berbew | 4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
Size

192KB
MD5

cf1e5f226e8871995d0800c3ca3208b0
SHA1

b8d8608dd5f8b9b22129a6626a939e7767853038
SHA256

4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885
SHA512

30862a51c6ef3c2a0d569cfd11e3c53d905ba399bd132cfc36cdbeebb0fc514d52f591ed161dd0014ad956108b5e977147dd4cb2dc103721c2b9df1c86bf71e1
SSDEEP

3072:EfUmo1ZyBvvFwpbNWGA963kremwc/gHq/Wp+YmKfxgQdxvzSTsXXoT2z:E8z1ZSviPB+63/fc/UmKyIxLDXXoqz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 23 IoCs

pid	Process
3028	Cjpckf32.exe
1748	Cmnpgb32.exe
796	Ceehho32.exe
1936	Cdhhdlid.exe
2152	Cmqmma32.exe
2788	Cegdnopg.exe
3356	Dfiafg32.exe
3816	Dopigd32.exe
3604	Danecp32.exe
1092	Dhhnpjmh.exe
1668	Djgjlelk.exe
5008	Dmefhako.exe
3872	Ddonekbl.exe
1008	Dfnjafap.exe
4028	Dmgbnq32.exe
2284	Daconoae.exe
4564	Dfpgffpm.exe
4080	Dkkcge32.exe
988	Dmjocp32.exe
4560	Deagdn32.exe
4528	Dddhpjof.exe
1564	Dknpmdfc.exe
2992	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4428	2992	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 3028	400	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe	82
PID 400 wrote to memory of 3028	400	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe	82
PID 400 wrote to memory of 3028	400	4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe	82
PID 3028 wrote to memory of 1748	3028	Cjpckf32.exe	83
PID 3028 wrote to memory of 1748	3028	Cjpckf32.exe	83
PID 3028 wrote to memory of 1748	3028	Cjpckf32.exe	83
PID 1748 wrote to memory of 796	1748	Cmnpgb32.exe	84
PID 1748 wrote to memory of 796	1748	Cmnpgb32.exe	84
PID 1748 wrote to memory of 796	1748	Cmnpgb32.exe	84
PID 796 wrote to memory of 1936	796	Ceehho32.exe	85
PID 796 wrote to memory of 1936	796	Ceehho32.exe	85
PID 796 wrote to memory of 1936	796	Ceehho32.exe	85
PID 1936 wrote to memory of 2152	1936	Cdhhdlid.exe	86
PID 1936 wrote to memory of 2152	1936	Cdhhdlid.exe	86
PID 1936 wrote to memory of 2152	1936	Cdhhdlid.exe	86
PID 2152 wrote to memory of 2788	2152	Cmqmma32.exe	87
PID 2152 wrote to memory of 2788	2152	Cmqmma32.exe	87
PID 2152 wrote to memory of 2788	2152	Cmqmma32.exe	87
PID 2788 wrote to memory of 3356	2788	Cegdnopg.exe	88
PID 2788 wrote to memory of 3356	2788	Cegdnopg.exe	88
PID 2788 wrote to memory of 3356	2788	Cegdnopg.exe	88
PID 3356 wrote to memory of 3816	3356	Dfiafg32.exe	89
PID 3356 wrote to memory of 3816	3356	Dfiafg32.exe	89
PID 3356 wrote to memory of 3816	3356	Dfiafg32.exe	89
PID 3816 wrote to memory of 3604	3816	Dopigd32.exe	90
PID 3816 wrote to memory of 3604	3816	Dopigd32.exe	90
PID 3816 wrote to memory of 3604	3816	Dopigd32.exe	90
PID 3604 wrote to memory of 1092	3604	Danecp32.exe	91
PID 3604 wrote to memory of 1092	3604	Danecp32.exe	91
PID 3604 wrote to memory of 1092	3604	Danecp32.exe	91
PID 1092 wrote to memory of 1668	1092	Dhhnpjmh.exe	92
PID 1092 wrote to memory of 1668	1092	Dhhnpjmh.exe	92
PID 1092 wrote to memory of 1668	1092	Dhhnpjmh.exe	92
PID 1668 wrote to memory of 5008	1668	Djgjlelk.exe	93
PID 1668 wrote to memory of 5008	1668	Djgjlelk.exe	93
PID 1668 wrote to memory of 5008	1668	Djgjlelk.exe	93
PID 5008 wrote to memory of 3872	5008	Dmefhako.exe	94
PID 5008 wrote to memory of 3872	5008	Dmefhako.exe	94
PID 5008 wrote to memory of 3872	5008	Dmefhako.exe	94
PID 3872 wrote to memory of 1008	3872	Ddonekbl.exe	95
PID 3872 wrote to memory of 1008	3872	Ddonekbl.exe	95
PID 3872 wrote to memory of 1008	3872	Ddonekbl.exe	95
PID 1008 wrote to memory of 4028	1008	Dfnjafap.exe	96
PID 1008 wrote to memory of 4028	1008	Dfnjafap.exe	96
PID 1008 wrote to memory of 4028	1008	Dfnjafap.exe	96
PID 4028 wrote to memory of 2284	4028	Dmgbnq32.exe	97
PID 4028 wrote to memory of 2284	4028	Dmgbnq32.exe	97
PID 4028 wrote to memory of 2284	4028	Dmgbnq32.exe	97
PID 2284 wrote to memory of 4564	2284	Daconoae.exe	98
PID 2284 wrote to memory of 4564	2284	Daconoae.exe	98
PID 2284 wrote to memory of 4564	2284	Daconoae.exe	98
PID 4564 wrote to memory of 4080	4564	Dfpgffpm.exe	99
PID 4564 wrote to memory of 4080	4564	Dfpgffpm.exe	99
PID 4564 wrote to memory of 4080	4564	Dfpgffpm.exe	99
PID 4080 wrote to memory of 988	4080	Dkkcge32.exe	100
PID 4080 wrote to memory of 988	4080	Dkkcge32.exe	100
PID 4080 wrote to memory of 988	4080	Dkkcge32.exe	100
PID 988 wrote to memory of 4560	988	Dmjocp32.exe	101
PID 988 wrote to memory of 4560	988	Dmjocp32.exe	101
PID 988 wrote to memory of 4560	988	Dmjocp32.exe	101
PID 4560 wrote to memory of 4528	4560	Deagdn32.exe	102
PID 4560 wrote to memory of 4528	4560	Deagdn32.exe	102
PID 4560 wrote to memory of 4528	4560	Deagdn32.exe	102
PID 4528 wrote to memory of 1564	4528	Dddhpjof.exe	103

C:\Users\Admin\AppData\Local\Temp\4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe
"C:\Users\Admin\AppData\Local\Temp\4c66d68e541fc50b4c75e2d9a9c3253d001711ea239ef16828a5ad1313314885N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\SysWOW64\Cjpckf32.exe
  C:\Windows\system32\Cjpckf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\Cmnpgb32.exe
    C:\Windows\system32\Cmnpgb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\SysWOW64\Ceehho32.exe
      C:\Windows\system32\Ceehho32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 408
        25⤵
        Program crash
        
        PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2992 -ip 2992
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
192KB

MD5
627e6ba8b9fadd30677d3c58b50425ca

SHA1
3837a6bafa57e6b6db0f1d242327bce98c0c8d51

SHA256
f67f1bf5cf472c48a75f2a033e9053dc22bcd996f5885c201efa162c864a9c11

SHA512
38b54ed535e6d7b2b945e300c9482ac1272cf9f97f308511e180d8bded337487d5712a9e2880d1a5b0c975e13daf3554e1a0d5144cf74ab99f725df597ba859d

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
192KB

MD5
90b546f8097c318f95af5177e515e0d1

SHA1
bf53de6590fd8780fe28c865dfe5d4c3f7ae12a0

SHA256
49c9136dad790224e16b1d20f9b3bf40f9f9d36c51dc3cb309c706bc8d1fbc31

SHA512
6159188610caceabc13c326110725a8fc0b95d45af54548d28ed3c326e79c02c0c0d783f5d0697bc3e60953cadbcfa88f8d1e9e9130a425be338b7fb801ff138

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
192KB

MD5
4ea60c3298cf9716296feb1bd3d9f722

SHA1
a5187ac567f7f9c83cebfe1cfe9bcf2ffc77b884

SHA256
4d687353645ef52861c10a15633f3f695021575f6390629a704e6dd2af0b026e

SHA512
4612e0dd962dd4e4e05f7026568a164e698eded6c2ca45816f826ce9d0a778fcf1e43e6726f14d9b426275e13ef81e389057f4318b6541336bc79d31e7ae0e8e

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
192KB

MD5
4b0cdffd4aefea7b6e6c5e3c42e57fc1

SHA1
b98b930e6da6916ca220b30aa253acd5c697215f

SHA256
6530512da197429a4fda1d608fa64020e522c994d6f3c4d0b07d41dde7714f19

SHA512
a3a4b6a4ec5ad8087a110392c7f18d8ac5d3447a783870523b71b63f508e3332145328545276bf2531b406a67d667f59a89e234b072ef16c661464fe1b0e1a0c

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
192KB

MD5
ad57755b88a1f8f66d7b7880564c6c64

SHA1
137fac1a603d606ebd64d5b193c632a1cf7943fd

SHA256
f42f549fe7e4a453ce84cdbda21ddfe07b4ae8c80dec3c8f163295a308395f50

SHA512
df7567091c85588eb7e915f69b77af522c4579b334323ffdd67c1693bb9c7dd1e0e5fa688ab9027ca636ba407d4f30ab3f3f4da248fbf99b2311bf4df4023182

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
192KB

MD5
de83cbb018e17cf935ce55649ad38477

SHA1
71ff9555fb5e032ad4c62ea400fe6833d18181b7

SHA256
a5cdc49ec7f898f32374a3e75128e2592b2f9e9c171f096882a1f917d2c77e56

SHA512
3f57144b8759869a2d15cbffeb877795ef8bc64352caf760c499a9418c5563f5ce71bef486daacf2b5ece184997e8b3d3c23b7f107dffa60a632feb483ebf70c

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
192KB

MD5
e8272ffe8ff430517ce12f9c48c9b897

SHA1
d977283327c06e3b077bb6a533103c7ac5fddd2c

SHA256
eb5c269036e6c948f3e3afa491129b5dbb14d1fe4517a82ea2fd06f23c05a2ee

SHA512
1852cd7085ea05930b5bf3e0d8af2388732251c52b5ed046f693a64a8f081469020265658b38f7fcbb420489cf387014a8b591156618b11851fa4f8dc9ac9c61

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
192KB

MD5
89a6f1d64faea15f45047d5b6f68df0d

SHA1
0bf493acead887fd7cc399d4eed5c8fc90a51572

SHA256
476c37f88dfe9f1e44dceaa184cc600b8f8bcc51c1b1448ee29768d4dc59c59d

SHA512
2be8fab3b21b176560127691865e2686678b8850d513b4bc67b011b2dced8e05a99d9fcd3c72568630b04a67932b1531d20549c4142b5d81e2f45f43265fea43

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
192KB

MD5
1f5d66bf3a3064393545b6b675b2ef51

SHA1
c5f72857be2b1c5b4ffdc4ffb0967dc9cb2412c3

SHA256
2b7431a48d786ff01252883b4f52c050f9f1950e7b40c828af0346ab1a3027dd

SHA512
0d340679d445adf09420eb76908254ed5e995c9f3e25a090b845fcba167eb8848841adcfa6cc4cf9ff573ddefe77e27b48ff1386cbc2bb9220bbfd6447728e4c

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
192KB

MD5
92c279fe1f3f0bf8af9a2263d7143ecd

SHA1
1058a288be87cbd59677f25b18d8556514f962dc

SHA256
f5689778d7708585888915d46f94e9b5c73f94fa7db5f6c34d0fb45aa8ea61d7

SHA512
5eb5018d792fd3cfc38cb7ab12723896b3e5478400b19706937dca7c3a7038c74352ec20d969e00e51ca12bd4019b0569edf9cd3bb3f1ef1cd82c9b3097ff1fd

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
192KB

MD5
aaec0bafe714f17fcedb050ef5e1d9a6

SHA1
fe0f807a8dca0caa0c35bb3aadcce08bacdfe0b0

SHA256
79e4e78121cee58b27fe07978d6ca3d05fa14d0daa40d6af6a93951472f23a8c

SHA512
7a508ebdb3a64504ac78822586562ec0172a2cdff92f08354e49006a031144cb5367f819cbfab3424017a0e1b1e44c4ea8d75089b349c56d5b74a71c32d1003a

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
192KB

MD5
29d189206b160464f70646386fa2cfc5

SHA1
ef14d7f567953540c6b5f650bc18697fdf3f449d

SHA256
4f82bd039be0c81df39ba62cccb82a75a7c323c70eba5af8d9a5ef03a01f50a3

SHA512
4316795cf9550602a7a6d7ba3099de0a5bd55fb228e38abe17b5a0079954d1e48d523a38b7ce84df2e6420b81d115027c260fa30fec45ea8e4d88390585b651c

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
192KB

MD5
2f797c94a6419af120f6be65d442c768

SHA1
571f7042e291475290b8af14054d08ba7e5091fe

SHA256
5e2dac9eb62a344f6e44695f6f52441cadec572af2641bde5ca8253223fc66ba

SHA512
98f1ed70df972dab01b57a5545fee8790c6d9119cba00a71d44c844d7b4d39d771132afe2627809d81f20cdd775198003c8d65fe779e607d1fcdd9fb3ff41ffa

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
192KB

MD5
987f2f17882fe0d71195610c905889a7

SHA1
a12e008d0a3aac7d76079842c9ba65162b54522f

SHA256
bb8d5a7d05c249419665cfb9dae7f49c1e842101cb0fc90e5eb812a076b66b4e

SHA512
e33593cfad37337518dbc56db13e0da88909c230d8fc375eef5738a4f3919fa9f955f702a54ea0d3f2c8a3ca164dc6766a07274b88b09b43bb934c235e2b2d9d

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
192KB

MD5
deefd1a1108ca07dbd1024c5c70adaa7

SHA1
703598dc8e7c1b59bc2d754bbb06261878db34da

SHA256
ee80aab3a07c4651714447a0d541a5ff60ee39a539692ca4adb2d4f1ecd016f3

SHA512
2834038e7f17997db24c8f9f96ad5cf7d53fa22f836a3ad27fc1f566b2346baad131da034b8b0faf7e57ea8daa90b2cbc4e0cf1b44ad5a6f88b069397688b416

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
192KB

MD5
d3ca4aa42d3d85cbd7c851d6b9223e78

SHA1
56fb385b898d5adea5c62e6fb7dc3a207d56e447

SHA256
16d908de3f21bba383eaa2c590aa23fe1f29cd2f98f474497339a4c46010254c

SHA512
87f83d877cf58be4b6c25a1c625ca03cd7bb02fce372003a9dee17d1014ddd30c06439749647a7a5baf3f259e5ad6ab344258b69501e6f6e16e4ff306ae925a0

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
192KB

MD5
9a5a124d9be8957bfc34210a417144f1

SHA1
30b99136558a963276f59f79fe3fe9aa24f012cf

SHA256
54da0382dc54d942ecf4c578b7dba05113abd29d6ce6ed41b8c8b0693ac7dac3

SHA512
5c6f2e8e212fe5a289f330fee93bcfd0c6801e840ccd864db28104c02ad0f2e9f2a6053eef5f41a6d538d5c1d5eedc96209c9372d392756dea9d434b18a0b394

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
192KB

MD5
65cdfd5a83167c4198c7b15422cf79d6

SHA1
19f0c6f50bcece369a860bdaea3b21d7ae38f108

SHA256
dce6992b22fd16f954a402791cbb44aca0de507abffa5ed127faa46c850bf57d

SHA512
5526d5c384fac0c7caa36feca37b701f51233d58e508f4531d30ca2b5c25f0179e5f8581a95b029e7e228a9d19f1aea03a6fa554684894bb580b43e4d42f1afb

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
192KB

MD5
3817c1d05bbb34d2ae688a0f2f1ab9bf

SHA1
44db6a22297215126223a9a4992fc9d5dd321d3c

SHA256
a1017f93b631096354766f20fe13379ab44556cd33cb7b542b9c29a12b3c8477

SHA512
35b73905bd6725eddaec83475388d5e225c788d8f756b8504fc032b1adc72779f1cbc7faf4bfcd1b222480c38132215819137ab2ea591f6ea8acc70d2e0eb857

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
192KB

MD5
296b6fe901c07fcf026bb532914feca4

SHA1
f1e07b19cb4e2d3c38cb6a841f9b9d6ac84be6ad

SHA256
cbf26a5de558b9ff96b6841694a55f25cf97fff7a5b232ff6027c35bae3c16ff

SHA512
780173ecccf489048b25297b0ab881138613107953edea7712f078f0dcc3f96509ddb86585ac0eb10779dd448ff6aaddc5e546dcca5d12bfd15df6ace56c4c1e

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
192KB

MD5
912afc129337e381560ed9f26128b74f

SHA1
7a5ee713ed8521ad69903b20846a43f500b285a7

SHA256
1664f0d3095fee23b88a7edd8078b6af715e208523e96265b5ec36091a4344b7

SHA512
a90e83521d310af3e02cba98c9ccb8f678f95d4c60986a1cbc5058ac7fb169f47907ee85c5ab25e43c290a481fc089b6534759855ab0d81e671c8325fe4a5a3d

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
192KB

MD5
ef83bd6f83d0200201808b40e5a40d4d

SHA1
f1ac54d17be3246b70e6f7806a89eefce166f226

SHA256
a58b61935de8e467190f8db386b2981d6d2f0f5a94439e9be4d6be822349e73e

SHA512
4030e5fcb1d90907bcf76eb9508191c8421a9963fb2975ca21f4240b438cbd3d0bd887b5728ae1c352b73b00083255805a7f66df186b46e824e0942f68e58e2c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
192KB

MD5
760a6b3389dd799434f6cb3b6203e0bb

SHA1
2abec080b759668d78c83f050bcb7b1be911784d

SHA256
b2ef96e997dced1e471e7500ddd6e5ef7f4d2e5ac2dbbf1f599aed56bd801d2c

SHA512
517382097860878b09242f5ab1d22f48962c7ad4567c1cdcf99a413274ba6bb57d26a4bbc4648723490e3f9c7ad40f5bd94d933906a3429900d3cbd7e7a9da53

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
192KB

MD5
4d19b5e875378d3b15691389242afed6

SHA1
acffe67ecf8b343124302d89c5064f04604d76b3

SHA256
7596ac8af37378b075b104474e58f8ac954b1305461468acae06aa32988ad7a2

SHA512
a08dde3958404a2254891cf926a9fdef6b4baaafea040d50068d32427de127c7a9be2d73086fab1c2c8a8b6238e13c91e826e6b579c442b8c0ac6815d15b69aa

Download Submit
C:\Windows\SysWOW64\Okgoadbf.dll

Filesize
7KB

MD5
2245cccce0de1dde990ea195af568781

SHA1
a6e593386ba2781a42ac53a2a64fe89c1c2fe309

SHA256
a07df407bf44fb7d6cf43af27142ce243b1729b26971a537dca8a10fc78f4379

SHA512
d63b506025ae828533b6c32a1c2f4e4f8d8fde755413251321e52ec01856806d96fa673d4689b06d8c4ad9592c518683dbad0a12cc467bdcb30d2d52e33d8cf3

Download Submit
memory/400-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/400-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/796-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/796-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/988-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1008-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1008-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1092-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1092-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1564-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1668-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1668-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-186-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2788-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2788-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-185-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3356-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3356-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3604-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3604-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3816-194-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3816-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3872-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3872-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4028-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4028-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4080-149-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4528-172-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-164-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5008-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5008-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads