32.exe	105
PID 4080 wrote to memory of 1628	4080	Dmgbnq32.exe	105
PID 1628 wrote to memory of 4908	1628	Deokon32.exe	106
PID 1628 wrote to memory of 4908	1628	Deokon32.exe	106
PID 1628 wrote to memory of 4908	1628	Deokon32.exe	106
PID 4908 wrote to memory of 2536	4908	Dhmgki32.exe	107
PID 4908 wrote to memory of 2536	4908	Dhmgki32.exe	107
PID 4908 wrote to memory of 2536	4908	Dhmgki32.exe	107
PID 2536 wrote to memory of 4936	2536	Dogogcpo.exe	108

C:\Users\Admin\AppData\Local\Temp\e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe
"C:\Users\Admin\AppData\Local\Temp\e4207ffb9a0aedc0a52dfa813be9aa972bcb67161479ffc1cf2551f79193b96a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\Cfdhkhjj.exe
  C:\Windows\system32\Cfdhkhjj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\Cnkplejl.exe
    C:\Windows\system32\Cnkplejl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\SysWOW64\Cajlhqjp.exe
      C:\Windows\system32\Cajlhqjp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 396
        28⤵
        Program crash
        
        PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1408 -ip 1408
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
55KB

MD5
fe113ffe056fb169a3d9f82bb0a5b63e

SHA1
a8c2eb5956b31301e433efe895ac57fee0cd7634

SHA256
8e1fa733318ed38eb6a62c818fe1c5fdf69e1c70271e50c81f3fb4da6c997478

SHA512
994055ea81efc864aa9b83f62410301686a4d38e2db4529d3167f8bf108a114dfc6549c53f12cae63a5ceb06ce49f8652af309954c90e4dc6cfb7eafc5dad417

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
55KB

MD5
24023ced1fafe97ff46d4a530996ee47

SHA1
384caa4a8b9c9be25aec31bd345f64b345bd7ca0

SHA256
3da7629109a7f629ff5263fd0717bbbde6fc6e4232ca717380febd4430d6a8ff

SHA512
88251135cf0ac268d8c9d1538ef876e472e7318fc9109675c53b0fdfe4ba638f6328d517d8d4cac77217141f14ca7eb69e46e4374f57311fcf7c9f266e5b5f3c

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
55KB

MD5
fa02547687a2485328b04b9b1cd06c30

SHA1
4e01753c2efa8100df8f1577d8979eb848420eab

SHA256
211f09b0879e420fabdc973de6e1539a5e1617fdd0f78071edf95f5787ed8813

SHA512
b8dff68e0b331adb98bf616cea492aaf5dddd8977d05684577cfd93ad21749f0d79ceb8b30a7dd941175bc97aa1b0c30e56c4bfbaf01fb34b705a9db8d6be76a

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
55KB

MD5
439e2934a7e02a33f34912f7d51ee2ce

SHA1
c494b50d20d9093ab9cbe996452d317c0d28b994

SHA256
e091c7ba342d189b0e403d21a7d9ac12caa07c02a1fe64d3cad9902f5ee8d574

SHA512
35c2490c1289060076a7d47782f22430b43b532a1c136db1660cb88eff1801283211d2ddeb1cd2e3a994e8e5dea43f901723289894e451d268ee0b4d7574818c

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
55KB

MD5
74fbf398a137d04007b759e4cf8237c2

SHA1
352d9259e9c712291c926cd902881cabff9d21d9

SHA256
9779db92257136970e58044858b1f3a50e738e85d38e3375e16addf5a47ea738

SHA512
58eadcae76b2f4eb6737d44ad67d627015cd6b01c1bcbbba48b5f8439a158a0d7ac6a7a853e8fe9520032e4e07c8c23855edd143ab7374e3670d1fe83f6b1b2f

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
55KB

MD5
2039c14b28f80e44d2fc422e8ac1ee75

SHA1
dd400ca1ab90b93294f4f0f6a9eb757e96f86894

SHA256
c0b784b720fdc525a36d17904fcfcdbfa33d17d481da19ee18cc077acd718755

SHA512
78129bd5fd8c03ab0ce0041ea3943f28c260f72086237b223ec4693f0cc7d9bec2983d16feb89cd3bad7f75b84543352897c71510e7c2a0fba307b4d8f03df49

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
55KB

MD5
ddc6687a854ceb2c5b82a32996b665ad

SHA1
8d235102c236b4baa49b98a85d9d81ba1d760562

SHA256
cb04ac4da9bd977d790651d4f8abe59785cc2998df9ccf0eb98effaa5fc2a3fa

SHA512
3a2941511e64a451015a9b9367e4c18297488500e471466b87e86b31b6b5299ce77638fd76f6f45f1da05069349e31c3162ac829d2b5fc5c8a6ece25d5d5868a

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
55KB

MD5
cb8808f37dca032c4dd81b3d60a6c825

SHA1
4923fd34d1fff0cab9d236a31975f15560fedd14

SHA256
7cf596a2e52e4e221046533eea368f27964e67f5a9033352b78640270eaaad54

SHA512
b30e7c0493debde7f2602731beca0d0df631526bd9a869e79e0d94cefb1ce4e2dabc4190cc1fef3f257d35012296e3c761d9784bc1d1f993032661386bf8d192

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
55KB

MD5
1868c5026fd6cefbffb0f9387de30787

SHA1
54ed28dfe61791676b1b02e43cf807ca7a0a08cd

SHA256
5704de632d9a8d82957342fff36a5ad1082696a603b1b3c88813d8e98a5747a8

SHA512
af8fa1b9a123cd0dc3ba311f11c7c6998ec87569e8e1ce9e19575fcc79b45661c7f5f8a6193d14728bb36ca24927c2aeb6f7a141432491af85678eeaeda24921

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
55KB

MD5
9593c6380b8cf458fe88af08614f86e8

SHA1
5738c0e1b14b9939674a2ef640fbe879ef965004

SHA256
dd32b9cd617ba2059603fc4c6a47809ad21a5bf542cd97d651a9fd8509f31f8b

SHA512
1d0252587e97a4ae754aa83978baa8f1e2306b77150b86efb320edea46b6604d0b94f856b9235bf00a3ddc9bf19b9fe31d587f4980c415f707eeef9d312109c5

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
55KB

MD5
184e8dd97d90d26ba27bf554a7c9492b

SHA1
2e5592383c3e8efd831a8fd83d2323dcd25f1b87

SHA256
07e0eaea3fed36c3df8564320c32b7504b7bd1bd84147965e7134756a64a8bd5

SHA512
6e16e6e18929f8e07808d41f212fdb4f00a50092aa1bc0eda0a57da1fa8ead509ea85a0977e0c760f36505d19efb85178394db6fdb988dbaca24f53e2c87aaf7

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
55KB

MD5
6a99e03b2a4e54db15c6c7b8fcb7ede8

SHA1
70822df38a1f7a02e9b9347176532afa4ccf7a6d

SHA256
7c8995e18c7a4b703f4132de6437b4b626ee2eae3eca29a14bdbda2a541dfc66

SHA512
9598574a98d72c90429660250273a5aa096b45bba1f7fcd098a066dbdb7d24289865393c5c00ca5065227594ea245d9761dad64bf45af950b2e611f1b882341e

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
55KB

MD5
c4ea8e89bb0cff14809148b61c274f5f

SHA1
4405868a2f34a8574781331e9c0b3d7a47a75d47

SHA256
370a829aaabbdf49bb68d3c6dcacc8bdea65241f905b2899f2e09d857b70991a

SHA512
266eac85934942e29f29177970f11884d3244ce9176747d80576adae3eecefdfa83c8a953225cf1a1872133369d5285bc2231ce2a86a1aca7ac7783ba18cbff2

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
55KB

MD5
a9f026ea7dae296282c9353936f5e248

SHA1
0efc26ebaf22b28607ec6bba2d831fd6af769030

SHA256
12b6a5dbe02f1e5a1ba8690b1473d5f6455a6712a029b7a40beeb2cde8392d6c

SHA512
f1410ce585f11a2414d7879d7e73da89ddf3ca343b73614b230552b9ae534f98f77852c9a7da58d3bba11eb1778f40667847fd33308f8d161705d3ff01424396

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
55KB

MD5
7c1957b0dc6ebe79ceaa1492cf2b3319

SHA1
0ffecafab4e46861a27c39eb87fd6ae0583b82aa

SHA256
cf654be7683b2189cdf9908bacef2ae801be6052e4b613814f7941c4aa81969e

SHA512
904c4bd0e5aa162a9d7ba28b8991d17d7abeb1e30f09bdfe9b480b557b141c6cf1e6c8c1a289afc1e3cb98358c81d1caa821cc180a56f6f7e8bb2e0019953682

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
55KB

MD5
9b2e4057faa53ed04634542aefae583f

SHA1
9cf424d8674385d7ddc227be51855f0c6141c61b

SHA256
0d1f7f794f6edb3cf6e3c2c153eb48a067bbf57ef46f410da1e4b8e0457e5ffa

SHA512
bd61d3f6749cd668fb2456313145e59bc078fdd2f34740b3f94238d0b34aeac308b919fba5a2304700c7d1ad540bafc2013ad90cfa1f5e10d77ec40bec369b75

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
55KB

MD5
543498a8051a7a71b40240d0a0f3a77b

SHA1
3898910fb0b3d07600c739cc2e01d5224b2b6c20

SHA256
4dc258e814f152ebecc30b9ead4ca28deefe0f0d2be492e47e2cc9083c0a3557

SHA512
46339f22cf4c3465603d9f05778d6be4eebf8ec0a11cc0a2c516375a5034275a2a9e192b77ad6a729cde02f7d6c474d3bd0452408d2c62a796f78cbfe2cacc22

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
55KB

MD5
04b168e7cae47921d343d835eea88c1e

SHA1
915da80ef190db1128f1a57d2779c3835e87d9f8

SHA256
9b16aec655fcdbcd65911aaa0049e17b895dd36afed33e46dda5bf13a4b5c2d5

SHA512
f0a8c3616531508d3c62027f024f44c4a1a8e4738e60f3f0b94a4a5f644ff325b9c4c6ed271c7b0ab1f86d75e97aa8fbec57adff04f3ccaa14439b7b8ca8211a

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
55KB

MD5
2b9a45aa41e6168126de3cb261902a53

SHA1
b0f551dd54e93601b3c1f0bda4fd57861cedbae1

SHA256
d3b5c7a833087abbf913ff549ce2a6fefc6c58f4ccdc3ec07514b52dd56b92b8

SHA512
2c6810ccdd2234df99d9319a7020ee223baabb77b8c625d0044823e3d59e603dbfb8c3de29528fcc45bac20055efb9c11a5f02dcd743f7296dd47443eb130139

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
55KB

MD5
d6c2dd393a08dc4cb3ca964555717575

SHA1
c84b57dd96445f148911513459a6eca773dc9492

SHA256
46e36e5d2060ce1a7bad81bf3e4145b96485fb12f1522ce1919a72abca2d57a5

SHA512
dce45d741a009debac3fc9934a54bf3f595b74770ef9f10fb63e48b3c1cba8dcab5932891a27420ca86a5ad1f25a94d8c65fa188a7211ec7b33da1de0c5223bd

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
55KB

MD5
febfaf98059f1a93e53bf4d1023917ef

SHA1
b21f8f25035cd0d03f52eed08a734b7976deae55

SHA256
4b02163ca88b95a35344c2f4801b280d2113daee224eab244293eace1c949f98

SHA512
15538ef7150b50199ceafa013b5ad180182a41a050880f5a27b3655f11a99f1339709f0708e932666a57f96918365044e9249c6d8afc3e0cd67c8087396611cc

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
55KB

MD5
c409f6e7f6a60d5292ca7b498ff5890e

SHA1
2eb7f4e45806fc82dcaf6719eb6b3ccb142be4e9

SHA256
03c1ddb67ca8d838f74d4a5c48b32f19804a5c2c7b8567052e3c78b910d756fe

SHA512
44e6cbc3c470699877e92bfaff2c3e01f5233d413bde2be69209095ce40f2dab181fbd489b4eba9f1cc4e5e219ca8d8fabf6897486d485e570e94b84d9104a93

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
55KB

MD5
83afcca2f7ee470bec93a8e4926fc238

SHA1
d9d7c76f7b93caadfba9d3c20311fb61a8440b79

SHA256
866f6a2c1e4d9726ef606f6ae0a76b1b6e16b46acb87f1eeb00ceb3d3319b59b

SHA512
896442b155a087e77b682ac842311783ec25320709f09c819a5a2b37c5d29237946e804641c6382a8e044e84c6f2ec99f0c7e8dcc29398f21fa51659c80a14f1

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
55KB

MD5
416466dafd654e16ef2b3686efd07867

SHA1
cbf2fa20a0a99f6f6d0496d1d4db73b03daedd25

SHA256
399d8bf6ab1556383b96f92828cf1ceb136a04f7e4b43c70626714507e8f7421

SHA512
3ef067454983aef42721361678300850c14a3f8dcfca8100e97243dccdd6ffea755a8c83b8ed5742022ea8f157e439795efdeab09d4a4b23f85f268895b07a55

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
55KB

MD5
6e0ad27196de417ad7d29177abe5db84

SHA1
cc2d36de062d2185387c5cb50f49f06cb870f40b

SHA256
4d87bb58ef73ddfec09f6ab496acff88fe8f73970c0391b27ccd5e133af0b201

SHA512
a172df0bd7d7c5f18bc6d2fab0369605a4d61ab94c6038fd47059da0260e357cc39940107156486e13ff890a9d8165233a7ea71b683bf2bf9bdec375f086f3f7

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
55KB

MD5
7ba0299437c1f44a7db79c59a3e76d21

SHA1
69ecef9aa4895b2a63f6f1894d7fd0048dc91307

SHA256
25e2439e0192f0fb7f1af3dc88d00e3a60908797aa47b4ef7284917df20779d1

SHA512
e2ea0c054fa68f4072f448d10b51d570f5c6cac139c33bb8668ec2ddf1367d619efca96e6db718bf3febb93beb9aae508746f1a38cd136ff2765b1848cd2040c

Download Submit
memory/208-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/208-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3644-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3644-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4248-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4248-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4512-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4512-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4628-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4628-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4936-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4936-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4972-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4972-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads