berbew | f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
Size

136KB
MD5

9240bf867655b762145a6678511f3de3
SHA1

b4e1974b6ab0d21825adbfe5375f43c8d9d3b6f3
SHA256

f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7
SHA512

aef9a827b21d226a459a8f31f8ac59f75abfce0f8714d3760d7649973cf9f232db574f08e398eeebfb5ab54889b4d1f56488aed7d0b8ed61b760e75b13b00089
SSDEEP

1536:KG5TVSyqWTqJHwoy6FHru2c8+KAssJXcqOxL8ZTzbcJ+7zNjSKOhYXYnTmujz0cT:NPcJQZ2c8+KYsEXNjShiKIi/mjRrz3OJ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 23 IoCs

pid	Process
2460	Cdfkolkf.exe
1924	Chagok32.exe
3808	Cnkplejl.exe
4896	Cmnpgb32.exe
2620	Ceehho32.exe
1908	Cjbpaf32.exe
2800	Cmqmma32.exe
3084	Cegdnopg.exe
3124	Dhfajjoj.exe
2088	Dmcibama.exe
1852	Ddmaok32.exe
1052	Dfknkg32.exe
1764	Dmefhako.exe
3676	Delnin32.exe
4816	Dkifae32.exe
4040	Deokon32.exe
1296	Dhmgki32.exe
3688	Dogogcpo.exe
4248	Daekdooc.exe
4980	Deagdn32.exe
1624	Dgbdlf32.exe
4572	Dknpmdfc.exe
4564	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2948	4564	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 2460	3212	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe	82
PID 3212 wrote to memory of 2460	3212	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe	82
PID 3212 wrote to memory of 2460	3212	f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe	82
PID 2460 wrote to memory of 1924	2460	Cdfkolkf.exe	83
PID 2460 wrote to memory of 1924	2460	Cdfkolkf.exe	83
PID 2460 wrote to memory of 1924	2460	Cdfkolkf.exe	83
PID 1924 wrote to memory of 3808	1924	Chagok32.exe	84
PID 1924 wrote to memory of 3808	1924	Chagok32.exe	84
PID 1924 wrote to memory of 3808	1924	Chagok32.exe	84
PID 3808 wrote to memory of 4896	3808	Cnkplejl.exe	85
PID 3808 wrote to memory of 4896	3808	Cnkplejl.exe	85
PID 3808 wrote to memory of 4896	3808	Cnkplejl.exe	85
PID 4896 wrote to memory of 2620	4896	Cmnpgb32.exe	86
PID 4896 wrote to memory of 2620	4896	Cmnpgb32.exe	86
PID 4896 wrote to memory of 2620	4896	Cmnpgb32.exe	86
PID 2620 wrote to memory of 1908	2620	Ceehho32.exe	87
PID 2620 wrote to memory of 1908	2620	Ceehho32.exe	87
PID 2620 wrote to memory of 1908	2620	Ceehho32.exe	87
PID 1908 wrote to memory of 2800	1908	Cjbpaf32.exe	88
PID 1908 wrote to memory of 2800	1908	Cjbpaf32.exe	88
PID 1908 wrote to memory of 2800	1908	Cjbpaf32.exe	88
PID 2800 wrote to memory of 3084	2800	Cmqmma32.exe	89
PID 2800 wrote to memory of 3084	2800	Cmqmma32.exe	89
PID 2800 wrote to memory of 3084	2800	Cmqmma32.exe	89
PID 3084 wrote to memory of 3124	3084	Cegdnopg.exe	90
PID 3084 wrote to memory of 3124	3084	Cegdnopg.exe	90
PID 3084 wrote to memory of 3124	3084	Cegdnopg.exe	90
PID 3124 wrote to memory of 2088	3124	Dhfajjoj.exe	91
PID 3124 wrote to memory of 2088	3124	Dhfajjoj.exe	91
PID 3124 wrote to memory of 2088	3124	Dhfajjoj.exe	91
PID 2088 wrote to memory of 1852	2088	Dmcibama.exe	92
PID 2088 wrote to memory of 1852	2088	Dmcibama.exe	92
PID 2088 wrote to memory of 1852	2088	Dmcibama.exe	92
PID 1852 wrote to memory of 1052	1852	Ddmaok32.exe	93
PID 1852 wrote to memory of 1052	1852	Ddmaok32.exe	93
PID 1852 wrote to memory of 1052	1852	Ddmaok32.exe	93
PID 1052 wrote to memory of 1764	1052	Dfknkg32.exe	94
PID 1052 wrote to memory of 1764	1052	Dfknkg32.exe	94
PID 1052 wrote to memory of 1764	1052	Dfknkg32.exe	94
PID 1764 wrote to memory of 3676	1764	Dmefhako.exe	95
PID 1764 wrote to memory of 3676	1764	Dmefhako.exe	95
PID 1764 wrote to memory of 3676	1764	Dmefhako.exe	95
PID 3676 wrote to memory of 4816	3676	Delnin32.exe	96
PID 3676 wrote to memory of 4816	3676	Delnin32.exe	96
PID 3676 wrote to memory of 4816	3676	Delnin32.exe	96
PID 4816 wrote to memory of 4040	4816	Dkifae32.exe	97
PID 4816 wrote to memory of 4040	4816	Dkifae32.exe	97
PID 4816 wrote to memory of 4040	4816	Dkifae32.exe	97
PID 4040 wrote to memory of 1296	4040	Deokon32.exe	98
PID 4040 wrote to memory of 1296	4040	Deokon32.exe	98
PID 4040 wrote to memory of 1296	4040	Deokon32.exe	98
PID 1296 wrote to memory of 3688	1296	Dhmgki32.exe	99
PID 1296 wrote to memory of 3688	1296	Dhmgki32.exe	99
PID 1296 wrote to memory of 3688	1296	Dhmgki32.exe	99
PID 3688 wrote to memory of 4248	3688	Dogogcpo.exe	100
PID 3688 wrote to memory of 4248	3688	Dogogcpo.exe	100
PID 3688 wrote to memory of 4248	3688	Dogogcpo.exe	100
PID 4248 wrote to memory of 4980	4248	Daekdooc.exe	101
PID 4248 wrote to memory of 4980	4248	Daekdooc.exe	101
PID 4248 wrote to memory of 4980	4248	Daekdooc.exe	101
PID 4980 wrote to memory of 1624	4980	Deagdn32.exe	102
PID 4980 wrote to memory of 1624	4980	Deagdn32.exe	102
PID 4980 wrote to memory of 1624	4980	Deagdn32.exe	102
PID 1624 wrote to memory of 4572	1624	Dgbdlf32.exe	103

C:\Users\Admin\AppData\Local\Temp\f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
"C:\Users\Admin\AppData\Local\Temp\f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\SysWOW64\Cdfkolkf.exe
  C:\Windows\system32\Cdfkolkf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\Chagok32.exe
    C:\Windows\system32\Chagok32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\Cnkplejl.exe
      C:\Windows\system32\Cnkplejl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 408
        25⤵
        Program crash
        
        PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4564 -ip 4564
1⤵
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
136KB

MD5
e5b18de93a638140c068723f5550d1d2

SHA1
2a52fbdf0ae49fe692f12731a36dc1b4477499cb

SHA256
51977330de6b7722e6ab2916254b151b7363ff0ae8dfc59b676e09a3e1e67a5e

SHA512
337ffc67ee65608d618c4bf22486e10c2d7f77e7e6e54f2e3c962c7e4a8fb975ea6da10b1e19d83ceff23a8a4e0f9bda0119c308b682f5bf5e3b7e4e1e45a940

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
136KB

MD5
6405e1fceb758c6d89c59bed8330c71c

SHA1
58ae195d540630ffbd882f3c9c4dc4fb927fc91c

SHA256
6a731e0f4e0c68c754e68e073c73243718bd15f9e81c870b2f1b6ed6805d3bc1

SHA512
c1e018e61dba6b5266fb07977f32873c8464c3376f436838d7e8783f3b988603789a46d06df10e53cfa54ef63d2b013c45e8a44431deaf1a43ab190d8faf723f

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
136KB

MD5
4de124c1694541a82738b1fca629b60e

SHA1
1883e314ec11655a487614114f184b03efa114fd

SHA256
577299533582f433c406d813e9d10e53fd4b2ab1a6f5f30f0e748b042825e355

SHA512
0cebc8c7ce738b414265827718c132c567ebeb4cca58ef6dcb3bd44220621df1d00e6d3e15a4122dc358316555f6504fef5056bfd883b8156a179ffe4860b7ce

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
136KB

MD5
0802cb33be3f858ee3cd04d175ed6de9

SHA1
b84cb6de223b78464711c21ec34171b4cb3b07c4

SHA256
598a7c17f5d7f15e2a207d4014e24a0b02b7051570f424dd11d7c411d5ee7d3a

SHA512
eb0608c4ead2d4f12cfb1e7396e7f027178d136ff7c35a96e88dea800880fe8f3780801d52385f431b6fb1b98343078d5ffc2665f82882d2d37a3a1475432c78

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
136KB

MD5
cd2179450de933c6430862c801457e77

SHA1
98e5c012b3a7edb0833988c27d45ec4f2ca18fac

SHA256
4813d7d41c732b8bb06b02c453a967aa0b8ac27ce57bdfc51e037fd9a17f8420

SHA512
28105aa9296778c4255b3d1ac201c32ec9e89526121a296e314ffd0890ba36345c1b411711feb9ef0d6cd9acbe987dc47f6edf6aaec873568363bb717726333c

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
136KB

MD5
161cf5e8ddefb0337a01ceb4bc271af2

SHA1
8de7bb0f5cb008f31d5745d412569683f1a5b3a2

SHA256
304d0e1b55da3458ceeb5e83910b84086830b40b26f71e117bae588a2da086ba

SHA512
1e9a394ea0202f68570e4bdb7d73dec17cae35cfa1fee241e86968252f616e9268c2b430d99fbef92473a37eba35da5c2cfaa0d1a9bf0bd002a05c9fea6939d3

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
136KB

MD5
137f8e9bdb973ad60e9c34f61137b1eb

SHA1
4c8843411a12f3f224594beb649f1ac4b1d35019

SHA256
dc0b56ae11c100409a7b297627de92753f204dac7aa21aa42a3d66b1455427f7

SHA512
424093a35a434b27a1114366263cc2221b65f5182c6b926a3e713fbe3c8cc30f91970d8c95830f19aad51f189c710b6a16933910532fdf2a8267345c9566aaec

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
136KB

MD5
f3adb0d5079c173430ab362688b62dbd

SHA1
4d69f548b451dace2d0617a9906194a7044b28f2

SHA256
0ccc8825000ddc82523521f32c33ae72142cdaa27e0463c147a43a6992926c0f

SHA512
a7875d5a90b0bdde0dc0420c48968a96d006b8518622212536fec3eb55b17ee8ea7b9de9ccbfa824d4ef7f608d188bfb0fd1a9f25d172f03b4ea4fb4eabde4e2

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
136KB

MD5
e7706602f9475d3fb650f15e9488f03a

SHA1
2a2926ec9d50bc53bf3fd2acd5e780e52b649a7f

SHA256
60c404f1f85882477b808f97a576260b039098c46937f646484864552ec65d7d

SHA512
fa5e404e6f478856cb7ac47fe54f80221e7c501b1b841bd4c893a734a22e26fa753e3ac4e49b8e9dd16bc114f69e6a90940fb388f39b0b7a148d396ad15a9c6f

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
136KB

MD5
caf71166883f38f564759ce56cd0cdb5

SHA1
1f69e762675ffb72229c7a941cd783f63b1c6cd3

SHA256
cdb0fd2f2ff1b777e22375dece3663db012cd890883795289f449ea2aaaaf303

SHA512
744dafc8a0052b17cc0110abe5eaae0934bdcb434ebba42f49a32390d645492ebe68d32df865ace716a3b2a93ad89cd669776a4f073249091be7fef14b8739f1

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
136KB

MD5
5d9a0005dab89ef1eb588a8830485fda

SHA1
73d12deb8f0e0355fabbea8bba029642f466386b

SHA256
15ea6328f3c6d7b87727709a4efc10ad956837916ec0f2b49975a0f5d437be65

SHA512
6b8a387b1a1b4c0a946567ddade7d6bc02bfd64994491ffa54e3bf19f58814175d136d5f49f416d347da8ab3d6af1cedf42464246e0d43baa831d1ea0ec3f26d

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
136KB

MD5
e4c18d16dd792fdd2afabb46753fc3e8

SHA1
2e14a31096f6dea96da75d645afc8b51cbfff4e0

SHA256
386a309820c6eda856e97fc7bb21208fec402906727a1f44e121e2c2068c7144

SHA512
412979b26f91b4d678b3a426a0acf93c9eec1c7fb99c61914ff6287f5f12a84a5cad101ee29977a02fb76103522c35543e957c320bacadb7592b841e2ed3a5a5

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
136KB

MD5
c19c1074f1cf467632b5edea694a40dc

SHA1
ce6b8126ddc8b57a27bf9e2b54c25d8aafb04f43

SHA256
e3055acb8a3eba64c9cd7461a963ad1c149f476e4f90a5e93cd33977c869ba53

SHA512
988db720a2ff861f2469599ec51bcb1bd93fb26298082478ceaad3a27b9987eb4b7169a109e60ee59e47bda728507fd4106eddc99f98741ad52144fca9bd0494

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
136KB

MD5
6a276a43f1b0c96cd0cf15b70a7c4f41

SHA1
a10484ecfc58dc400c6594a0d2b5981d28079bdb

SHA256
948391a96f94dede2da9473788bec28a91ba4974008505ede0ff67c090350370

SHA512
98a5bb302efe2fbf293f966251a1e8525aa3b22ab0e05746506e0d091022d318d2990bffba6067241b7559d46ed955e69cd39500752c60f4b9851866493e42d3

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
136KB

MD5
53c9edc7b72e0d107e56ce5f183f0544

SHA1
1561ed20b524690d5d2ab110460742c379e543df

SHA256
dfd9dd82cc45c3074e23edd613bf767c58ea355ac27fae2a4dcd7e9fe78a5490

SHA512
701269690f27831b47911026c7a4a5dd36a42cd9a0d97d5cd8987dfc039e411b360f98e9c0cc59acdd426916a37c69243c0a173ab82a67eb718b2378a6f2647c

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
136KB

MD5
5a167a620161062450d807112ad02103

SHA1
e03f114ce612c2f099c14b437b808125ec64cbca

SHA256
628f6c6d9f9caf818d1a0957566e87fa33370d0e98cea2a45353216cec389904

SHA512
20b885bf421adb24603b4221a13054958b7dbc5f58ae6e9f174fe6ecf89934108bdcf89c13bc516eba6abe2c736689178d599519e9862432378ce30c2cef89f9

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
136KB

MD5
36c9ce6cc45c850f6d65eca4619373ab

SHA1
f86ef7dad8152b8e6f234469591dd38a7c95cf2c

SHA256
88d9b8a65a5cbf3d726ab0277b2486baa4816a0ce011b70008ce6b27f17fbc51

SHA512
1661cf9a00c6f1934b3fbf28609d7882027a5110f6b7eddfb3f57021c99f1b562cee9efb8c9c91d0b82be1c1cecd5ffe7544bfecff2b5950ae2b15206f9e138d

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
136KB

MD5
cc3f1ee5398c635f9ca2f74e1c194868

SHA1
b34ce7b46394d793468a6f6282b620b14fc3b8bc

SHA256
37181f5ad01e1666f834b3d5dc0274ba1787f1d6a2867a2af9f5115c250dda43

SHA512
5b5c3bb1f449c3487b40ab7d80560f16f79018dd78b64bb9b6873f7e785bd7582f45921cd3389bcd18741cbfefc215a7c9157cf10fa9980f71d4fff148a2c022

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
136KB

MD5
cd9ea419531c11722453c07397bdaf29

SHA1
9ef1fcee6a6457bd56004bb32d4131b40ebdbfe2

SHA256
92ba73b222e1a20bc617867f0a0904463dceaadbd6dcf3708d349bccab6a7cfe

SHA512
f822340ff20337934104f93c0289ed5384a675b0a05da185c145085f7c7862dd49c031a8332c413c0c1101cd5d78597711d484a15dd24768a58a9ea381deb023

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
136KB

MD5
585957ffa2aa69803e07942d4f708d94

SHA1
fd970705726cf0f7e51433e3e7cd0dad592784e6

SHA256
b9bb2c9673e8970a57bc88e0f92c01214c01f51fa391ca06e4e46aca4644760b

SHA512
7f17e64aab7b2c8da6df86e423913cdfa15fa4365b8886c85c9b9f28fbaa19be2516f6cd91b868ae541528da47d567de8b47af07bdc99a58574099cdf7142523

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
136KB

MD5
0b3b5b5333f5546c7ea1fc901418717c

SHA1
03e274591852fee16d0668c17ea6f0034f1f7b8b

SHA256
de62be6478bad372562342e4ecdfa04ae0578c630c2f251f3648af1c0237fce0

SHA512
95877713f71733de5752ccd36bcb8a66eb6dbc0cf464a86a3c121cc19717c0e1b90ea671bacbd6d82f01ab0591b4a6180d9d31a800d7f1e25c0f32fdfc3e21c6

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
136KB

MD5
d25e55e528aa4d58673d8f49301db520

SHA1
7710a3341e0ea710eb4d309b6c2416e34f898256

SHA256
10f0d86a3e3c1008e719e67c8c8ea6ea613673b4ec40ecb168e48a91945831ac

SHA512
84ea1828cf26d6d887949864f2c6eaff061f820303abdb67e5af3d99da290a6b72ff7152b30f800d9a83aec8d5da599918f22dae52085ea98b6c934d4d237d7e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
136KB

MD5
1f6e4649580f74f420ee2f87500845a4

SHA1
487c792f07d9d62270b58300038fd125ae8e6322

SHA256
d8b39cc4bd587f85d4e948e06b60da0eefec34c936aed77f4c94541db2b35143

SHA512
1e7839c985ae848cdf15a824ef0b97f348f326b78d77efaf8eee84194c0b050b34c00e386598780967432ebbe93987d1ad2ad373070eb1de1e5d4898fd4f6e73

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
136KB

MD5
6fc2a35760cc4b3f3d22ec12812267cf

SHA1
2b548c72936ff949a1aa1d210176c8e164bdc3c3

SHA256
7f85ef35efb2be02b2ed7f4481b89a2b6733f0c3c0d7ee951bf969449e0b6433

SHA512
89c95344967e4a0bfbd5fb5b02e2ce64243198f34d6dfd4d0700ca598258832f90fae48a118294e44883f4b5d9ef29f5f2f10ebeeaf309c050bc68e3502915a1

Download Submit
C:\Windows\SysWOW64\Jekpanpa.dll

Filesize
7KB

MD5
8086b74a3a64745fa521cfddc1fa3fe4

SHA1
cf6113dbc253dbebd4c07f77058f3d767327fe78

SHA256
0fe74270c13bdc643f0efd6e82c6a587eb583b90d9951c67668222e6afde85f9

SHA512
6ae5ab9d87511d3ce1838549d6310e19521c5f49baced42af5e23c39864b90e1693121cad5f2296e8e89e77631aa92f14b37620e3c307c6c514fb6e4aa8c93df

Download Submit
memory/1052-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads