berbew | 6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
Size

45KB
MD5

c4c3a308a2b2ae9108278b3dd4b1dad0
SHA1

3903d729349b7f30f732c8098641a9bfae5f6be5
SHA256

6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05
SHA512

e1d1e111cd67c33549938097c373089d67a1570a41882f57754e900b3e93c3c9aa0367817c88b84924842b8e1d6d797ae432136a7ce8d4d2a51fdd90663aed49
SSDEEP

768:908YdhJlwRJrBA2Zwf3lArO7UUcgaIZfP6f/FhLZq/1H5N:yTJuRJrBA8wf3lRFvSf/FhLSr

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 25 IoCs

pid	Process
1896	Cenahpha.exe
1392	Chmndlge.exe
3996	Cjkjpgfi.exe
4628	Cnffqf32.exe
3120	Caebma32.exe
2892	Cdcoim32.exe
3748	Cjmgfgdf.exe
4020	Cagobalc.exe
324	Cdfkolkf.exe
1860	Cfdhkhjj.exe
1996	Cmnpgb32.exe
464	Cdhhdlid.exe
1600	Cjbpaf32.exe
208	Calhnpgn.exe
4132	Djdmffnn.exe
3008	Ddmaok32.exe
2472	Dmefhako.exe
4596	Ddonekbl.exe
3212	Dodbbdbb.exe
1960	Dhmgki32.exe
1528	Dogogcpo.exe
1888	Deagdn32.exe
1636	Dhocqigp.exe
4636	Dknpmdfc.exe
2416	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Ddmaok32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4708	2416	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 1896	1176	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe	82
PID 1176 wrote to memory of 1896	1176	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe	82
PID 1176 wrote to memory of 1896	1176	6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe	82
PID 1896 wrote to memory of 1392	1896	Cenahpha.exe	83
PID 1896 wrote to memory of 1392	1896	Cenahpha.exe	83
PID 1896 wrote to memory of 1392	1896	Cenahpha.exe	83
PID 1392 wrote to memory of 3996	1392	Chmndlge.exe	84
PID 1392 wrote to memory of 3996	1392	Chmndlge.exe	84
PID 1392 wrote to memory of 3996	1392	Chmndlge.exe	84
PID 3996 wrote to memory of 4628	3996	Cjkjpgfi.exe	85
PID 3996 wrote to memory of 4628	3996	Cjkjpgfi.exe	85
PID 3996 wrote to memory of 4628	3996	Cjkjpgfi.exe	85
PID 4628 wrote to memory of 3120	4628	Cnffqf32.exe	86
PID 4628 wrote to memory of 3120	4628	Cnffqf32.exe	86
PID 4628 wrote to memory of 3120	4628	Cnffqf32.exe	86
PID 3120 wrote to memory of 2892	3120	Caebma32.exe	87
PID 3120 wrote to memory of 2892	3120	Caebma32.exe	87
PID 3120 wrote to memory of 2892	3120	Caebma32.exe	87
PID 2892 wrote to memory of 3748	2892	Cdcoim32.exe	88
PID 2892 wrote to memory of 3748	2892	Cdcoim32.exe	88
PID 2892 wrote to memory of 3748	2892	Cdcoim32.exe	88
PID 3748 wrote to memory of 4020	3748	Cjmgfgdf.exe	89
PID 3748 wrote to memory of 4020	3748	Cjmgfgdf.exe	89
PID 3748 wrote to memory of 4020	3748	Cjmgfgdf.exe	89
PID 4020 wrote to memory of 324	4020	Cagobalc.exe	90
PID 4020 wrote to memory of 324	4020	Cagobalc.exe	90
PID 4020 wrote to memory of 324	4020	Cagobalc.exe	90
PID 324 wrote to memory of 1860	324	Cdfkolkf.exe	91
PID 324 wrote to memory of 1860	324	Cdfkolkf.exe	91
PID 324 wrote to memory of 1860	324	Cdfkolkf.exe	91
PID 1860 wrote to memory of 1996	1860	Cfdhkhjj.exe	92
PID 1860 wrote to memory of 1996	1860	Cfdhkhjj.exe	92
PID 1860 wrote to memory of 1996	1860	Cfdhkhjj.exe	92
PID 1996 wrote to memory of 464	1996	Cmnpgb32.exe	93
PID 1996 wrote to memory of 464	1996	Cmnpgb32.exe	93
PID 1996 wrote to memory of 464	1996	Cmnpgb32.exe	93
PID 464 wrote to memory of 1600	464	Cdhhdlid.exe	94
PID 464 wrote to memory of 1600	464	Cdhhdlid.exe	94
PID 464 wrote to memory of 1600	464	Cdhhdlid.exe	94
PID 1600 wrote to memory of 208	1600	Cjbpaf32.exe	95
PID 1600 wrote to memory of 208	1600	Cjbpaf32.exe	95
PID 1600 wrote to memory of 208	1600	Cjbpaf32.exe	95
PID 208 wrote to memory of 4132	208	Calhnpgn.exe	96
PID 208 wrote to memory of 4132	208	Calhnpgn.exe	96
PID 208 wrote to memory of 4132	208	Calhnpgn.exe	96
PID 4132 wrote to memory of 3008	4132	Djdmffnn.exe	97
PID 4132 wrote to memory of 3008	4132	Djdmffnn.exe	97
PID 4132 wrote to memory of 3008	4132	Djdmffnn.exe	97
PID 3008 wrote to memory of 2472	3008	Ddmaok32.exe	98
PID 3008 wrote to memory of 2472	3008	Ddmaok32.exe	98
PID 3008 wrote to memory of 2472	3008	Ddmaok32.exe	98
PID 2472 wrote to memory of 4596	2472	Dmefhako.exe	99
PID 2472 wrote to memory of 4596	2472	Dmefhako.exe	99
PID 2472 wrote to memory of 4596	2472	Dmefhako.exe	99
PID 4596 wrote to memory of 3212	4596	Ddonekbl.exe	100
PID 4596 wrote to memory of 3212	4596	Ddonekbl.exe	100
PID 4596 wrote to memory of 3212	4596	Ddonekbl.exe	100
PID 3212 wrote to memory of 1960	3212	Dodbbdbb.exe	101
PID 3212 wrote to memory of 1960	3212	Dodbbdbb.exe	101
PID 3212 wrote to memory of 1960	3212	Dodbbdbb.exe	101
PID 1960 wrote to memory of 1528	1960	Dhmgki32.exe	102
PID 1960 wrote to memory of 1528	1960	Dhmgki32.exe	102
PID 1960 wrote to memory of 1528	1960	Dhmgki32.exe	102
PID 1528 wrote to memory of 1888	1528	Dogogcpo.exe	103

C:\Users\Admin\AppData\Local\Temp\6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe
"C:\Users\Admin\AppData\Local\Temp\6ac28d53e587bf1f7eccb67876079f1f5df986fa7ab889d1b11df8bf0f3fee05N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\Cenahpha.exe
  C:\Windows\system32\Cenahpha.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\Chmndlge.exe
    C:\Windows\system32\Chmndlge.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\SysWOW64\Cjkjpgfi.exe
      C:\Windows\system32\Cjkjpgfi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 404
        27⤵
        Program crash
        
        PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2416 -ip 2416
1⤵
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caebma32.exe

Filesize
45KB

MD5
4537b6bac4e72809a25f1c0ca51643b1

SHA1
9ce9b38e84f253e9d1da84b20f09ef61fa2e0ea2

SHA256
1b8449a7fa69a2bd6f21fa05a057d56b10b862a67608d1a69b2446838d7ddd51

SHA512
fbc22b2f095564ca7b35502ad53256a9cd4cf02be60fd40b708b70e4d454016062f1c8059a784b7f0d7a79778cbf6e060cf594c7e4be6f11f238a1a51abeb85f

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
45KB

MD5
4de535eba2702b9139e1e6b7aa21f794

SHA1
201a78426e1ecd473258c37e04e568f64a916ac3

SHA256
38bac0785fb792a58652094e4ac635ec58fae8bb6c43f086fdc0173695e92242

SHA512
732430cfdf5e6f87c04334db19a09d1e59becc490cc46e756e129d3530b7944d664e52c4dde6c52bbfb8fe126a8f2791fcf805d476f760508c6a37b738b16478

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
45KB

MD5
3ee57057b960c92d6331e6ce0ac5c51c

SHA1
70b9deb2e07ac9c005b5e91e202207e04fd0323a

SHA256
6b573228ad6ca5b788081ef1358d145022c2feee539d71fe1880d602460f49f3

SHA512
acb123ff996600309797047ad9d1078d07fb7d7021dfb382ed4e6755e4f2f9a4625dfc0195a2026f17376d1e16b99cd80f03de5b70475a07488bcdd2d0b69320

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
45KB

MD5
5921dabe60a4ebea126e05abb917bfc3

SHA1
2d7023cd2aa626119ff7236214313f37c6323a23

SHA256
779576184150e833640108844edc37b9834fb0f4beffdd90fef94560b4f659b9

SHA512
91c6a2caba2890a7f0bba19c0fcccbb9d3448f330e20086015d20fd06c837a928a7298c4dd98221d68220e8bd5cbcbf76e6dfda29bbfc6833929f0c80b7f0668

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
45KB

MD5
e322b096ab129bc11cf5c2b852632db5

SHA1
7273f4b3886117b6ea39083d6badf1b4dd2927c4

SHA256
7946c733b7f6daaf3ef70df2553fd0c8fbe4910956cdef5528190124d8374ea6

SHA512
c742614008a1d79ed9dc8b000cd3cb101ddd40e2634a5b0fe6eded247d97bd957fd216dfeb560748b90cb7a584175b53e69c322d4163010fe87145e8f67a2b48

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
45KB

MD5
e570bee418cab015f4c80d51d53fbb58

SHA1
1df35d3f774ae846d516164094e45b8d5ae3769e

SHA256
ecb3d7947a949f2ac05754ea6c35d1e8ed3d001ec20a96eda3fa02ad1445a5d1

SHA512
ae87a6148df08d36c00cc9b482ad34f35ebc57969eb8b1a09ed4e90d99eee2bfc638af4ec575f8d80336773bae15f706ffc71b5a75eeb0e4c97fc12674432018

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
45KB

MD5
2412c21efc443455eb254d92931f7977

SHA1
9f83902a7e4d2bbc3b1d4dd6975da0305c8ceeec

SHA256
4360c8619f1be70f6184913df0e90ca1f3eb53af249817ff575385445bf42c3e

SHA512
daa7ee11ea5b07ec557b944ed3afb85346bb77139211721b02de5e96de8144009f7572bc4902d6717d6fa419cb1caabbbee3c49556f299a9f2c5582724a39b16

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
45KB

MD5
3e21ba57c329afa932b016354be9e4ea

SHA1
1e0e8cc76f5d144b2c7d4514db59941e2fd31e02

SHA256
725eb1ac9c5d767cf6cb3bde735e02a6546b24d063f21390e4ee2dd7e6ce552b

SHA512
f13af616767220ff2e1c203adca177e06fad647dedda40a03edec786614e0244b620260540db46495fe61c9aa2503abfebf6f0555f56c4f75bf8a7b8e17aea6e

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
45KB

MD5
2c2880555994473a68f38e365de2791f

SHA1
53034fbbd0e954b4dbe23db84efbbdeeb3a874ab

SHA256
b2dc6321d10aeb863feea9dcd85c34e4d2f13898c4508be2421ac302bff39c77

SHA512
5613af8c3a89e67c1c218d61c12aea8445f9bd01715fb111049a6307e70adea5b16d40e21c86a7d3d11ce97f9e4f7f74603d04f6a1c5f70657c6ea24be3b5026

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
45KB

MD5
3963611d4f91bedb1859dd5b939a0e4d

SHA1
ff8bc50047a179c61eb0d1273550722c81b58c80

SHA256
808ef799d3761a9c5a7e733ca47e8167397abcb930b4b0cd5a1c3e5362df9a76

SHA512
a5142cbc0a6c039d2c81d3156ca1da89969c17c11c26d1c32f7340e1e4ca36d47960b6a0fb57099d41e11e1da5c61801324958bfdb235ed255fa97e25b805f53

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
45KB

MD5
e4fb7b7382a9617ef3f7923d8b182bda

SHA1
aa3f62cae276f5ed626ab6b2a2540e547fb0ed43

SHA256
f714c1bdf7e9fda9326f1d005390d8ab2eb1e5ee47aa5fd064033a6f9ea6375a

SHA512
f4609373c5ce9390d2cfb1f0f067bd3ae08b45859e763b10ce144885f59262492cfc6d639a63ec5422e0742d052b01bb4198f4bfc74191e5bf69fd3cd5f5a725

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
45KB

MD5
f73c1718cfbb1cdfa42c644bb8f2610c

SHA1
86d378d5590a0e9b19abc7b3cf825a884109aa8f

SHA256
003f4749df84c60f7873fe2989db9ce40665e6657fe16c7ff81769bdd651af34

SHA512
91efb40ace6e1a571572d2b8636dc5667a04e84ec9e455eb80a9ab90993b334c8a3394c52a93d4629e355c24915a04018da866c7d15153894d02f920497f01f9

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
45KB

MD5
6b4b5eac6dbd3791f4cd2c12ac8c8e8b

SHA1
af8c9e5c6d01907fcb8819ae6f75929aff069dae

SHA256
8e04bf0a99a66cdd642a65b3153c81530b9d66579de817549854e8b1451ef182

SHA512
b777d549ac6f1cc617c3e1ac303f0fa0dccb71a9b3b4c3ad924d6fc7a260b9241010f8f34c4f51118453fb8861c0b14772a1061359968812eade44aa915bd613

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
45KB

MD5
d43fcde13655c625dbb9d970adc28246

SHA1
014c6de406a7f62e1740449c994dde8dcbcd3605

SHA256
558086d349ae9b80f97d2cd429bcb8439a7f273ab1eff34e7ba1bf938e3fc930

SHA512
5c2462d125da38c8477e60327dd1e31ed633878dff7da486aa7453a5642d25ef9b986a5da7fe881a28258b362b122a1930005341f078f98d6b77adf2b3b8f645

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
45KB

MD5
448551a4b48cab5fb54b36fdb8ca6c92

SHA1
efadfd6d29bd57d0e4c062eb4e4c1304efb9a8a0

SHA256
f2b13a526dcbceae426b432042c0ba25f26adaeeb905a0630e61eb6dfaac88ac

SHA512
4631afd1d3f9bfcc940deb2290008e1004a29ad81ac43290cb3461b12a3d05590db50388dac5312c1a4bcac8b017b4e61c88e16cc834a36c0bea0f9a57ca3935

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
45KB

MD5
63ad119533638f3d2c7359941fc4df59

SHA1
9847922a62d90d5f9e09e33c47b18c9ded2f189d

SHA256
66b72be39d9870601adcc89624e9d98241a41df508515644461c470130f3076e

SHA512
6be2461d4ddaed5f576ef8519dcd439616ed6ab7abf2102b0b64cc89e44d1b5b01040c6c277ee73b309d7887b7b09291b85a32f0152aa62564917d2560366e2e

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
45KB

MD5
c5c797cacd528db377e7102c93c3f9e3

SHA1
00d77133e58bcb4db560207af6200f57f0516224

SHA256
214f49b6b5463e77b93a57bb5d5f234231ebad1480b761911347c453fa5f3e17

SHA512
ee23339c06648e86150aac8e04e699a44094ef9217cca23ed327b653c8e252974198fcc30408ebe814068a3f9ae466f460aa9a3f8770e1e89f61b915691f35b7

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
45KB

MD5
41f16c80cee9f34e4f922b9c0b1969ae

SHA1
505562d082e749ba9dc11aaaaf902478f93ed4e6

SHA256
50e1a349157a076b48d2e868f38174aec53a823957771b4f3780aee5fee3813e

SHA512
7ec8cb99b6c99ff4f8a90586315d654d11d28e8e161e02a8ac6ae564675f602b086478f4782da715bcd6ca2a8b94a3f110f2b5d4c9eafa17b8e98fd9c5920b48

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
45KB

MD5
63210c8be92533d867363a76e5811862

SHA1
e69829d56786d89aed731045ff8d1666feb7f10d

SHA256
ad38def65c1c2ea33cb2c50e874420d22ed2c67a7d9aa40e9b66ab165c83044a

SHA512
11ca67f9270d7b1112a03ef97012ff5bada4c679c88fa9c7cf67a13f5eb02da97f43513a0075f63473b87e7caec02eff8e438042f29b83d50abe6097372e2932

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
45KB

MD5
e050722d3331ba08107f31638622efef

SHA1
54922724e931d78f0b07b5990afe31c1a265608f

SHA256
78d167ccd1465c67d0bb44a898c57d7e72a7a520d645dac6798e1ef39f4ed76f

SHA512
9b93f86f6896402876fbb3003823a48e6f942c9b7f7a3ddb658b08db9e7d4c86cc8d5fe257583367286dccbe77eea0499a7e3f1b6d78522b4686ef33d3786909

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
45KB

MD5
0d95ec01606f8b137325be0bfb17085d

SHA1
d09ed847383db397529bef5c5ab34d54783698f5

SHA256
9331c8f273181685f880075226cac5446dbf0c54b4013ef12e735a5c6e83da0d

SHA512
4b96c8f7b7985aced41d52c7069eda4babc963e343d5338e0e47dcafd373ce8bfa0a96ebd1a5fa676a6961d445fef475c5cdc6599ed9a623fb3701a045718b55

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
45KB

MD5
058a6f2668cbe1e9ff57bb228e2eaa61

SHA1
818f59c8a06e5fe157cc7fbed7ce9111ca2645fd

SHA256
89a443b9e2531f4d3b1588dec5e996984aedb2e6b377a49385d2f508a3f94c79

SHA512
7d94f1e8e7135c5c77399730aa90ab5dad93aba087c51fa4ea2ca3ef45822d612ccd81445c111a8c7add95f9f49f86692cb89c87b3b12ac8444b0c4f2458836b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
45KB

MD5
9d19e000fc2361f3c8591f4361bd6a6a

SHA1
53f2f921731d94da96134faca854b444cf674f92

SHA256
c791a6be1900444977f332782087e407c79b61bca9953a286daa6762888342ea

SHA512
4dc1582af66e188a6c87c301918c308cdbaad549356f68bd93958aeacc424c1b7fcc0d64726a13965e72949017d6aa3307ebf162f6b4d4e4a571e0b0eb959bbd

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
45KB

MD5
ff624245bc61c812d3abd4d04a0250df

SHA1
1ce2066d058f6c3ccb98e2b41fe58647b37eb14d

SHA256
15db86f2094af6eecbf8970ed3eb868b212feb52c16f7167654a526c8a2c05b4

SHA512
050d3d87d0415ca6dd9a23f35c6ed372a0b3ae377b0c102b0eb2e87cf7380ab42ac60bd46d306b6762083330979da0541a4bc4b5fe48fa048ef403f2ad370469

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
45KB

MD5
dcc30dd8104561f3e82d1a78da5cd350

SHA1
e31c625f8c20580fffeaa8101031e08edb2228dd

SHA256
de188c6d4d4b406f1b02a370a34a184c45e4b9acf5ac79b59d7778edbd74f706

SHA512
7c31c58fd572afa96c7f7cd5c8195d04dd36fd61300fc1dbd374bebd77e59f1ef844a3bcb1e891148341e33d3ff428dd691c08fbd5143a6e94a60b08e931de27

Download Submit
memory/208-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/208-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/324-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/324-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4132-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4132-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4628-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4628-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads