berbew | 83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
Size

192KB
MD5

467934e2dc7c23409656c192b11644b0
SHA1

9382b1c471f7725cb26a2efb641bea87fdb72b42
SHA256

83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96
SHA512

381f4f7ad76d55192010ba7d4c9501e032831bcfdd9b8790bf669b29a3f8a216292e9f891fe886a11188a8be834f13c853be3dd880ce4a20eff0032772af48fa
SSDEEP

3072:qvlNN7znal7k6ieRIc3YmFJs1JWk1outkTy27zU:q9NN7zKMTeLJon1oSkTl7zU

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 24 IoCs

pid	Process
4312	Cdcoim32.exe
228	Cfbkeh32.exe
4016	Cjmgfgdf.exe
2360	Cmlcbbcj.exe
408	Ceckcp32.exe
4936	Cdfkolkf.exe
1472	Ceehho32.exe
3008	Chcddk32.exe
2736	Cmqmma32.exe
4248	Cegdnopg.exe
3748	Dfiafg32.exe
3444	Danecp32.exe
4496	Ddmaok32.exe
1976	Dfknkg32.exe
4452	Dmefhako.exe
3272	Ddonekbl.exe
3872	Dodbbdbb.exe
4088	Dmgbnq32.exe
2136	Dhmgki32.exe
2328	Dkkcge32.exe
2124	Dmjocp32.exe
3244	Deagdn32.exe
2524	Dgbdlf32.exe
2116	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3268	2116	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 4312	2268	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe	83
PID 2268 wrote to memory of 4312	2268	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe	83
PID 2268 wrote to memory of 4312	2268	83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe	83
PID 4312 wrote to memory of 228	4312	Cdcoim32.exe	84
PID 4312 wrote to memory of 228	4312	Cdcoim32.exe	84
PID 4312 wrote to memory of 228	4312	Cdcoim32.exe	84
PID 228 wrote to memory of 4016	228	Cfbkeh32.exe	85
PID 228 wrote to memory of 4016	228	Cfbkeh32.exe	85
PID 228 wrote to memory of 4016	228	Cfbkeh32.exe	85
PID 4016 wrote to memory of 2360	4016	Cjmgfgdf.exe	87
PID 4016 wrote to memory of 2360	4016	Cjmgfgdf.exe	87
PID 4016 wrote to memory of 2360	4016	Cjmgfgdf.exe	87
PID 2360 wrote to memory of 408	2360	Cmlcbbcj.exe	88
PID 2360 wrote to memory of 408	2360	Cmlcbbcj.exe	88
PID 2360 wrote to memory of 408	2360	Cmlcbbcj.exe	88
PID 408 wrote to memory of 4936	408	Ceckcp32.exe	89
PID 408 wrote to memory of 4936	408	Ceckcp32.exe	89
PID 408 wrote to memory of 4936	408	Ceckcp32.exe	89
PID 4936 wrote to memory of 1472	4936	Cdfkolkf.exe	90
PID 4936 wrote to memory of 1472	4936	Cdfkolkf.exe	90
PID 4936 wrote to memory of 1472	4936	Cdfkolkf.exe	90
PID 1472 wrote to memory of 3008	1472	Ceehho32.exe	92
PID 1472 wrote to memory of 3008	1472	Ceehho32.exe	92
PID 1472 wrote to memory of 3008	1472	Ceehho32.exe	92
PID 3008 wrote to memory of 2736	3008	Chcddk32.exe	93
PID 3008 wrote to memory of 2736	3008	Chcddk32.exe	93
PID 3008 wrote to memory of 2736	3008	Chcddk32.exe	93
PID 2736 wrote to memory of 4248	2736	Cmqmma32.exe	94
PID 2736 wrote to memory of 4248	2736	Cmqmma32.exe	94
PID 2736 wrote to memory of 4248	2736	Cmqmma32.exe	94
PID 4248 wrote to memory of 3748	4248	Cegdnopg.exe	95
PID 4248 wrote to memory of 3748	4248	Cegdnopg.exe	95
PID 4248 wrote to memory of 3748	4248	Cegdnopg.exe	95
PID 3748 wrote to memory of 3444	3748	Dfiafg32.exe	97
PID 3748 wrote to memory of 3444	3748	Dfiafg32.exe	97
PID 3748 wrote to memory of 3444	3748	Dfiafg32.exe	97
PID 3444 wrote to memory of 4496	3444	Danecp32.exe	98
PID 3444 wrote to memory of 4496	3444	Danecp32.exe	98
PID 3444 wrote to memory of 4496	3444	Danecp32.exe	98
PID 4496 wrote to memory of 1976	4496	Ddmaok32.exe	99
PID 4496 wrote to memory of 1976	4496	Ddmaok32.exe	99
PID 4496 wrote to memory of 1976	4496	Ddmaok32.exe	99
PID 1976 wrote to memory of 4452	1976	Dfknkg32.exe	100
PID 1976 wrote to memory of 4452	1976	Dfknkg32.exe	100
PID 1976 wrote to memory of 4452	1976	Dfknkg32.exe	100
PID 4452 wrote to memory of 3272	4452	Dmefhako.exe	101
PID 4452 wrote to memory of 3272	4452	Dmefhako.exe	101
PID 4452 wrote to memory of 3272	4452	Dmefhako.exe	101
PID 3272 wrote to memory of 3872	3272	Ddonekbl.exe	102
PID 3272 wrote to memory of 3872	3272	Ddonekbl.exe	102
PID 3272 wrote to memory of 3872	3272	Ddonekbl.exe	102
PID 3872 wrote to memory of 4088	3872	Dodbbdbb.exe	103
PID 3872 wrote to memory of 4088	3872	Dodbbdbb.exe	103
PID 3872 wrote to memory of 4088	3872	Dodbbdbb.exe	103
PID 4088 wrote to memory of 2136	4088	Dmgbnq32.exe	104
PID 4088 wrote to memory of 2136	4088	Dmgbnq32.exe	104
PID 4088 wrote to memory of 2136	4088	Dmgbnq32.exe	104
PID 2136 wrote to memory of 2328	2136	Dhmgki32.exe	105
PID 2136 wrote to memory of 2328	2136	Dhmgki32.exe	105
PID 2136 wrote to memory of 2328	2136	Dhmgki32.exe	105
PID 2328 wrote to memory of 2124	2328	Dkkcge32.exe	106
PID 2328 wrote to memory of 2124	2328	Dkkcge32.exe	106
PID 2328 wrote to memory of 2124	2328	Dkkcge32.exe	106
PID 2124 wrote to memory of 3244	2124	Dmjocp32.exe	107

C:\Users\Admin\AppData\Local\Temp\83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe
"C:\Users\Admin\AppData\Local\Temp\83f1a406b799812d194440b6188c8379d73a237503734c29b190d06ecf97ca96N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\Cdcoim32.exe
  C:\Windows\system32\Cdcoim32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\Cfbkeh32.exe
    C:\Windows\system32\Cfbkeh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\SysWOW64\Cjmgfgdf.exe
      C:\Windows\system32\Cjmgfgdf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 408
        26⤵
        Program crash
        
        PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2116 -ip 2116
1⤵
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
192KB

MD5
95c4112a10b82cdc0408b99d90bb93e1

SHA1
6d1c1f24e417aa301bc8d8920396ad47191e6127

SHA256
d5d4c7fab766b8fb233613b4a60de205428713e45e8cfb5f25dcc712d29a06da

SHA512
6821416587e9501c2d9960a48444812f0ce4276440cc22763a96a7b841099a5770209bd1f3b6b15a916d00ebfd1b5c5d40130bf85ce1fb2f549d6cc0d3af1f38

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
192KB

MD5
72ddcd143ed95cf6bb988374e9844962

SHA1
d3f30abde6e21dd3f0871955f3c47eb4f0eaae1f

SHA256
6d0946f971b6cb941461eefeede0b49c5f4c9fa556394a70f28d7e44652c982f

SHA512
09afae94f56114280138fe01a73845b629f7978c7d742e4a453b3452983decb108b710557b28848c28a4fa6ee4c14a9515eaa8c04c1ba4aad5edea8f467d7da2

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
192KB

MD5
52861f1e8c0c8cca93d96fc2c7132ed3

SHA1
4a378f9104af031bdfcbf2701bbe74c0e88a121a

SHA256
5ef5fb71e4eda576686a3ffac1fa727bbce9833ac5167c9d01401e74a0042fa2

SHA512
8d14727b8232c1d27a22fa45077a9f77f4a821adf275361f13bb5d0f9b0405d32c70b92e1a5c3ece7ba2eb0d0f91d4d75ab6216e4c64180e57d43f0898049e4e

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
192KB

MD5
ff61be0ef1659ca6bfafa50f99b1138e

SHA1
44cdaa8571bbc92472b10e31d4539df45e395416

SHA256
a1c4d10ad53e815b752d76ff56ed7c2496be674a67ee9c37cd80931fd580bc2a

SHA512
ee201857c401fe1f34dedd01c6a564ce5d2ea66e93a3e9d9178c90d3a17622f23f7529a85c9de0efb2d0f456e77e0bed68743ac8dae25d0b2c46b297cf5ce055

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
192KB

MD5
3fa7203061728b7e2b1017d936e27c56

SHA1
157c3fa0fc642e1399efbbaf6de62d51da4e489f

SHA256
7911bbe26818aeca3d0561b89e1c2b1729ec4238aaa3b987c9757ee29612bdae

SHA512
84749585b1de7a03d4f56e55e71f9e097aa0e6d1bc35aaafb6931f534dc13e58071d8e38bbf8bcbb07492883e66c22592d090e76564d0431436684b901d0e803

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
192KB

MD5
b0f7350c39f03d1895b196f0dda6cfa7

SHA1
b93a393339996933cb42d5c3b735ca6d45baccab

SHA256
6170a8acd433680a99442f7ca04b0ef29abaa7df149f8b0b69079dcc460a902f

SHA512
386e5f64bebc046b32b6ed0788622de6695c3051527e2968b726d994529b0e47ce315d47205955a62019326bbffc87d597317c727ebda0d97ab2f288949b31ae

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
192KB

MD5
23e176130aa0e2b79438aee82bee77ea

SHA1
4bbe24ce5b424579ad67e13621ab5040c2fc2f24

SHA256
570f93b5d61abbd0cdc115ddd45e3db1b95833c775727143d82726e4b9ab30df

SHA512
14829ecc32b738e009dee2b391dac58e64beedba1de676b3cdbd0dfc3d6828382d1f24ea9609c87eabc0bb7f1515d45a8feae07c54c8895a6b734a05168e45c3

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
192KB

MD5
c0e6fd29dce25ece0df003a36a5de131

SHA1
8a5a9a3820211bd4d0fde3ef150d1da5f548cd9f

SHA256
794842c1c8e2f411c7f83877bb46b9da23f3e7bdc2ed2440510dbf4598efc340

SHA512
dbed936bd112e84e5239a4623ce93cf87a13184027c505829600823cd2ae09170a045653ca058c419032ac37b20447b0accf8a5f84301fbf32291fdf2a0b7940

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
192KB

MD5
94764bacb437175cb7d5facac3d41a23

SHA1
ec347f72ec4c7224e99c993147560c6fe73099e2

SHA256
fcf32d2ef97aa29521e227e23e43e8ee7d9ccd5945a1ca1f243f44cba9330dfc

SHA512
8d9dd168c8e5aed5fa7dfd9ef26b860dffddebc8527bc41d7b7cc849db4a0331ec80bb43fba10e6705c4df7a3f2fd5bd71ff6ed79ff15673e837042ec799bbd3

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
192KB

MD5
64cf99e987203456ae6b94c07aaff165

SHA1
7cbd1567e5461b9bceac5f972a5ca6211aa78f38

SHA256
fdf248b921b842ff52080188f2040086996ddb5050a2a12aadd9c4aa963bb863

SHA512
2fe42f75c54ffb2ffa4a39465c91ebcf537919a5ea4571fdc60b278e2bac5bca845131b16a5029480d892a5273b7b52691cb8081ea221828acba0909adac0e19

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
192KB

MD5
90bb8a483fe1eb452c6079b84a915d7c

SHA1
f3e74a7e6fd8519143b0e7e01924188f6b3acf4e

SHA256
3eaa2fa00982510962ad5581438326241b255b594c5ad3b0e88049cf88be7844

SHA512
add9eec9a53d1f7a8814b1c9e673309da4b0928db53a14c51771739fe43671a0286c185a14ea4fa733eb8c356129ce78c5fa489334cfadfae2101c8b15c3b52f

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
192KB

MD5
7948bc6b492618e43a0eb8d982d2cb53

SHA1
cb00cfa05ea0467a4344efadf41af857f99a4e2b

SHA256
c280f619af7650e586aabbdabd994ed472ce84d06664426664d5f46058737850

SHA512
fcd1983b12a538a88ba38437cd3cff180ed6adc23ef5a2d3c458fd556204373408645236464491f608449f3fb6ca8ded1bceb9477ee3ed6b6fa1769aa80c9500

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
192KB

MD5
ac72afc54a441c3d1bfe27b8a4893105

SHA1
af9a46172f621cb8f403894d1f7102d78f6b61ea

SHA256
d861d9fe46f0f2a5fa15c3c86d23221650b155ccc3ebadc6189bab46bbe28ff8

SHA512
a80b939e7a804b4a31a1c36092056c7ade3e0d3197336e23d9bca267c6b6af7b45c281bd19d5dd0760985bfbb0037ccec5c3efd1255cb56c5d46953142b7403b

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
192KB

MD5
8085725a1d18eedb2821936eed470495

SHA1
4fbfb56199c2d17a85050e1c2ae5c8a133e4099d

SHA256
228e9f859ba1f32b95e530d90cc0243c4f82854fdbd6d6ad2a124467ec10ba25

SHA512
3d53547c94f05cb75c6648b3fe420a67072e176eee087eaae913c8a426bc38be972a3b83d1f8f39b61329778d71cbb3beaeee505cff0ec2fa1c8901ab03b7686

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
192KB

MD5
35ceb3967bdf90125c068f923ffeeb55

SHA1
929597f9cb56ba40cb33f0dd27dac5a8a892639b

SHA256
0dc2fea68566c191e53e12b6ebd778040822d91449b6fd967ecf914ce294dd53

SHA512
bd8d20caf8d9f9e1f916fb746e4e3ceb821a6dd986d048789b39169fb43ef36fe85f9fed3349e4ffddac6afd307f84579017dd55ca26792469fc53a6668facfc

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
192KB

MD5
b1df84d135dc1f4b03d2990f2901a3b8

SHA1
1f13042c09208e49922671c578c14df73633ff00

SHA256
157f0cef81f1fe770c9299e18d4d6524e4ece8404798e6cc631d913e632a503b

SHA512
c411145184c73f039e75f5cf2f031f27a5148307962a796592e4ec4d7461c0c1332f16bc75d1950901baa6e05e42381f396e7c71f883554f870eb756e321c6fb

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
192KB

MD5
4d89993216bebf21168eadedb9f80add

SHA1
d0427edbb1deae74cb7fbd840d6617eaeb36c8f7

SHA256
b4b2333968e7a6a281e61dafacf6960fa2305b40d5d7462962ced171d900d8d7

SHA512
5fc6680d1becc3dbc63ceab5a87470060d80f051c17dd29ff3724c8500ce1dc5870871eda192aadda6726c276a4ac00becf5de2eac24e8843e1a19e440f4388a

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
192KB

MD5
96ae409479cbd894800e3f10b9a14805

SHA1
5c744062aab10b06680507a1a7d80722b53988ad

SHA256
831d5f3176ada0652f6637392e53bcb4bf53dc90681af275839b5121009992e2

SHA512
95b215634dcf277e51f1ed7617ff24ac9e7176bf70e0182085c7fcbade03ab5705ad96f846b4d2dd9bb096a1f2fabcf2aaa31adeb67b6fd7b53721559b1d3b3d

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
192KB

MD5
56c45acd663d314971060928f20d6ff9

SHA1
0346340529f7f2dc712aeb3961589ccd63a2e705

SHA256
d07cf761d70dce659d21d862f1242999053316b203894c37988c8e5e69ab5d96

SHA512
f5655a15bac79862fb6d9e8c82bc5fae3cb82ec4cf19ba935a57f7f9446b41d9f794d0a255f76bdac7b055090c8f03fc9c81d08b4b26ca0f1fc61dc1c5225f8a

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
192KB

MD5
1265ce73b42129a01f0ae53273c547c6

SHA1
551929c2d3506ce2e431adb858672b0677b77c1a

SHA256
59c7a938d3a0c03a2ebd2d4478220d9a9a6141cdb56478eac9935b3f877d32be

SHA512
2049a227598051e34e1702d53daa8ad5d0f05bf349e4f7d508eaa503d815faba053cf8c2c6f691c5fb46b813dad2d753101887036a182b92dd0da511be67b3f8

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
192KB

MD5
74295e67dfb61570d0cc0e48a2f1cd3d

SHA1
7cc5a6c245f5110a2853af646515ae720868830a

SHA256
143a3fdef75e213a689fb30bea3c53f6aee0b1dc3293efb083d3b5e43bad12c8

SHA512
b0656271442598756be09e38093c2be376c7695111a11c6b888056b95b022c25fdd41167463c8ca1b1246abf2fb09bbd8a0381aa94b2816ccb5bae9afc9fb6f5

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
192KB

MD5
dbe09e347587784851cd7a253e40fd7d

SHA1
0955025698172c7081484d6498643d06089082a7

SHA256
9368fa953f7c9610fdae3d0030cffacd1889f6426725b35b150d709f86ae3248

SHA512
e3c7914cacd62336e11669230a743c88dcceac0163a79d02d2565024ae42f5dd384b02b1291049a6c4faaef03f67875378a322dff715d15e940e34a003f69b9b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
192KB

MD5
985e87d182caa9ef15d67e2777a55abd

SHA1
6a630d63eeeaee1b5eeeb5d6a5998a9dc0bf71d9

SHA256
02332ac2b9e7e9b83299c5f776deec4a80c0794058cdb3e9823be89570b9002a

SHA512
6979c6ca3fa091d123e42757fc9b4ef0722e8992c765ebf6ce1b92081da6b8b8504324b9dd8d3d981a8cf8016a004e6aee58e97d2d12d6599c66df2398010961

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
192KB

MD5
c37159d24c766cdf64f1fdc466bec0fc

SHA1
6244e269477665985802d3807b733daf8d95dae5

SHA256
6254c742988f58437b28de7077a8816366683b226fbd26db0306e1085299a590

SHA512
92f1c910398d1b7099b0d72e8a957ab57756d1d80b6757bd1f0bc4b1677832e1c325f89d70b261f91771cfb2b57488f5d751bfcad7745c88a32265801af86916

Download Submit
C:\Windows\SysWOW64\Eifnachf.dll

Filesize
7KB

MD5
859aae1d72502b18281892c4e7d34704

SHA1
6627a5cd2cb010ebd1f8008067b2c3d7b68b3607

SHA256
e261b868aaf0bf3456f3a10405d2b491b6464f1c49907cae656eab703460649c

SHA512
88530468586b2a97acf0bee948d5570af3dce3733a654acdf45c99526f53e403d68e5c2fec1a96ae32cf01d7faf517a5c413abad8b77b78bb03fb0617d4e0fe4

Download Submit
memory/228-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads