c5237d4dd6f98f6705111b4df807bc7bd456f7e8aa6cc293f0629b66a64bb7d8

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2023 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.568648c382848f68fe376bb28a487530.exe
Size

143KB
MD5

568648c382848f68fe376bb28a487530
SHA1

5497be8409732540f9179455ab0cb362f4ca44ab
SHA256

c5237d4dd6f98f6705111b4df807bc7bd456f7e8aa6cc293f0629b66a64bb7d8
SHA512

cd15d09fac58925cb51276c71f602e811a14d13d294399ceb417fe8c59de79c9b250116e3a19793ec8c59d6c500d67964bd2dad053487e4b7b80e9f92d1bdacf
SSDEEP

1536:RsSeBtB6t1OudtMkKqFEQMtpEycUQ5ziJE93isirBUBEVGBtVM2hZV03fca13y:WSeBf6t13dG1Lsyc3N93bsGfhv0vt3y

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.568648c382848f68fe376bb28a487530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.568648c382848f68fe376bb28a487530.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/376-0-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x00090000000224ad-6.dat	family_berbew
behavioral2/files/0x00090000000224ad-8.dat	family_berbew
behavioral2/memory/4964-7-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022d5d-15.dat	family_berbew
behavioral2/files/0x0008000000022d7d-23.dat	family_berbew
behavioral2/memory/2064-16-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022d7d-22.dat	family_berbew
behavioral2/files/0x0008000000022d5d-14.dat	family_berbew
behavioral2/memory/1888-24-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e3f-30.dat	family_berbew
behavioral2/memory/4928-31-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e3f-32.dat	family_berbew
behavioral2/files/0x0007000000022e46-38.dat	family_berbew
behavioral2/memory/4580-39-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e46-40.dat	family_berbew
behavioral2/memory/3952-47-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e48-46.dat	family_berbew
behavioral2/files/0x0007000000022e48-48.dat	family_berbew
behavioral2/files/0x0007000000022e4a-54.dat	family_berbew
behavioral2/memory/4720-56-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e4a-55.dat	family_berbew
behavioral2/files/0x0007000000022e4c-62.dat	family_berbew
behavioral2/files/0x0007000000022e4c-64.dat	family_berbew
behavioral2/memory/4608-63-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e4e-71.dat	family_berbew
behavioral2/memory/3476-72-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e4e-70.dat	family_berbew
behavioral2/files/0x0007000000022e50-78.dat	family_berbew
behavioral2/files/0x0007000000022e50-80.dat	family_berbew
behavioral2/memory/2148-79-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e53-87.dat	family_berbew
behavioral2/memory/2232-88-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e53-86.dat	family_berbew
behavioral2/files/0x0007000000022e55-94.dat	family_berbew
behavioral2/memory/3872-96-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e55-95.dat	family_berbew
behavioral2/files/0x0007000000022e57-102.dat	family_berbew
behavioral2/memory/1036-103-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e57-104.dat	family_berbew
behavioral2/files/0x0007000000022e5c-110.dat	family_berbew
behavioral2/memory/4672-112-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e5c-111.dat	family_berbew
behavioral2/files/0x0006000000022e5e-118.dat	family_berbew
behavioral2/memory/3356-120-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e5e-119.dat	family_berbew
behavioral2/files/0x0006000000022e60-126.dat	family_berbew
behavioral2/files/0x0006000000022e60-128.dat	family_berbew
behavioral2/memory/4760-127-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/3304-136-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e62-135.dat	family_berbew
behavioral2/files/0x0006000000022e64-142.dat	family_berbew
behavioral2/files/0x0006000000022e62-134.dat	family_berbew
behavioral2/memory/3660-144-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e64-143.dat	family_berbew
behavioral2/memory/2112-152-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e66-151.dat	family_berbew
behavioral2/files/0x0006000000022e66-150.dat	family_berbew
behavioral2/memory/2112-153-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/3660-154-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/4760-156-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/3356-157-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/1036-159-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/2148-162-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew

Executes dropped EXE 19 IoCs

pid	Process
4964	Bclhhnca.exe
2064	Bnbmefbg.exe
1888	Bapiabak.exe
4928	Bcoenmao.exe
4580	Cdabcm32.exe
3952	Cmiflbel.exe
4720	Cfbkeh32.exe
4608	Cnicfe32.exe
3476	Cfdhkhjj.exe
2148	Cajlhqjp.exe
2232	Cnnlaehj.exe
3872	Dhfajjoj.exe
1036	Dmcibama.exe
4672	Dmefhako.exe
3356	Dhkjej32.exe
4760	Dhmgki32.exe
3304	Dmjocp32.exe
3660	Dhocqigp.exe
2112	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	NEAS.568648c382848f68fe376bb28a487530.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	NEAS.568648c382848f68fe376bb28a487530.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	NEAS.568648c382848f68fe376bb28a487530.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	2112	WerFault.exe	107

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.568648c382848f68fe376bb28a487530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.568648c382848f68fe376bb28a487530.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.568648c382848f68fe376bb28a487530.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	NEAS.568648c382848f68fe376bb28a487530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.568648c382848f68fe376bb28a487530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.568648c382848f68fe376bb28a487530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 4964	376	NEAS.568648c382848f68fe376bb28a487530.exe	88
PID 376 wrote to memory of 4964	376	NEAS.568648c382848f68fe376bb28a487530.exe	88
PID 376 wrote to memory of 4964	376	NEAS.568648c382848f68fe376bb28a487530.exe	88
PID 4964 wrote to memory of 2064	4964	Bclhhnca.exe	89
PID 4964 wrote to memory of 2064	4964	Bclhhnca.exe	89
PID 4964 wrote to memory of 2064	4964	Bclhhnca.exe	89
PID 2064 wrote to memory of 1888	2064	Bnbmefbg.exe	90
PID 2064 wrote to memory of 1888	2064	Bnbmefbg.exe	90
PID 2064 wrote to memory of 1888	2064	Bnbmefbg.exe	90
PID 1888 wrote to memory of 4928	1888	Bapiabak.exe	91
PID 1888 wrote to memory of 4928	1888	Bapiabak.exe	91
PID 1888 wrote to memory of 4928	1888	Bapiabak.exe	91
PID 4928 wrote to memory of 4580	4928	Bcoenmao.exe	92
PID 4928 wrote to memory of 4580	4928	Bcoenmao.exe	92
PID 4928 wrote to memory of 4580	4928	Bcoenmao.exe	92
PID 4580 wrote to memory of 3952	4580	Cdabcm32.exe	93
PID 4580 wrote to memory of 3952	4580	Cdabcm32.exe	93
PID 4580 wrote to memory of 3952	4580	Cdabcm32.exe	93
PID 3952 wrote to memory of 4720	3952	Cmiflbel.exe	94
PID 3952 wrote to memory of 4720	3952	Cmiflbel.exe	94
PID 3952 wrote to memory of 4720	3952	Cmiflbel.exe	94
PID 4720 wrote to memory of 4608	4720	Cfbkeh32.exe	95
PID 4720 wrote to memory of 4608	4720	Cfbkeh32.exe	95
PID 4720 wrote to memory of 4608	4720	Cfbkeh32.exe	95
PID 4608 wrote to memory of 3476	4608	Cnicfe32.exe	96
PID 4608 wrote to memory of 3476	4608	Cnicfe32.exe	96
PID 4608 wrote to memory of 3476	4608	Cnicfe32.exe	96
PID 3476 wrote to memory of 2148	3476	Cfdhkhjj.exe	97
PID 3476 wrote to memory of 2148	3476	Cfdhkhjj.exe	97
PID 3476 wrote to memory of 2148	3476	Cfdhkhjj.exe	97
PID 2148 wrote to memory of 2232	2148	Cajlhqjp.exe	98
PID 2148 wrote to memory of 2232	2148	Cajlhqjp.exe	98
PID 2148 wrote to memory of 2232	2148	Cajlhqjp.exe	98
PID 2232 wrote to memory of 3872	2232	Cnnlaehj.exe	99
PID 2232 wrote to memory of 3872	2232	Cnnlaehj.exe	99
PID 2232 wrote to memory of 3872	2232	Cnnlaehj.exe	99
PID 3872 wrote to memory of 1036	3872	Dhfajjoj.exe	100
PID 3872 wrote to memory of 1036	3872	Dhfajjoj.exe	100
PID 3872 wrote to memory of 1036	3872	Dhfajjoj.exe	100
PID 1036 wrote to memory of 4672	1036	Dmcibama.exe	102
PID 1036 wrote to memory of 4672	1036	Dmcibama.exe	102
PID 1036 wrote to memory of 4672	1036	Dmcibama.exe	102
PID 4672 wrote to memory of 3356	4672	Dmefhako.exe	103
PID 4672 wrote to memory of 3356	4672	Dmefhako.exe	103
PID 4672 wrote to memory of 3356	4672	Dmefhako.exe	103
PID 3356 wrote to memory of 4760	3356	Dhkjej32.exe	104
PID 3356 wrote to memory of 4760	3356	Dhkjej32.exe	104
PID 3356 wrote to memory of 4760	3356	Dhkjej32.exe	104
PID 4760 wrote to memory of 3304	4760	Dhmgki32.exe	105
PID 4760 wrote to memory of 3304	4760	Dhmgki32.exe	105
PID 4760 wrote to memory of 3304	4760	Dhmgki32.exe	105
PID 3304 wrote to memory of 3660	3304	Dmjocp32.exe	106
PID 3304 wrote to memory of 3660	3304	Dmjocp32.exe	106
PID 3304 wrote to memory of 3660	3304	Dmjocp32.exe	106
PID 3660 wrote to memory of 2112	3660	Dhocqigp.exe	107
PID 3660 wrote to memory of 2112	3660	Dhocqigp.exe	107
PID 3660 wrote to memory of 2112	3660	Dhocqigp.exe	107

C:\Users\Admin\AppData\Local\Temp\NEAS.568648c382848f68fe376bb28a487530.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.568648c382848f68fe376bb28a487530.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\SysWOW64\Bclhhnca.exe
  C:\Windows\system32\Bclhhnca.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\Bnbmefbg.exe
    C:\Windows\system32\Bnbmefbg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\Bapiabak.exe
      C:\Windows\system32\Bapiabak.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
      - C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 396
        21⤵
        Program crash
        
        PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2112 -ip 2112
1⤵
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
143KB

MD5
9073eedfac94008a0c85e0f36b39c12e

SHA1
a21d52adfe8b16803109fd36421476c152e2ef8b

SHA256
74f0d78cdf2a924a895248d175adf3b6b68b32c6ee1d94c8327edb0f83cb8cc7

SHA512
afa04e4c113f38291a7aa61b605ce7e965d76f0e248806bdaa061a029ae76d9fead2af5de2f461e2c024964d6264e038c7d7e680e1d74146712ec750a0a752b3

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
143KB

MD5
9073eedfac94008a0c85e0f36b39c12e

SHA1
a21d52adfe8b16803109fd36421476c152e2ef8b

SHA256
74f0d78cdf2a924a895248d175adf3b6b68b32c6ee1d94c8327edb0f83cb8cc7

SHA512
afa04e4c113f38291a7aa61b605ce7e965d76f0e248806bdaa061a029ae76d9fead2af5de2f461e2c024964d6264e038c7d7e680e1d74146712ec750a0a752b3

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
143KB

MD5
3ab9939006c2974840ef684f60fe31e1

SHA1
e19794f0e2e0702acffac53f7b3ca62326043029

SHA256
f7a0e2fb1e32c894fed5ce3dcc10826ba6a5e33b7f39f7d8a645b8a923cd7289

SHA512
a6fec20c2b833c875ce4b15460c565482847182b7ade0e3605c99e0d7d108d494d34f6f61ec71d216b0149f070c878c8d5a92198250738d0c1487d7f5bc7cca1

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
143KB

MD5
3ab9939006c2974840ef684f60fe31e1

SHA1
e19794f0e2e0702acffac53f7b3ca62326043029

SHA256
f7a0e2fb1e32c894fed5ce3dcc10826ba6a5e33b7f39f7d8a645b8a923cd7289

SHA512
a6fec20c2b833c875ce4b15460c565482847182b7ade0e3605c99e0d7d108d494d34f6f61ec71d216b0149f070c878c8d5a92198250738d0c1487d7f5bc7cca1

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
143KB

MD5
6291782a0b3f98bfd54a89c8fb6a1dd2

SHA1
b3ab248ce730db8dbeec7f46d73742484b4438a6

SHA256
18ec36bb9cb219b1607638a8514594e49967e5bd449466207a13170eef107a65

SHA512
685da4bfeb7e6bc8222947ff1eb2ad04e94d6822d5a516b98c4e46461588e10dbe06c8c4ae536a252c3e3878ad41d9043df6217da33443ef8049d83b5f2a22cf

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
143KB

MD5
6291782a0b3f98bfd54a89c8fb6a1dd2

SHA1
b3ab248ce730db8dbeec7f46d73742484b4438a6

SHA256
18ec36bb9cb219b1607638a8514594e49967e5bd449466207a13170eef107a65

SHA512
685da4bfeb7e6bc8222947ff1eb2ad04e94d6822d5a516b98c4e46461588e10dbe06c8c4ae536a252c3e3878ad41d9043df6217da33443ef8049d83b5f2a22cf

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
143KB

MD5
d8a654e08a7829642451a9244a3623b2

SHA1
0baefd9c82a3091ef185111f13ba5a693ffe195f

SHA256
0531992cab5933d651cca47a58bc75cccb6ba4db446ab55b2c772ca0791ff1f7

SHA512
04858b5514124675ebc957db94893b391f0b44cdd6f004ba584fb8906e9cf101c79f4e365993f0d84a2bdf43b5c44b2590a1047dfd8b61495638682e151f0fb5

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
143KB

MD5
d8a654e08a7829642451a9244a3623b2

SHA1
0baefd9c82a3091ef185111f13ba5a693ffe195f

SHA256
0531992cab5933d651cca47a58bc75cccb6ba4db446ab55b2c772ca0791ff1f7

SHA512
04858b5514124675ebc957db94893b391f0b44cdd6f004ba584fb8906e9cf101c79f4e365993f0d84a2bdf43b5c44b2590a1047dfd8b61495638682e151f0fb5

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
143KB

MD5
da6f0ec890c4228f966ad1159991935b

SHA1
85eb416f90486f4d3489eaac0a1038b4e15f258a

SHA256
c7f133dccc1323c32de6b71857a00047f521422d399d7824f2af90ef76844f18

SHA512
b4a9eb253fd43ea0ef9b4198e0600ad151e1b5f4007183aabe9acb3e78cd30b19198ca039c5ec915ae0bcf23ab2f319444b8931f71af5eb899ad0621cd71b072

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
143KB

MD5
da6f0ec890c4228f966ad1159991935b

SHA1
85eb416f90486f4d3489eaac0a1038b4e15f258a

SHA256
c7f133dccc1323c32de6b71857a00047f521422d399d7824f2af90ef76844f18

SHA512
b4a9eb253fd43ea0ef9b4198e0600ad151e1b5f4007183aabe9acb3e78cd30b19198ca039c5ec915ae0bcf23ab2f319444b8931f71af5eb899ad0621cd71b072

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
143KB

MD5
2b2a0f86298524962f579463435e23f3

SHA1
bc53ff043e93c5925a837558266fee532b02bb49

SHA256
a4d11b95eab126c39b8298025f49f57793b7986d2ef6371bfbe02e2236b3dfe2

SHA512
ae0f3d05b14dc7f0d277d1c02f1fb75295a4302bbe5a8b99250a70055188169debf26c0de0d763b56d38b2663ed108615e1714343679ad7de999e0946e58afd9

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
143KB

MD5
2b2a0f86298524962f579463435e23f3

SHA1
bc53ff043e93c5925a837558266fee532b02bb49

SHA256
a4d11b95eab126c39b8298025f49f57793b7986d2ef6371bfbe02e2236b3dfe2

SHA512
ae0f3d05b14dc7f0d277d1c02f1fb75295a4302bbe5a8b99250a70055188169debf26c0de0d763b56d38b2663ed108615e1714343679ad7de999e0946e58afd9

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
143KB

MD5
dc94fc63374d9fff54ff14a6003a5f5a

SHA1
ba3204cd4783ab8f1cc52b33a56be18ef1169edd

SHA256
194a58a751797c5ef84d1c6c88cf0217c867822b79aeb73776c036bf41d4fb93

SHA512
bc7d86ae42f84caf54891651028bf8e2fb56a7a41d133ec50d375aec26f406a197e87c26cc54e4bb66d6550ae0e96d9fb217f5bff9fc7dce9887cf1f735a4c1b

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
143KB

MD5
dc94fc63374d9fff54ff14a6003a5f5a

SHA1
ba3204cd4783ab8f1cc52b33a56be18ef1169edd

SHA256
194a58a751797c5ef84d1c6c88cf0217c867822b79aeb73776c036bf41d4fb93

SHA512
bc7d86ae42f84caf54891651028bf8e2fb56a7a41d133ec50d375aec26f406a197e87c26cc54e4bb66d6550ae0e96d9fb217f5bff9fc7dce9887cf1f735a4c1b

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
143KB

MD5
7af7950278d078846534e56d32927315

SHA1
a465ebe4535bbaea6d83456407cc955eefef7418

SHA256
3872f56ff68d6ee5f03f4e59c2d4ee844a303ccb5a18c1f246b7817ae0df0a9a

SHA512
494babde96022a75d0a4de2a953dcb0e96768d83408e3c39b2e82aa6d2657d215502fb127b468f07f6be86179d500868e702e7df3e97583b2557502316ca0c67

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
143KB

MD5
7af7950278d078846534e56d32927315

SHA1
a465ebe4535bbaea6d83456407cc955eefef7418

SHA256
3872f56ff68d6ee5f03f4e59c2d4ee844a303ccb5a18c1f246b7817ae0df0a9a

SHA512
494babde96022a75d0a4de2a953dcb0e96768d83408e3c39b2e82aa6d2657d215502fb127b468f07f6be86179d500868e702e7df3e97583b2557502316ca0c67

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
143KB

MD5
17b5e49fc4a92ed3c3a4215860cb1212

SHA1
5db1d33b938552a417f0558af7f6012fc3e0e6be

SHA256
b1635dcd46008ef81414eb71f77a78dce07697d4f4ba31e34b0b73e6df7e522b

SHA512
0bf01b1e1a83b1c6b1ae84641c9fdc06daf1371babff3b0b9c12f9b6c535c5404718c729c30a2101e163b7197f3e269db2d4ade50f6ca043623195fe27c485ec

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
143KB

MD5
17b5e49fc4a92ed3c3a4215860cb1212

SHA1
5db1d33b938552a417f0558af7f6012fc3e0e6be

SHA256
b1635dcd46008ef81414eb71f77a78dce07697d4f4ba31e34b0b73e6df7e522b

SHA512
0bf01b1e1a83b1c6b1ae84641c9fdc06daf1371babff3b0b9c12f9b6c535c5404718c729c30a2101e163b7197f3e269db2d4ade50f6ca043623195fe27c485ec

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
143KB

MD5
a136f82008761589b3a5aa18ed0d306d

SHA1
a9df146b887e1d3b0de6c2bb0bef189a331396bf

SHA256
fd1851c67702129af7ace48adf61786363e58b4d747b0143e8adc48780a29875

SHA512
2b75ca8701ddba1c265d6094099e8116ca0adf11171c7357aa293c0e4ee6b5c5a02ccb9aff73c759891182d19225dbff4faf8ee78ec8fde163a2a43799835401

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
143KB

MD5
a136f82008761589b3a5aa18ed0d306d

SHA1
a9df146b887e1d3b0de6c2bb0bef189a331396bf

SHA256
fd1851c67702129af7ace48adf61786363e58b4d747b0143e8adc48780a29875

SHA512
2b75ca8701ddba1c265d6094099e8116ca0adf11171c7357aa293c0e4ee6b5c5a02ccb9aff73c759891182d19225dbff4faf8ee78ec8fde163a2a43799835401

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
143KB

MD5
57a5eadc3974265b8364c5002902a8e8

SHA1
9fbc98122aa71439fd35aa1f184abf7a620da402

SHA256
ba2fa6329c1b77d9ede355d4b7859dbebed3ee2d2eec3d676a8603be124e757f

SHA512
4f115f860eee162a115440cd153eae3cd2c0f8751ef960f5931dca0abb27072e7eae815941be965ed289d24932887f810bc75fc03e608717c7d9304c8f436bd6

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
143KB

MD5
57a5eadc3974265b8364c5002902a8e8

SHA1
9fbc98122aa71439fd35aa1f184abf7a620da402

SHA256
ba2fa6329c1b77d9ede355d4b7859dbebed3ee2d2eec3d676a8603be124e757f

SHA512
4f115f860eee162a115440cd153eae3cd2c0f8751ef960f5931dca0abb27072e7eae815941be965ed289d24932887f810bc75fc03e608717c7d9304c8f436bd6

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
143KB

MD5
28e86c273ca81fdf78db2199905d0bfc

SHA1
78088a1d29d366b75e960cd4e4bd5b9018b521f0

SHA256
b561668a96bc24451af8eb4ebff35f60fec564feb91bfc0590c1d30596d29e07

SHA512
a8b8b698be7d34349093a070e0fc8ef554889e5f765bd20a2b29c56a74ea83bb3a1646d9844304b4654faecc757a9676d8a2af1b6ebecf275deee4e254aca750

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
143KB

MD5
28e86c273ca81fdf78db2199905d0bfc

SHA1
78088a1d29d366b75e960cd4e4bd5b9018b521f0

SHA256
b561668a96bc24451af8eb4ebff35f60fec564feb91bfc0590c1d30596d29e07

SHA512
a8b8b698be7d34349093a070e0fc8ef554889e5f765bd20a2b29c56a74ea83bb3a1646d9844304b4654faecc757a9676d8a2af1b6ebecf275deee4e254aca750

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
143KB

MD5
f75a8ed5ebdfec705dd27c7968714564

SHA1
df50b21e9a138b3edfac2e65bfe8e1b92899a6a6

SHA256
37eea228ec5c00badfa43b1a245a3b91ef02dfe055e6a5c949c34b2a35e0e434

SHA512
de06d329573c6923cce6c11d72194673e1c13435454191cdcb035a1543945394287f0ca69ecb23a5d009968a69dca42eaff9b83e05ff6ed64f3ceb0c1f554a9e

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
143KB

MD5
f75a8ed5ebdfec705dd27c7968714564

SHA1
df50b21e9a138b3edfac2e65bfe8e1b92899a6a6

SHA256
37eea228ec5c00badfa43b1a245a3b91ef02dfe055e6a5c949c34b2a35e0e434

SHA512
de06d329573c6923cce6c11d72194673e1c13435454191cdcb035a1543945394287f0ca69ecb23a5d009968a69dca42eaff9b83e05ff6ed64f3ceb0c1f554a9e

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
143KB

MD5
c8b913e4fe8e63ccac7466dcfa94aa18

SHA1
f0a3291965ac371579d8f3d13f9e4373d85cdc8c

SHA256
d195bf20fbd324670a89be453f0ed98828247f414d0cfde21b7b1508de80bd19

SHA512
d2099cd6dcc40d45529f69f86a2b4334432ede7f81930c2533c814677d216f7e9e857756660218b2293b475a0d6d3cd7137547f087ec5911439c35550e120910

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
143KB

MD5
c8b913e4fe8e63ccac7466dcfa94aa18

SHA1
f0a3291965ac371579d8f3d13f9e4373d85cdc8c

SHA256
d195bf20fbd324670a89be453f0ed98828247f414d0cfde21b7b1508de80bd19

SHA512
d2099cd6dcc40d45529f69f86a2b4334432ede7f81930c2533c814677d216f7e9e857756660218b2293b475a0d6d3cd7137547f087ec5911439c35550e120910

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
143KB

MD5
6f6e33c8cecc7eae4253c00d9a9dee89

SHA1
889148f35e9cc935560e221620f19b2a9d40512b

SHA256
f7c1ae52b659fd713d3ac9b651db0d66e0cc812ae58b61c0d5b1cf60b737aca0

SHA512
21bd9a29a9ecbb13cdee1587e5047c5071b2bfff012a1382e5c0fefbab2549e38e88f9595869782fbe5cd9d3af666e035870120d348ddcb10bd433a757d23a17

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
143KB

MD5
6f6e33c8cecc7eae4253c00d9a9dee89

SHA1
889148f35e9cc935560e221620f19b2a9d40512b

SHA256
f7c1ae52b659fd713d3ac9b651db0d66e0cc812ae58b61c0d5b1cf60b737aca0

SHA512
21bd9a29a9ecbb13cdee1587e5047c5071b2bfff012a1382e5c0fefbab2549e38e88f9595869782fbe5cd9d3af666e035870120d348ddcb10bd433a757d23a17

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
143KB

MD5
dbc6f9425989ca2e7d2e0d1b7089564e

SHA1
96bedcf5e92e6b04f418f7b7ed53763c513ef013

SHA256
addf8c1de22f45b1e2bd13d1a748bf9355bf29be042430d4274bfc35d029b0f1

SHA512
5cb7c7705aa8c4cadf8c228b8872b981dff7bcb3653b6daba7b13564c9f15b89082e9d0ddf3d722b37fef82f59b652e52db8cb767019a960f2ca50a6022468c5

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
143KB

MD5
dbc6f9425989ca2e7d2e0d1b7089564e

SHA1
96bedcf5e92e6b04f418f7b7ed53763c513ef013

SHA256
addf8c1de22f45b1e2bd13d1a748bf9355bf29be042430d4274bfc35d029b0f1

SHA512
5cb7c7705aa8c4cadf8c228b8872b981dff7bcb3653b6daba7b13564c9f15b89082e9d0ddf3d722b37fef82f59b652e52db8cb767019a960f2ca50a6022468c5

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
143KB

MD5
34e4145c72e0b35648c469719ceadf3b

SHA1
14a730330250c328b2510233175dd677938a96a7

SHA256
ad51196c1056b8224dc1bb312426f5b86b50d27c3a2ff362dbff2b9f739ead9d

SHA512
a3ffdf2170976723dcb4188779ed597be707524935d985bbd8a5c966404846402e9468363b60ad5bf382065391e21455368e4c2db94eb1aced074f01fd178739

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
143KB

MD5
34e4145c72e0b35648c469719ceadf3b

SHA1
14a730330250c328b2510233175dd677938a96a7

SHA256
ad51196c1056b8224dc1bb312426f5b86b50d27c3a2ff362dbff2b9f739ead9d

SHA512
a3ffdf2170976723dcb4188779ed597be707524935d985bbd8a5c966404846402e9468363b60ad5bf382065391e21455368e4c2db94eb1aced074f01fd178739

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
143KB

MD5
7d18fd5e745913f517f2b5b8649102e2

SHA1
5ca18d60a27743c982cbdfdeaacb274c007bafd8

SHA256
e7aa468544e9fa02e73952fdebdb05bcf4c8ac0d2429add97c737eee3be7322d

SHA512
58b03cd702586c8e025ba244c198270975314991fdf7f9896135970ee5011ff27fcf1434c9caf0a7ffea982e748676c6db4d20821bb79b8e7d845f4dd78a63b1

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
143KB

MD5
7d18fd5e745913f517f2b5b8649102e2

SHA1
5ca18d60a27743c982cbdfdeaacb274c007bafd8

SHA256
e7aa468544e9fa02e73952fdebdb05bcf4c8ac0d2429add97c737eee3be7322d

SHA512
58b03cd702586c8e025ba244c198270975314991fdf7f9896135970ee5011ff27fcf1434c9caf0a7ffea982e748676c6db4d20821bb79b8e7d845f4dd78a63b1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
143KB

MD5
5dca1d1076a5e1aaf9d1d6a72ad99e04

SHA1
e99306c7fdc8e9489380b11d2e838dcd517d0d1c

SHA256
a078b9572d13231ce9ef88f907e900d8cf1f45772faedb32c6d1233830fb9ce5

SHA512
02ea34c0f66bc55721c9291a7fd6f5c3af6145a37831bccd0993ea8c6b80fd80c385c8c7cb6775acd85e5bcb2e6a1315dda9acb9dec8b6722a372d90455fff60

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
143KB

MD5
5dca1d1076a5e1aaf9d1d6a72ad99e04

SHA1
e99306c7fdc8e9489380b11d2e838dcd517d0d1c

SHA256
a078b9572d13231ce9ef88f907e900d8cf1f45772faedb32c6d1233830fb9ce5

SHA512
02ea34c0f66bc55721c9291a7fd6f5c3af6145a37831bccd0993ea8c6b80fd80c385c8c7cb6775acd85e5bcb2e6a1315dda9acb9dec8b6722a372d90455fff60

Download Submit
memory/376-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/376-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2064-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2064-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3356-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3356-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4964-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4964-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads