berbew | cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9f

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
Size

163KB
MD5

cdd4726ea11e285d06e53e24b47831a0
SHA1

463c3ed369a469936ea0dded3f1813c1edd3e59f
SHA256

cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9f
SHA512

802a5cac257b16a34a91b4959d1f7ad2256a59ecf6eb982123d69a46ad5f1fe945fa033d5b715624c4fdfc87df381ed9b4945becfbf06fb9f8c290c872ac1918
SSDEEP

1536:P03DDYXYVSWyRLddbiTYv1MQl8F8IlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:4D0XYKRL/biXFdltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 23 IoCs

pid	Process
4320	Cdcoim32.exe
232	Cjmgfgdf.exe
4848	Cmlcbbcj.exe
2044	Cdfkolkf.exe
4964	Cnkplejl.exe
1728	Cajlhqjp.exe
760	Cdhhdlid.exe
1252	Cjbpaf32.exe
3192	Calhnpgn.exe
1336	Dfiafg32.exe
1244	Djdmffnn.exe
4888	Ddmaok32.exe
3824	Dfknkg32.exe
5080	Dobfld32.exe
1800	Ddonekbl.exe
216	Dkifae32.exe
5116	Daconoae.exe
4508	Dfpgffpm.exe
4472	Dogogcpo.exe
1268	Daekdooc.exe
4928	Dhocqigp.exe
3660	Doilmc32.exe
1084	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4180	1084	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 4320	2964	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe	84
PID 2964 wrote to memory of 4320	2964	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe	84
PID 2964 wrote to memory of 4320	2964	cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe	84
PID 4320 wrote to memory of 232	4320	Cdcoim32.exe	85
PID 4320 wrote to memory of 232	4320	Cdcoim32.exe	85
PID 4320 wrote to memory of 232	4320	Cdcoim32.exe	85
PID 232 wrote to memory of 4848	232	Cjmgfgdf.exe	86
PID 232 wrote to memory of 4848	232	Cjmgfgdf.exe	86
PID 232 wrote to memory of 4848	232	Cjmgfgdf.exe	86
PID 4848 wrote to memory of 2044	4848	Cmlcbbcj.exe	87
PID 4848 wrote to memory of 2044	4848	Cmlcbbcj.exe	87
PID 4848 wrote to memory of 2044	4848	Cmlcbbcj.exe	87
PID 2044 wrote to memory of 4964	2044	Cdfkolkf.exe	88
PID 2044 wrote to memory of 4964	2044	Cdfkolkf.exe	88
PID 2044 wrote to memory of 4964	2044	Cdfkolkf.exe	88
PID 4964 wrote to memory of 1728	4964	Cnkplejl.exe	89
PID 4964 wrote to memory of 1728	4964	Cnkplejl.exe	89
PID 4964 wrote to memory of 1728	4964	Cnkplejl.exe	89
PID 1728 wrote to memory of 760	1728	Cajlhqjp.exe	90
PID 1728 wrote to memory of 760	1728	Cajlhqjp.exe	90
PID 1728 wrote to memory of 760	1728	Cajlhqjp.exe	90
PID 760 wrote to memory of 1252	760	Cdhhdlid.exe	91
PID 760 wrote to memory of 1252	760	Cdhhdlid.exe	91
PID 760 wrote to memory of 1252	760	Cdhhdlid.exe	91
PID 1252 wrote to memory of 3192	1252	Cjbpaf32.exe	92
PID 1252 wrote to memory of 3192	1252	Cjbpaf32.exe	92
PID 1252 wrote to memory of 3192	1252	Cjbpaf32.exe	92
PID 3192 wrote to memory of 1336	3192	Calhnpgn.exe	93
PID 3192 wrote to memory of 1336	3192	Calhnpgn.exe	93
PID 3192 wrote to memory of 1336	3192	Calhnpgn.exe	93
PID 1336 wrote to memory of 1244	1336	Dfiafg32.exe	94
PID 1336 wrote to memory of 1244	1336	Dfiafg32.exe	94
PID 1336 wrote to memory of 1244	1336	Dfiafg32.exe	94
PID 1244 wrote to memory of 4888	1244	Djdmffnn.exe	95
PID 1244 wrote to memory of 4888	1244	Djdmffnn.exe	95
PID 1244 wrote to memory of 4888	1244	Djdmffnn.exe	95
PID 4888 wrote to memory of 3824	4888	Ddmaok32.exe	97
PID 4888 wrote to memory of 3824	4888	Ddmaok32.exe	97
PID 4888 wrote to memory of 3824	4888	Ddmaok32.exe	97
PID 3824 wrote to memory of 5080	3824	Dfknkg32.exe	98
PID 3824 wrote to memory of 5080	3824	Dfknkg32.exe	98
PID 3824 wrote to memory of 5080	3824	Dfknkg32.exe	98
PID 5080 wrote to memory of 1800	5080	Dobfld32.exe	100
PID 5080 wrote to memory of 1800	5080	Dobfld32.exe	100
PID 5080 wrote to memory of 1800	5080	Dobfld32.exe	100
PID 1800 wrote to memory of 216	1800	Ddonekbl.exe	101
PID 1800 wrote to memory of 216	1800	Ddonekbl.exe	101
PID 1800 wrote to memory of 216	1800	Ddonekbl.exe	101
PID 216 wrote to memory of 5116	216	Dkifae32.exe	102
PID 216 wrote to memory of 5116	216	Dkifae32.exe	102
PID 216 wrote to memory of 5116	216	Dkifae32.exe	102
PID 5116 wrote to memory of 4508	5116	Daconoae.exe	103
PID 5116 wrote to memory of 4508	5116	Daconoae.exe	103
PID 5116 wrote to memory of 4508	5116	Daconoae.exe	103
PID 4508 wrote to memory of 4472	4508	Dfpgffpm.exe	105
PID 4508 wrote to memory of 4472	4508	Dfpgffpm.exe	105
PID 4508 wrote to memory of 4472	4508	Dfpgffpm.exe	105
PID 4472 wrote to memory of 1268	4472	Dogogcpo.exe	106
PID 4472 wrote to memory of 1268	4472	Dogogcpo.exe	106
PID 4472 wrote to memory of 1268	4472	Dogogcpo.exe	106
PID 1268 wrote to memory of 4928	1268	Daekdooc.exe	107
PID 1268 wrote to memory of 4928	1268	Daekdooc.exe	107
PID 1268 wrote to memory of 4928	1268	Daekdooc.exe	107
PID 4928 wrote to memory of 3660	4928	Dhocqigp.exe	108

C:\Users\Admin\AppData\Local\Temp\cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
"C:\Users\Admin\AppData\Local\Temp\cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\Cdcoim32.exe
  C:\Windows\system32\Cdcoim32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\Cjmgfgdf.exe
    C:\Windows\system32\Cjmgfgdf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\SysWOW64\Cmlcbbcj.exe
      C:\Windows\system32\Cmlcbbcj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 404
        25⤵
        Program crash
        
        PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1084 -ip 1084
1⤵
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
163KB

MD5
eb1efd5c99fcf02901a2afcbb45896d4

SHA1
3cba09d138b646b59cbfc3995baaaa18fc83acc0

SHA256
bb3297bf8c0a53c838accaee41fdb1bac6646cee36048f923f9b3457a9f8973a

SHA512
aab0ddeb7ddd06ed325335608b322a9a8d880768bfdbb875ff7d3b9bc770917f9979a3b6b40805c9c469287a43f3d1324962ccf60ebb55d0b9050ebbb701e346

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
163KB

MD5
65603d5c22974d60674c0c8f20e37aca

SHA1
0db72bb2db0a9bc08c13811e7ac9f2f01bf541a0

SHA256
440a34240fc3dbc0a1e09895ca7d48e706d22b96afda0d64b6e2057b37cc5870

SHA512
df8e901888c62df96587865b38e9a96e456b0aa42994f26843c41218590b5825faa64d97b3606b618ead85394bdf1e15305f2cbb45d14986bfd12e2a446452c7

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
163KB

MD5
3bc28956be05e5a8e4835120b629ac0f

SHA1
c1f4d3a2f4360626a4123035ebc48904ef57e873

SHA256
540f10733505e46a9b66a22951595f62429a7851f88837c85da7e6e3bda1b61e

SHA512
9f635fe26ac3c4e391c666a37700e4c89416a41a7132ae9f02f4e25f1b5dd6ae1cfc2b3cb92672a02d0db06aa4a33365fe06a59f55e9efa8a8b1081c175605c8

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
163KB

MD5
66a9b5e8670f250fcdfb95b4842585f8

SHA1
d79a7bf3ba89a7922227fd044e2aed5632f0d794

SHA256
705dece08143d1a7f282a83d8b3a72b3cb5beb32eef8719c016cb09f955b8d40

SHA512
96275a0b7eb5b0367eb76bdf968f0fc7cf42432559d0386c03e2ac95dd93b495fb9af11159df8dec426d459e21134b1914a996d3999a0481e6bcb2c0cbaad792

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
163KB

MD5
3895ec3059b4b12ec8bbf9d786ca3967

SHA1
b26ab6d5bf8a70c02dfb5df9a8799ec5f526c9d3

SHA256
ca8782d521caf47bd4fc5e33a71340930c50eb3c58500907a084f599e31a2f9c

SHA512
f736714d8c2025ec2dceab3e02c13a8f1d6a6ecca83b83fe6db5bea9b756e37ba5927f695ff890522511871e945977b9a0e443c60bc875b2c1985f3fed56687d

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
163KB

MD5
ab3dfbc2e7db2564458c9059beb401dd

SHA1
8950a380fdf2b9856186e64633444e6ee5a7b381

SHA256
dd5b24a0c96cbef076e4906de2574e616aa05ff19baddbdc5dcf670e5599dbc5

SHA512
11dd6e6f2f47fb1aad952ae030e06079b14e23fd9bcec8ad0ddeb767c134168479bfc5cf3d333775a66e9ebe00370bc12d381b5f2eb3c6fedc5a670f30f1e5b9

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
163KB

MD5
31deed5073634ebe0611359b1e32d52a

SHA1
d76292234c6e2256a51f41f4b349a8fc51e1b831

SHA256
a251d60226fd24fff6b229d3ef73c6a76cd731acac1c3e12e5be503d8271dca7

SHA512
119e2c8575b5f44f34107554fa0c3721adcaf338c0bb3e5e8e0e3abe7626e1b3770d6bd007b4a9f2f1b97e2d556c7bf3ae0b7ff40235b7e8b5fb33ce0d65e857

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
163KB

MD5
65992d127f2d5bb0134bd7926f8ed07c

SHA1
02cded87d04c2357da0aad338f181d6b960bc4c7

SHA256
d13ae754114f417f4f54dd3adb7f7f3e364d69d26d702401378d75abf00e1f69

SHA512
399b5011a7f2aaef2236696f83a5a20243834cc86509bd2e2a5ab64070377c8b699160af5463a90d53fb043fb4393034d4f4ddfb12eec55b56a0a68c673030e3

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
163KB

MD5
31801c5fe748e1877eccda1691699aa8

SHA1
36c91a5e2576c64de5dda235328424a8c315ff00

SHA256
d10b2c632c045a6b6d7cc263794c5044f367b6e6a5d4cfa899f31baad8ff0a60

SHA512
f3bebd7f1b6b6d577b970d58a122eabf48680c09c5a2e961704ef340f342f98b8d2a7c98729888f9260249697b64b16322d66362e1ebb596cd8bf585fba1c0b4

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
163KB

MD5
c68c28fda37f3c46f02a97f2ad685327

SHA1
e8f9670c60104f1e5d6258943060bf03c86b1d72

SHA256
0778ee4ff30a97008b284664966a8dd55844bb2a0b36df2b896131c593d6b9a2

SHA512
5ea660df7e152cd789e2ef135e41a7426804885a15117736495d3a739202f9c557ee3ccffe41373cdccaf2285cd755906a953584c429c7cfad0bef9ba8528698

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
163KB

MD5
80bc14d10a584b3e5b0b2596b9f1cc09

SHA1
2c08f0b0020582e2038a0d73ff61d79aeadf1be2

SHA256
0ca4f014a20bdb2e9137daa0bdccaac10cc68fa77021b302c69c123f61d6e899

SHA512
0252b3d3c7a59b332c95426faad64505b0ad5153cfb7c477ce947ea517de853a8976154f3ea00f5a867e218eb7401d41645b6a5d08a1503c1f33a3b68fa122fe

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
163KB

MD5
0c58acdf121946c660906c4ee1bf9e6f

SHA1
648fabeca121ef0860a0e4323fcc2e67079eae90

SHA256
9d409d0f6a1eb0b35308386765f59434a4998ebe8eb614f4586b5208a9310b21

SHA512
34dad1a71941fbc5f5169322d94ee209071a9f133181c15dae5240a612ca74291831e73dd747f8b28d702c83d7a61bd60a033b96a8c0fe964f7dcee06a993d46

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
163KB

MD5
13c9489e9510a0a017675a3b8149cd0c

SHA1
e8f1b26d6a7458d1b7b25537b85e9655eefb7d9e

SHA256
90597e3904abc887791f53f14151c7f8c26e5b200205e35768294009ee7fd937

SHA512
1dbf9a6aa134538aeaf194a23038dca579f7684469664dc693debb6df2940e93b05a9c7d57d0a908d38e4c42f5ebeecba7492f9a555e44564fcd93a4fffd7e41

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
163KB

MD5
4836bc0b383e992be62d80a66ed3d937

SHA1
48a5d3887a3576d4fe8a44c6888e2b21770aba93

SHA256
5044908ec4fab7d112b7b7f78bebc4908d47324e05d26bdd2914928df8105785

SHA512
93203a027d345c5c1895134ce71b0a6b29acc6d98c7dd11cd7a59db201503c26ffe59db49e20d068515f7daf84b24220dbbe700bd9d3818dfd290ab53e61d475

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
163KB

MD5
bb53061816a2af27e79b42cd28b73417

SHA1
6ed766dd701c76e1092c3f0d61465918c148c847

SHA256
693839aaeacb8f354a60060c3d31658c05629a8018a37719d8bd97d2ec3394c6

SHA512
69a51dd7e682722a13da557f95843eb28f8f523c385a55167b18866cb3bc1298af679e210a55a5b16b072dc8db1dabcaac3c70ae7f128795a5716be22d1918fa

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
163KB

MD5
3ee00ff21c68aeaf69b58482410f2d33

SHA1
c292a5597efcfb57d347c19ce45dea1b310f9512

SHA256
a2a10e11d1b39c1cda9f72339df42272cad7cf9d19a6e34d2a98161c78dacd4f

SHA512
f5e6b5cb8a2c8cb812c067248eb5ea571e99c62490ebd7c1160ec8a7419df34eb3144613175a3e8ed09c1c33180048b46d196df9b53361948ac4e00bec7b83f6

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
163KB

MD5
48958504a6eb846785bd72dff28673e1

SHA1
e4025c75ef82699aea019cb696d9511fb306d770

SHA256
d2d302e291b17dea814ce222dabccb92021703c81c63e666a4fa6944bfa06183

SHA512
9e3eded9019c828dec2a8b0d7350156531ac9e170da1e8a835114b629d31318354551da5f12c0081781c60460ef592d8852083aab4d80a8cc99a7ce64deb0a28

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
163KB

MD5
4d6029af5dc2b39e453c55dc8cfb8fc2

SHA1
ac28845cae499fa814a51c21db29f913a207e1c3

SHA256
96f3f9f3ca11ce52085a39fe6b68819dfae0fa9c86f782204cfcea131bd70229

SHA512
b692d6eadc533e54986b17773683dcb0e02c319da2db3187f4bde9c3bf21a12ecfb84b7f609b0bf7959b3c63041333fa06d0293f067582688392746df6c4f5f2

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
163KB

MD5
d86fb70ac81157a1699bbe1fe5d49311

SHA1
f1027ec431d3e7afc30729b2002b286d5d1e0669

SHA256
d1000cff512d7a57d0abec0ca9db55896c8825d503a291407235d27173e1e406

SHA512
40f60f5950e7851b38ed76dd08f858539d479342317f865d2da6c4d4f1e71633b68abdd4bb2bc5c9a78046422e2e5333e67bff91c2efc0a65cdbbab2013499b6

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
163KB

MD5
dd1c96d052f1d112da5a5ee25bad3551

SHA1
46238ba21ff73a5c0190f1292d2b6af81ca7573f

SHA256
a5a772f541633fcfe0f5fd8dd11859565d64534b1fb72c367503b84e0e0ceedb

SHA512
6424fc95cff37a88737bf20c13f19272fa96d1ab798b15ea648951a5787e0a5a0d321e7cb01fa9ea7ceeac7d2f06e409ac76bd975dbb418d1577061b2daed291

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
163KB

MD5
7ea795f5ae1603cd6ef71148ea853e0c

SHA1
99411e2803380512bd590299b0aa0bb436cf28a5

SHA256
35e3a04a2778c0e2c7fce530ef31786e7797151b48de995a93c64b4fe77204ff

SHA512
6f46073f77fb2621fafadbc0e8957ede37094c829c8b85bc5d79264247865fe88649e59bc5d45c3e6c3df580eb647bf7470c125c01fc96dd397868c79e5b46a4

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
163KB

MD5
d5af934f25aec10978a37441d91d337c

SHA1
8539e08361a2476a7b5deef56575960295da843f

SHA256
c01f013289791b870cb8fb500b27650ab71676bf81f282803fc1c95e102ffea4

SHA512
031b4ca89edea76be4a8068ea4024d2f85996ede96699b127f07e4a99fba8e3c1155db470fa7e5363130f2e3b6389e4789a70a117b81852d76a4a0e4c6d24bb0

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
163KB

MD5
6e45e2467eb1d604792e91a566a96fec

SHA1
9a4882ec953b01e785193e3e41b9b4551b624352

SHA256
95e7b63a25495d8153c0b543e16af44de8268577f632b51ba55a1e3db679160c

SHA512
3dce2ac453026c736ab1724e7f6be0289f74b6174476bd6a8a31f3d1cbd7982dba0513706441c7f9d47accbbb4b1aaecae75a094321fbc4d999b82fe41e4df49

Download Submit
memory/216-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/216-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/232-227-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/232-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/760-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/760-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1084-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1084-188-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1244-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1244-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1252-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1252-215-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1268-194-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1268-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1336-211-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1336-85-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1728-219-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1728-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1800-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1800-203-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2044-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2044-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2964-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2964-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2964-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3192-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3192-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3660-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3660-189-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3824-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3824-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4320-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4320-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4472-196-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4472-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4508-197-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4508-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4848-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4848-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4888-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4888-207-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4928-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4928-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4964-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4964-221-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5080-205-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5080-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5116-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5116-199-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads