berbew | 2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c

Analysis

max time kernel
93s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
Size

64KB
MD5

99e29e0e64960cd2910be5171d9a09f1
SHA1

0fb9df4dd28db03dc9fe7342575419c90ef1b115
SHA256

2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c
SHA512

5d279f5e96174953baa39bb228f07bc3fe266519464865158bc698310ce4ca95be0583c39822f61e48e46f8829cf9ea6446fff5c364147bc86a29482f648ae80
SSDEEP

1536:5D99PEpuL+5oIXMRt64fUXruCHcpzt/Idn:5p9PGmKMmUpFwn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 27 IoCs

pid	Process
3504	Cagobalc.exe
384	Chagok32.exe
3768	Cjpckf32.exe
3460	Cnkplejl.exe
3276	Cajlhqjp.exe
4640	Cdhhdlid.exe
4420	Cffdpghg.exe
2296	Cnnlaehj.exe
2936	Calhnpgn.exe
4656	Ddjejl32.exe
4792	Dfiafg32.exe
2364	Dopigd32.exe
4360	Dejacond.exe
5072	Dhhnpjmh.exe
3672	Dobfld32.exe
2436	Delnin32.exe
4436	Dhkjej32.exe
3188	Dkifae32.exe
1956	Dmgbnq32.exe
4112	Deokon32.exe
1896	Dhmgki32.exe
4144	Dkkcge32.exe
3804	Dmjocp32.exe
2996	Deagdn32.exe
220	Dhocqigp.exe
4056	Doilmc32.exe
2244	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe

Program crash 1 IoCs

pid	pid_target	Process
2544	2244	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 3504	4260	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe	84
PID 4260 wrote to memory of 3504	4260	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe	84
PID 4260 wrote to memory of 3504	4260	2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe	84
PID 3504 wrote to memory of 384	3504	Cagobalc.exe	85
PID 3504 wrote to memory of 384	3504	Cagobalc.exe	85
PID 3504 wrote to memory of 384	3504	Cagobalc.exe	85
PID 384 wrote to memory of 3768	384	Chagok32.exe	86
PID 384 wrote to memory of 3768	384	Chagok32.exe	86
PID 384 wrote to memory of 3768	384	Chagok32.exe	86
PID 3768 wrote to memory of 3460	3768	Cjpckf32.exe	87
PID 3768 wrote to memory of 3460	3768	Cjpckf32.exe	87
PID 3768 wrote to memory of 3460	3768	Cjpckf32.exe	87
PID 3460 wrote to memory of 3276	3460	Cnkplejl.exe	88
PID 3460 wrote to memory of 3276	3460	Cnkplejl.exe	88
PID 3460 wrote to memory of 3276	3460	Cnkplejl.exe	88
PID 3276 wrote to memory of 4640	3276	Cajlhqjp.exe	89
PID 3276 wrote to memory of 4640	3276	Cajlhqjp.exe	89
PID 3276 wrote to memory of 4640	3276	Cajlhqjp.exe	89
PID 4640 wrote to memory of 4420	4640	Cdhhdlid.exe	90
PID 4640 wrote to memory of 4420	4640	Cdhhdlid.exe	90
PID 4640 wrote to memory of 4420	4640	Cdhhdlid.exe	90
PID 4420 wrote to memory of 2296	4420	Cffdpghg.exe	91
PID 4420 wrote to memory of 2296	4420	Cffdpghg.exe	91
PID 4420 wrote to memory of 2296	4420	Cffdpghg.exe	91
PID 2296 wrote to memory of 2936	2296	Cnnlaehj.exe	92
PID 2296 wrote to memory of 2936	2296	Cnnlaehj.exe	92
PID 2296 wrote to memory of 2936	2296	Cnnlaehj.exe	92
PID 2936 wrote to memory of 4656	2936	Calhnpgn.exe	93
PID 2936 wrote to memory of 4656	2936	Calhnpgn.exe	93
PID 2936 wrote to memory of 4656	2936	Calhnpgn.exe	93
PID 4656 wrote to memory of 4792	4656	Ddjejl32.exe	94
PID 4656 wrote to memory of 4792	4656	Ddjejl32.exe	94
PID 4656 wrote to memory of 4792	4656	Ddjejl32.exe	94
PID 4792 wrote to memory of 2364	4792	Dfiafg32.exe	96
PID 4792 wrote to memory of 2364	4792	Dfiafg32.exe	96
PID 4792 wrote to memory of 2364	4792	Dfiafg32.exe	96
PID 2364 wrote to memory of 4360	2364	Dopigd32.exe	97
PID 2364 wrote to memory of 4360	2364	Dopigd32.exe	97
PID 2364 wrote to memory of 4360	2364	Dopigd32.exe	97
PID 4360 wrote to memory of 5072	4360	Dejacond.exe	98
PID 4360 wrote to memory of 5072	4360	Dejacond.exe	98
PID 4360 wrote to memory of 5072	4360	Dejacond.exe	98
PID 5072 wrote to memory of 3672	5072	Dhhnpjmh.exe	99
PID 5072 wrote to memory of 3672	5072	Dhhnpjmh.exe	99
PID 5072 wrote to memory of 3672	5072	Dhhnpjmh.exe	99
PID 3672 wrote to memory of 2436	3672	Dobfld32.exe	100
PID 3672 wrote to memory of 2436	3672	Dobfld32.exe	100
PID 3672 wrote to memory of 2436	3672	Dobfld32.exe	100
PID 2436 wrote to memory of 4436	2436	Delnin32.exe	101
PID 2436 wrote to memory of 4436	2436	Delnin32.exe	101
PID 2436 wrote to memory of 4436	2436	Delnin32.exe	101
PID 4436 wrote to memory of 3188	4436	Dhkjej32.exe	103
PID 4436 wrote to memory of 3188	4436	Dhkjej32.exe	103
PID 4436 wrote to memory of 3188	4436	Dhkjej32.exe	103
PID 3188 wrote to memory of 1956	3188	Dkifae32.exe	104
PID 3188 wrote to memory of 1956	3188	Dkifae32.exe	104
PID 3188 wrote to memory of 1956	3188	Dkifae32.exe	104
PID 1956 wrote to memory of 4112	1956	Dmgbnq32.exe	105
PID 1956 wrote to memory of 4112	1956	Dmgbnq32.exe	105
PID 1956 wrote to memory of 4112	1956	Dmgbnq32.exe	105
PID 4112 wrote to memory of 1896	4112	Deokon32.exe	106
PID 4112 wrote to memory of 1896	4112	Deokon32.exe	106
PID 4112 wrote to memory of 1896	4112	Deokon32.exe	106
PID 1896 wrote to memory of 4144	1896	Dhmgki32.exe	107

C:\Users\Admin\AppData\Local\Temp\2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
"C:\Users\Admin\AppData\Local\Temp\2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\SysWOW64\Cagobalc.exe
  C:\Windows\system32\Cagobalc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\Chagok32.exe
    C:\Windows\system32\Chagok32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\SysWOW64\Cjpckf32.exe
      C:\Windows\system32\Cjpckf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3768
    - - C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
      - C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 404
        29⤵
        Program crash
        
        PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2244 -ip 2244
1⤵
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
64KB

MD5
6bb466624199090fe7ca26bce3410518

SHA1
8c6a11c88e16fd92f6af67a61e011c291b724bac

SHA256
2896cee393eed7939f9c86d018b25cbc80021faf596ca4aa09a05280690db796

SHA512
f7a9ac6a20845a3b4f31c03254dec1e439594fbeb6385d49aef1d39f9e3310fcce244572c889f466f559c5ee5cc61c945931c87f6cd6cbc380bb901ca95aab0a

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
b557a831c9afd6d670c0d9e89735914c

SHA1
751d0b02b04f45e07c72dfceed16bdaa9d49aa6e

SHA256
774b87a8ec578cf5a43dec2f2533f4cc2d41555724997dc98c1d55d9fded71e0

SHA512
5ad0a3979c2f65d98a32056399c1f75a4e1a81dcd36648866b509db698f3b237260e287b3a396c7e5933a20ad67349ddd7e0b8310a0482b1aab20e6ac4596de6

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
64KB

MD5
40a1a9a6b5a80410e2cfc096d9e0d900

SHA1
9802aad2289fd46adb04766071f689944a3dbfbd

SHA256
5f47fbdf4c7e33818bc2407c184f6c391eebb73d45d7e18dab9165b249ad8da0

SHA512
4b89ec20d61e18ac6d715c7569d4c24793d269103071cff03bd66a782d5a935374db5b11cf977deb6aed71e2afb0dc99b0e77b59c87aef5e7233552f9fb384e8

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
7f12beca1e0119e579d2e7b64eda4519

SHA1
5f052a69b354fefad666b57d45722a3f44273fe0

SHA256
739b01a6de531d086fa13a394a7cdde5ad9d9ee844d15adfe4a62bcffdbba53b

SHA512
d2f073e2c67ab78f0ed5a6fc34658a5e042343c5fac644e6edcb52ae341d8d3d287d4dceaf3e1913a18be33b4308b91f09dfb0ffdb420cb4c5b8dcfcedca5d27

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
e46039b359193809704d45bb91ffa00f

SHA1
0f69993e5b558e10cbb9192892af9b8b2806de2e

SHA256
6c27b3aea780500f6f968d3d40929273d6f37213847b653dc217c0dd768a3ff0

SHA512
452dab99bec6b4da8a59516a5bb99a027e012e8d42763959c097863b2a4e5786bcc9ddab3997d7331a0e7bcad06eaed773155959bf4b4a5d2ffdf34d22436642

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
64KB

MD5
20dbfe5682a026825d8724171266dc51

SHA1
c2d796d3c4e86f4eb302ac956be03c7d46cf8778

SHA256
055679cd5e3668fcb073e5bb72cb64d01b3dec2c2bcc28419cafa7f7d9987bd0

SHA512
81fa5fec562e43555c520c474b3aa3b1b81416d4bbe2715e017dcabea3dc3620d54a51ecde5d2962b24bdbfd7cb8e32bc026a66facb85f7b9de2fdcfe1d5c47b

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
c1cc1b5b2abe5065151869b58ca0f52b

SHA1
6e98337a1851960cb98375425481208cd82c663a

SHA256
23dc6f977ebecff0ea7779247ca76895c97b62abba952aea84a1afd6c87aaa55

SHA512
4a7959e65c548e46c15c0fa3a210d6a3a46919879c0f2a6781f4564e313dcef10607d0f00859c5315da2728e17ca5e52d9e43b978ba71733984349670e658853

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
4a5124b0bb1a3d052b4fdab00cab2669

SHA1
0947e2c9fadaec14031e59d422547696d44056a4

SHA256
0d609e691ae2518a70fe1b812d428678c259f6b9efb7ce88f50db743d72363a3

SHA512
449449b7b51c85d21132d6b4d1c90921fb7bd9c8333b215f254d32a522d5d22f9e70031ded67104c5e0a747ecb4bcb17ebae79b7986e77df1f30464cd40b6cbb

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
c2e95ee21f8728ddbd26d61079c25352

SHA1
fffe1483652ecfcf676aad19d81b0b12af64b389

SHA256
c2349828b9a654ffa215571802309d2b11173ac17a70a01d6571dc53c2ab32c1

SHA512
715c553b3dbb313829ff5aa0b1bf67bef7cd7e30fd7f78238e0e58e21a453d09c590c59484149b1362e3ed818d681f86c4fab2ef35fa4c2b1708ca515bba300b

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
e895c88fbc30d3991a5daabbfbd0a94a

SHA1
cb37eb3178c1de6fbb4f5b63de7524fb57d968fe

SHA256
0a1a5b5fc15a529329bef7b3bbc73c94d700bb04ae228aafb13af816138ae269

SHA512
f375aa467ae5d7d6403bce346ea568deec3a861d12dcc91075bee28019e4b8dbd8f8710cb7140f4e5c76eb16590b72b7b262efc4416292d232c2409cc15e3d3e

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
64KB

MD5
b5eba82a800bf884f0ba94a7090ab6d7

SHA1
c27c0ef065cc65fe2af3ee898037d086e34e9806

SHA256
714c36be04192adf1712961cad1507dcfc8b7f8d3dcdc4e3ea114c898cb402cf

SHA512
2c35baef74ca4585b8712e497c8e9695f4715d29ab80635becac0d1ff7c62eee0f5ad21019f2811d18d9e50c83ec2aa897ae919089456fdc274d584132e44233

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
64KB

MD5
93293d02f540074dcfd3eba23a807aaf

SHA1
adcd8582d772a41bb56fe35f8ea0fad0a55c3133

SHA256
399cd2a3a6eac88e9ad5a9250dcb13139fef2ab370f9e29defafc83a090f054e

SHA512
b5542287502a42694a2dfb75e2de74ecf94ead501768943ab6a78125bf4673d0fa31267b44d1cbeb467440017d3924829cf05886b165e63b5971e0b586dfcf19

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
20de727fcc58b90204cd7ec284e7601c

SHA1
74faa75f23cb132c853a21a736bc0fb63732a6b5

SHA256
9b834f94496edfe0d1cae0de0a277ac94390d32c27583eb92f834f8f2d6a555b

SHA512
b46b431813d69159671d1ccd890e88e253f125edfbf85256a7dde3fd84cff0d6c9b9421faa039b6fdbf3fc09ce1b7914680c894d3070c996e8d3b4e2a1479c7d

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
058b62b605cbac2ba2268bb0912d38c4

SHA1
a894da9de554dd87861708d927ac87864a9f6d9d

SHA256
2ee4915e627fef32ef93b93ec69dc77fd163d21e1e1ea75496cbd1c691a77777

SHA512
004a03d99b6bda9de4eb59b5fe992e7d6273799e1a7f37fd2cb3ae0bf8758ecb2aee44419f27f19b0f56edaa1740bfab1303006b011156ce10046b37d96c2d78

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
e99d69bd72cf70a9bb5084044e6ce93a

SHA1
e24382d64c3b5647f80effbedc3cefc55c375b7e

SHA256
92eba807f720e55bf6f97e512daa1f7e9f261b0f3ed2aeb972aa2b758fee78c1

SHA512
8b06815a588973525e80584c11c6aa6420db9a538231528b07cd5b7535148f6f7ad8c1b50293a0031f4237175bb7efde041fb3dee167bc37c0ec39d15a2c620b

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
af7784655119ce718acc2f32363f468b

SHA1
9c7157764d18ddd3bbcce2e55d47b2cc8ab2b3f0

SHA256
a7fffd0740df3564119562db937498be9672af261040b59f9143fa5c71cd2d0b

SHA512
2a2508b30b266406ad10d9113b8c008495aabe5943345b85a18df39d1108fa3a784860007c860eb9d983983fbfb6ca5104cee3625a33ca5b7c523c03b99366e7

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
64KB

MD5
40ba4e51ae2b6c6eb184680cb3a35fd4

SHA1
29fe299247808e986c96e94928b37eb58401fb6e

SHA256
732d647e588ba46fb4d26fcd62f34d1db67b5d375cd91d37c8abfc680b87d185

SHA512
30374d355ab4075197957b75a13c2073313cc4d6356215b4f7f1d93c23f1c6afdbcc0b7f059f3a1fcf4b0a5131b99b8737af8bacdfa05b36ea6320ecede7ec87

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
64KB

MD5
a1673cdf19e70c773255d3afc3c0f284

SHA1
c3359993b225240e817b3d4be11dfc2767b67929

SHA256
2ba0d40873c8f30f9ce505414d02b01ed51941d3d293c171615e5b052cfacb20

SHA512
f7926a168cf1eb8d97df61610cbe4c41b3518ca6b0081e4f55a1ae8fb5a943a93dbb8604ba6696eecf2d35aaf74569dfa9c5bf34e09ad7d6e4d260302a271ec2

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
64KB

MD5
ea0d062dc63abd92df9a5818a7450b39

SHA1
f23c6b009d00b6a8c556f4eb19b888ad5da2c260

SHA256
7d0ab5a351f0d0c08180a9da4f3e23b4520bc74664379ac9460d294d583578f4

SHA512
b62c1fe3e482b3fc2e2d042cb20df83f0fb4adaa7dc0ace2975c32688938369beb7b1034a1aa09eefd8f77b4a420bd4c3b0b953eb79232d86629da05c254bcd5

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
dc356514c7daee2c3893d261caf90f31

SHA1
3a33e2b0aeca69f9079f218b05aefc96800b2a34

SHA256
7ee203375abb22e54bab64cb81d1fd96cd4a205ec781d4f7e5bc17e76b3d8696

SHA512
6fee2b6c22d79172400a7bc2eaf3655423837e6fd21c210829deb1cdc1e68f0573a345fec78e305ac1e3bbbafe54cc7ce2e4baefcd492389a009e3d6a615c47b

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
84323c5ee45842ef38389a4f88aee4bd

SHA1
2638f98f2f2c4003f619d7b85e9cb8b7c1ac6ad0

SHA256
d40e823b39b16ca1520990ea8040ae8c14507c79b98cb329e75314200d4e0ca8

SHA512
261a1fa3243866389c5ef38471bfbb3a1e856c82870eaf3c5e49bc3a77729a5ffce06fecf8f54eb2383b6af1e549ddc006c5f29a309d2b2b18dc714e8b1353df

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
be525661f1d345e789b9ec46d91ecf63

SHA1
6f20dffb703d374d66ee4138d48a12256791b528

SHA256
f22f1bd87d268a37d76228a48e61649c0c3481cfcd3b95d0388ad00bb76d7e58

SHA512
19b522adf1f8cf25aadcdb934e63eaa93d57fd1f980e0b299c32b37dcf5a56cee515ecaabe4ff3d4e15c02b3bb15df2115cb1c9327404ede2208e9eca7f7b87d

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
64KB

MD5
5b8a804a3dbb8fae6edd2e987b7f584e

SHA1
f30450024f5b77a18672ad3fb0130f83ada52adf

SHA256
9d0326806ac35f8988d0b4a120cb1ed733f3ab1b51f4ba32692c946e9875f294

SHA512
cd01db9f74d58e997416ca3d671a95802d4b283c6eef41a8a06507ccf70a46036ef59843207030897ea98e0891a708bb1db5ed8a77dfc718c261b084c4a08c92

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
12df4073c46f571f47434f11625ad192

SHA1
e22690ab72b2d800290acfe321ebec1eb36152c8

SHA256
7bc3e8412e6a3f438f4d3be6d8d10646d903876f140dc76ba5b6c18aff5e3457

SHA512
1c1747b92211e31e36b45d36b8b7f858440f3866e94c772eac5d2895cd762412d67e6558746d42e813cff9634808a0969ab6809601cd8008b7d8bb9067b482ad

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
661e261b8e1a0523ba97224daad1e4be

SHA1
31280456394fc6c400a900c56663a25389cbf124

SHA256
dc9d588755f0fe30c99a41ec506269f88feb31decb96128ea6ec15e049f079e5

SHA512
c5856eae4a641d28797b35ab1b395b63ac6abf70514cc5d2e511a0d6ea6304729c5955f598966f773dda412bdb0fa04c5f9ce78aa5b9de7a107bf18bd7148775

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
64KB

MD5
7c8ea12a17644a1247ebd2c567ce7011

SHA1
b36b0b1dcbf88a6d8f5c142a0645bc7049929baf

SHA256
2ee6f95ee9b667e57183256328674eb05551d5bd4fb0941380b8e42ab280e78e

SHA512
b2e36e69f2f28a6a4e77ff05a3a97e5912661ff0bb780a33e7dc7f3e8c31b89dd9bbc7f7efce9a1d14b78e299c90b6d6c996d1eb2598a223303041447bf34aa8

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
f182f5162ca4325f8c09b663828dd0f5

SHA1
da828efc964035071d16c42fe53d23414eea4a54

SHA256
788bd8903825b3242f1155f97baab9ece0a15d092bd369775d7272c16d45e6cd

SHA512
a6548c1a187e913f7204690eb9ba9278f1565e69440f01fad40161625c896377190eec38df4bca7bb25ac275a7dd13066ac6e38fe783d684ac30457233e9288c

Download Submit
memory/220-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads