berbew | 8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe
Size

45KB
MD5

bc6b0ba542c06afff113eefc159e5150
SHA1

55de0e39f52f9757eea9b2ef416912e18e7b5b22
SHA256

8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76
SHA512

8b1fb3a9404431f0c4115807e8480e2498d2391f1cd81cd3754a677ccd4018d829131d459f0abae6744e36c5196534478d642ea8fe240655d3692cc438be1e80
SSDEEP

768:hlUn/6wyX9xiQaVp341Io9XRC/19l07NQ84PxCMADLq4dO+V5qQGBRVV3d/1H5D:oQiQa4aoJQ/1n07NHyCDXdO+V57eRVVd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 26 IoCs

pid	Process
2460	Chagok32.exe
1924	Cnkplejl.exe
3808	Cmnpgb32.exe
5068	Cdhhdlid.exe
2620	Chcddk32.exe
1908	Cjbpaf32.exe
4316	Cmqmma32.exe
4824	Ddjejl32.exe
1672	Dfiafg32.exe
4672	Djdmffnn.exe
1872	Dmcibama.exe
1576	Ddmaok32.exe
2164	Dfknkg32.exe
5008	Dobfld32.exe
3304	Dmefhako.exe
1264	Delnin32.exe
2228	Dhkjej32.exe
512	Dfnjafap.exe
4464	Dodbbdbb.exe
2212	Dhmgki32.exe
1884	Dkkcge32.exe
2576	Dmjocp32.exe
4900	Dddhpjof.exe
1348	Dgbdlf32.exe
4716	Dknpmdfc.exe
436	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3272	436	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 2460	3212	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe	82
PID 3212 wrote to memory of 2460	3212	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe	82
PID 3212 wrote to memory of 2460	3212	8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe	82
PID 2460 wrote to memory of 1924	2460	Chagok32.exe	83
PID 2460 wrote to memory of 1924	2460	Chagok32.exe	83
PID 2460 wrote to memory of 1924	2460	Chagok32.exe	83
PID 1924 wrote to memory of 3808	1924	Cnkplejl.exe	84
PID 1924 wrote to memory of 3808	1924	Cnkplejl.exe	84
PID 1924 wrote to memory of 3808	1924	Cnkplejl.exe	84
PID 3808 wrote to memory of 5068	3808	Cmnpgb32.exe	85
PID 3808 wrote to memory of 5068	3808	Cmnpgb32.exe	85
PID 3808 wrote to memory of 5068	3808	Cmnpgb32.exe	85
PID 5068 wrote to memory of 2620	5068	Cdhhdlid.exe	86
PID 5068 wrote to memory of 2620	5068	Cdhhdlid.exe	86
PID 5068 wrote to memory of 2620	5068	Cdhhdlid.exe	86
PID 2620 wrote to memory of 1908	2620	Chcddk32.exe	87
PID 2620 wrote to memory of 1908	2620	Chcddk32.exe	87
PID 2620 wrote to memory of 1908	2620	Chcddk32.exe	87
PID 1908 wrote to memory of 4316	1908	Cjbpaf32.exe	88
PID 1908 wrote to memory of 4316	1908	Cjbpaf32.exe	88
PID 1908 wrote to memory of 4316	1908	Cjbpaf32.exe	88
PID 4316 wrote to memory of 4824	4316	Cmqmma32.exe	89
PID 4316 wrote to memory of 4824	4316	Cmqmma32.exe	89
PID 4316 wrote to memory of 4824	4316	Cmqmma32.exe	89
PID 4824 wrote to memory of 1672	4824	Ddjejl32.exe	90
PID 4824 wrote to memory of 1672	4824	Ddjejl32.exe	90
PID 4824 wrote to memory of 1672	4824	Ddjejl32.exe	90
PID 1672 wrote to memory of 4672	1672	Dfiafg32.exe	91
PID 1672 wrote to memory of 4672	1672	Dfiafg32.exe	91
PID 1672 wrote to memory of 4672	1672	Dfiafg32.exe	91
PID 4672 wrote to memory of 1872	4672	Djdmffnn.exe	92
PID 4672 wrote to memory of 1872	4672	Djdmffnn.exe	92
PID 4672 wrote to memory of 1872	4672	Djdmffnn.exe	92
PID 1872 wrote to memory of 1576	1872	Dmcibama.exe	93
PID 1872 wrote to memory of 1576	1872	Dmcibama.exe	93
PID 1872 wrote to memory of 1576	1872	Dmcibama.exe	93
PID 1576 wrote to memory of 2164	1576	Ddmaok32.exe	94
PID 1576 wrote to memory of 2164	1576	Ddmaok32.exe	94
PID 1576 wrote to memory of 2164	1576	Ddmaok32.exe	94
PID 2164 wrote to memory of 5008	2164	Dfknkg32.exe	95
PID 2164 wrote to memory of 5008	2164	Dfknkg32.exe	95
PID 2164 wrote to memory of 5008	2164	Dfknkg32.exe	95
PID 5008 wrote to memory of 3304	5008	Dobfld32.exe	96
PID 5008 wrote to memory of 3304	5008	Dobfld32.exe	96
PID 5008 wrote to memory of 3304	5008	Dobfld32.exe	96
PID 3304 wrote to memory of 1264	3304	Dmefhako.exe	97
PID 3304 wrote to memory of 1264	3304	Dmefhako.exe	97
PID 3304 wrote to memory of 1264	3304	Dmefhako.exe	97
PID 1264 wrote to memory of 2228	1264	Delnin32.exe	98
PID 1264 wrote to memory of 2228	1264	Delnin32.exe	98
PID 1264 wrote to memory of 2228	1264	Delnin32.exe	98
PID 2228 wrote to memory of 512	2228	Dhkjej32.exe	99
PID 2228 wrote to memory of 512	2228	Dhkjej32.exe	99
PID 2228 wrote to memory of 512	2228	Dhkjej32.exe	99
PID 512 wrote to memory of 4464	512	Dfnjafap.exe	100
PID 512 wrote to memory of 4464	512	Dfnjafap.exe	100
PID 512 wrote to memory of 4464	512	Dfnjafap.exe	100
PID 4464 wrote to memory of 2212	4464	Dodbbdbb.exe	101
PID 4464 wrote to memory of 2212	4464	Dodbbdbb.exe	101
PID 4464 wrote to memory of 2212	4464	Dodbbdbb.exe	101
PID 2212 wrote to memory of 1884	2212	Dhmgki32.exe	102
PID 2212 wrote to memory of 1884	2212	Dhmgki32.exe	102
PID 2212 wrote to memory of 1884	2212	Dhmgki32.exe	102
PID 1884 wrote to memory of 2576	1884	Dkkcge32.exe	103

C:\Users\Admin\AppData\Local\Temp\8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe
"C:\Users\Admin\AppData\Local\Temp\8e32b355201385c78f05bb840dea297cf06f16a6c54bff7bdc2ea3343e98cd76N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\SysWOW64\Chagok32.exe
  C:\Windows\system32\Chagok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\Cnkplejl.exe
    C:\Windows\system32\Cnkplejl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\Cmnpgb32.exe
      C:\Windows\system32\Cmnpgb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 404
        28⤵
        Program crash
        
        PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 436 -ip 436
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
45KB

MD5
13d2656099050ee4da9a4be072f5a14b

SHA1
0cd150f1b837a04162f5a80032980a20fc819ecc

SHA256
581a2e384bdb643e376d78d6cfea330112ee82709ff58855ffc0603b607d85f7

SHA512
6fe48290f31c1df55f87f8bf3596d0622b9c87133261737600a79e64e6989cce4c1cc2f0ba86102545eaa8040b87c5c1d7c216c7fadded6fe755801a61bc6a6a

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
45KB

MD5
1e429bd598c060cb94020f1131d390e2

SHA1
e23536d18a66eba59c7f194895fc234c4ca1c07d

SHA256
53ef7d94e964d05f3ff7a8187edf30e5b0ae61abe6b28c38ac9ea02c631fea58

SHA512
e4affc5524cd2b4cec07f03497720568f4e04410a2522b51ddbbd6edd68ff9cadf4d97e29814fff71f2e6bab27bb70f536c7f406757637fc315f0caba51c65f6

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
45KB

MD5
87bd9e01bf31896e6521d9bf5222d57b

SHA1
57ac43e6c3334b8182e21beb6b64f7289844ef42

SHA256
9ea89acce767fce21859cf480279efb5a0622b04e3b72cbe29b9658cf49aaf4d

SHA512
c8dcae21cd066cddaf3d849e589cd9a95287b975275f3557ef20e960de470ec6bdc2da575aba58620aa768e3261d75a854e2bd8443e32256735ff3e9c92f1015

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
45KB

MD5
45e639371e9eba964b2d403f22602948

SHA1
6a86c9d91244d8d70ce2486e910858c5e7a970dd

SHA256
32ac9ee6515739b269a7a1621349474330ba11d4c6ca5f9e4c4be9820e78b436

SHA512
d3e50de6b06e2d80bb2e05c8a5cfe956a6b373308613e680aa241629b4707b7c3d4f7c3063f429729771dc314c3006b2802a015c2e8fa17d6d5c574e4059e75a

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
45KB

MD5
a6f1243757eccb61a9d6ae0072a1cf7b

SHA1
2fdf64d731f32b7f158635f02c622220180ac8ee

SHA256
364309dc13e62e700d294d27abe5253956ed1ff34ac271abe4e3e8de4b8b6af2

SHA512
0bbb07d39435cf1a6b8fdf7de33cff79c397a0e2d772392e65eab9514c51aec57b2e1e66ae97646bf758f867cf0a0f91267806bbaa10d1e85b0a725712ed8928

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
45KB

MD5
3479fb63e060f54a6902cbd6b7eb91b0

SHA1
b993aa744f28297c6bde3e7ad6c208a1fda9bc5a

SHA256
972cd414c2ba8f3fd72629b1ca44f73a39a1a2a73941abaf0b81ccb271407626

SHA512
5f39fd4d1da922131704eb400812d52f8cc771c67854713bcbd97502292030f807a68309cd635408c4e81d3420a2377ece9f8431df3d8bb931dab9ea0a37463f

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
45KB

MD5
7cde17cd2334e1633edaffb20e40ea28

SHA1
0fe5e26675b75badfb5085dcdaa4fb4b86146fd5

SHA256
640ec35c74a3b3f26daf7a28e45d4e35f482f3c7e383d304249155c3b884d3d6

SHA512
eb5395b7453c0811687f8cf862108749b74f63d047c5631315e40268f3a511d651fe9c219d7dd9a4a71607e65caf6da8cd71756454c10e7461569257149e72f9

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
45KB

MD5
f9cc1dc7599baa72e434d83de971264a

SHA1
c61389eb316c9d52fd7699b3f3bd34c58a5364bc

SHA256
3201020af809227da07b96a400ead0cc0dfc7ea80d3777845040eb39df0ccd7f

SHA512
fffe4ec3b7052adc9bc440a5daf33d51ce8e6d79632715caeccd3de3407af876f3e16c28cbc9d0520826d3d223b06167ba31d1f28004458ae6c7df9557a9c78a

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
45KB

MD5
b902c453291d4d44fc42d64cfecd2209

SHA1
69626ac5a9f484b1f98ad02de209f4249e6e4f58

SHA256
26a0eea9f9aadcc07e4ccc23370bc4c3108217b0d40e7257a6d48f3b49252dba

SHA512
d861b7dffb615927dbe55377e15a1e971824aac914351af1c5c31ac30a91aba6de421eade58af86c5fb283083f72254b43f7bd94fd02ca0d2b4b2761e0ef3071

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
45KB

MD5
9a4c19c65b47801fcb35f58be426acec

SHA1
e41b0ba4b971ad3759ad77c988217f722708abcb

SHA256
629193b702ab47d3a84481de78a32c9946f9f0835c76100c605496cb7895bf31

SHA512
cbc24cc3462174bf5adfc39ff93359a97e2b009383318422e050c7ae4814fbfa2b6ae393f2ee7d45d3d60f9bb36a758e2df9c421e7e67ac69f74334ee68b79c0

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
45KB

MD5
1d8e960e246fe9d31305151b8f08e7ac

SHA1
d09de7788e59f52c8ce63d1c856d848c59cca3a4

SHA256
0d61c6c87f2c82102257935e71e5c61d0b9ee47a71fa097e33251c0feb863241

SHA512
8dabc4124177d66ba0cbe446d672ace1e532da1e8494b2d9d42d656f53751bd7ff667687085159fc2aead94aafc077ec67bf0a3b01c441b73ae13182fec72aaf

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
45KB

MD5
f36f508f0caccd92428b4ea8a81fc1eb

SHA1
50488269ee3567e95c960a18616abf41d0247715

SHA256
24b9d0dde9257d880fd803ba9a1a7dde0c3552567e0ea319541cc68c6097be04

SHA512
f093219c38fdb45cf98d4a93720db01dc78c9e288a69d3a84f5166ea703f41f40adf74a3f391fede7a65a54f543cb3bd2c9179d54595f01b8cef900d5682d46c

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
45KB

MD5
fe4a0d3fdc1002112eb86b9bda69e575

SHA1
5195f7c28efecf3b8c6cb363c4ded287db9b711c

SHA256
78e2bc6e499163644e14583cb8211d68e8ad691042a2a14ca72120e11de548ef

SHA512
6c72b00b8dd2ba293697b8c714da5b32732116fd8b542ba7301a2ae06b7820481f1c67b50409689b851e85ed126052abb828b0c49af2e61f36245efc3a40bca5

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
45KB

MD5
3060a998a2f5089b9be9ec5cbefb7776

SHA1
49e1a12a95488155ed7be0d820ffdfdc2f27e929

SHA256
1185f8917c23680be7851711000cb86f370be7b8030fd6a3a28e91e967e2fbfe

SHA512
c3f3f912fcffc16369e910282243af4b054d5fc6602347e15457d4b6e432f05bfd097bd1f43c579fce04fa9e0d090c321651af147a987ab64dfda05b60c77d21

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
45KB

MD5
1cca6a09046fed51b2b7d788cc0b74d9

SHA1
15e8dabc10eaeb3b8769723024206c483d024359

SHA256
b0cbd59173f95d22ddd19e3ee2d7485666ca6f6e9cbe09ec92837db7ba756b7f

SHA512
5e5641020830d42f97bb8e1ed48d78aaa04afff14e5d3d554fcdbc570cc6457286af23ad2c045dbc4766a16dcaa33c1365a2a5ce4874279677b220224cac057e

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
45KB

MD5
7fc0631d235341ceb3e9ac6b519fe00b

SHA1
11904b32827a53efa7e9d85d29cdcda6bd01c55d

SHA256
4a601c6c2588e2710321e36d3110001e9544e8fa074b6c22652e05bfb9167952

SHA512
665919a9c8694f8dc0cbda8ef277389b999a419f00905fb9bf9d12a0a4a3f31ba76369acd62ad0f0d35adb340f237d887303c9bca5b0f6caccd486eef468afc6

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
45KB

MD5
48ad8f138ba53c567606255d069db8bf

SHA1
62202d37ebc291f0f8b0040745ff8479aba0e7bc

SHA256
11f62205ed057d531a4c9a81208c917836793db385615f607f7287df06034f7e

SHA512
18288291ff179638818569f9dbe47380a9ef61514beacb16a2a4b64c6379b08202dca858ef65defb02ec9b82758909f8e58ef573d7f450bf3fe35f6b9e32db13

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
45KB

MD5
9ce0abff9baf1e22b7166fa54fab73ff

SHA1
077e689ffb3421838ca93c6ee714665fba6f1066

SHA256
ee47fce7b2aab5d885c8588c5311f343a4053056097fe74da7ce5b670e7a77f8

SHA512
914bd939bf6530b70cc3911215000883529941cb60c448fac2ec8700e8e8b6a290c8d5cfd76fba1622326d080f651e50f121db3fed34c95e73e2dc9fa192f086

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
45KB

MD5
d5dc5587e5436d94666e5c4ff29a83cc

SHA1
ce29bbebaae3868910c513301a8bfdf2b61b5160

SHA256
c3155580b1df4d411d0bd12b52141a35fa27f7efa68c9fb036ffead7f4453ebb

SHA512
d938dc9bcfd16df62a0f1ac65b513048314c392c568190427f4f9411e2d7ebce2ec5b8c04decb628a7ac36ac83413c74e65c9fb087f3d49e7e720c4c8640e60b

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
45KB

MD5
13a70de30376652bef76d3c3f0e0f30a

SHA1
65eeb8cffa1d746912f238c9472ef8d974535dcc

SHA256
5f32dd1e4b657d7e43fd38780ac9c3d296a191f9cc98e009e239ccdad67743f1

SHA512
074224599ec81bd718101cf691400f48a72f3d7fb6ad65db2c9313188a808d9e50b292eeddc5bcf88f6462b2862eec6234975a46d0a6248a13fd5279bb56e729

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
45KB

MD5
e7062ede66ad33d35f93bff0742db59e

SHA1
9f70db948d1b2f9df8c73e6c11ff889669b8e2d6

SHA256
5c69541ccd4a0d7d4d9bef192b353db90d91e036b2251c02aded73d3a90a4a21

SHA512
e22cf84944a4b8a60439634ececf6f23c0114b94452431531acfa5ddc3e822872421c117e5f8b0f8e2f5993dbe35f845a9b7124379c47c32b94dd55826aeb021

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
45KB

MD5
250af6d068a3b7cd80090de10dee5aeb

SHA1
1c92d599075ca8ce1454bf4e10cb4c8745c37e09

SHA256
45539f80c597f55c26f68649d48559e6cda83633fdcc64cae609fbabc260e395

SHA512
50513c6dac373ec711c6cd8944fda2e15daa2cd182eff3f3df12116e81b77eb2328a77ecc488242b1b7b29e91413b5c310e59dcf13d4b79ac04d84f31ef72231

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
45KB

MD5
6d91d8b4188f9bf32a56881049912a3e

SHA1
e4f785f36a1bde29f1431167d913df8f0adac4dc

SHA256
691c475ac0ee1f116b904ff9c4528de26d6adbc8aeaca289cc383b4ee7389d20

SHA512
ad876d527593c955309cb838d01e507cfb59e6180b86603c03a3ecbe8b232131e81144687d514ee532efc6debac4aafc3de1aa4a40af41e010b6897dcf5ceaba

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
45KB

MD5
998b27ee18820a4c8b0e00e0549ff833

SHA1
75850f9316977405d78ee4bc20d7ea3a9a980630

SHA256
8c2ee75971e846f281d80b75a8013ad1f206889060006d2ed6c137f70725098b

SHA512
a7da0f4ae16bd6ba4b0a3ac1b968730fc4a7dcf6a14237dc32fcb2c6b763a1c3ee5632917b23e5a06984e2d23ebf1bfecbd386b90d601a0f6be12491b01114a8

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
45KB

MD5
16bb3cd9f6ad0a17a4ec5eadaee7841c

SHA1
6f4065c14c46ed20da709f8c15f1bd94b33d6e26

SHA256
68a5db421beebc162e354822c7883f16a5ad38b2e278429e5b54cb5453cffd30

SHA512
bf606a64e803dabe336b2df34e981795b44ad614d1de4b2f0e832c8309187cc316a319f5cf6cc8d6c4b2ad6878576e3a6988fd86872ff01be26e64d1d3e40b60

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
45KB

MD5
72975cdb6f6fef84f2575d6d452e3621

SHA1
49f0fc5c7083a9e7fd866d6e4f1e2b44f8e02d78

SHA256
f34d9403ece00c1eaa5077abb836628f01b0ac0bd4b943eb49db26017c7e9421

SHA512
a31591854c849dcbb9ea67b001527b5bb3c2e62a165af41355aadd09daed3126a49fcae0f55eeab24af8c57d0c4582cdd695260dd2d4ebdf494c7b93a0f0b74e

Download Submit
memory/436-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/512-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/512-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1576-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1576-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1872-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1872-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1884-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1884-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3304-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3304-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3808-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3808-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4464-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4464-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4672-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4672-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4716-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4716-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4900-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4900-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads