berbew | a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 01:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
Size

161KB
MD5

c0d8d205beee4ed0fb39422ae9affdcb
SHA1

9eed736cebc8acde3921b9fb807142bdfa2b655c
SHA256

a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a
SHA512

4a0b78df9146ed7a0b3dc9d2b7410974084fd074e21b81fda3fc675dc92866a710d627b4ca9f0f2d41b90c39d251cfebcdaae540e8518f5a9babaacf826f1377
SSDEEP

3072:zhaKwvxAPpMZnQkBVwtCJXeex7rrIRZK8K8/kvV:twuyZnQkBVwtmeetrIyRV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 22 IoCs

pid	Process
2052	Bdcifi32.exe
2880	Bjpaop32.exe
2776	Bgcbhd32.exe
2372	Bjbndpmd.exe
2760	Bjbndpmd.exe
2736	Bieopm32.exe
2572	Boogmgkl.exe
2980	Ccmpce32.exe
2524	Cfkloq32.exe
760	Cmedlk32.exe
1512	Cbblda32.exe
1564	Cileqlmg.exe
2832	Cpfmmf32.exe
2216	Cinafkkd.exe
1596	Cbffoabe.exe
2436	Ceebklai.exe
2008	Cnmfdb32.exe
1732	Calcpm32.exe
1848	Djdgic32.exe
1536	Dnpciaef.exe
3008	Dmbcen32.exe
2108	Dpapaj32.exe

Loads dropped DLL 47 IoCs

pid	Process
2280	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
2280	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
2052	Bdcifi32.exe
2052	Bdcifi32.exe
2880	Bjpaop32.exe
2880	Bjpaop32.exe
2776	Bgcbhd32.exe
2776	Bgcbhd32.exe
2372	Bjbndpmd.exe
2372	Bjbndpmd.exe
2760	Bjbndpmd.exe
2760	Bjbndpmd.exe
2736	Bieopm32.exe
2736	Bieopm32.exe
2572	Boogmgkl.exe
2572	Boogmgkl.exe
2980	Ccmpce32.exe
2980	Ccmpce32.exe
2524	Cfkloq32.exe
2524	Cfkloq32.exe
760	Cmedlk32.exe
760	Cmedlk32.exe
1512	Cbblda32.exe
1512	Cbblda32.exe
1564	Cileqlmg.exe
1564	Cileqlmg.exe
2832	Cpfmmf32.exe
2832	Cpfmmf32.exe
2216	Cinafkkd.exe
2216	Cinafkkd.exe
1596	Cbffoabe.exe
1596	Cbffoabe.exe
2436	Ceebklai.exe
2436	Ceebklai.exe
2008	Cnmfdb32.exe
2008	Cnmfdb32.exe
1732	Calcpm32.exe
1732	Calcpm32.exe
1848	Djdgic32.exe
1848	Djdgic32.exe
1536	Dnpciaef.exe
1536	Dnpciaef.exe
3008	Dmbcen32.exe
3008	Dmbcen32.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Gfikmo32.dll	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bieopm32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe

Program crash 1 IoCs

pid	pid_target	Process
2408	2108	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Ceebklai.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2052	2280	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe	31
PID 2280 wrote to memory of 2052	2280	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe	31
PID 2280 wrote to memory of 2052	2280	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe	31
PID 2280 wrote to memory of 2052	2280	a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe	31
PID 2052 wrote to memory of 2880	2052	Bdcifi32.exe	32
PID 2052 wrote to memory of 2880	2052	Bdcifi32.exe	32
PID 2052 wrote to memory of 2880	2052	Bdcifi32.exe	32
PID 2052 wrote to memory of 2880	2052	Bdcifi32.exe	32
PID 2880 wrote to memory of 2776	2880	Bjpaop32.exe	33
PID 2880 wrote to memory of 2776	2880	Bjpaop32.exe	33
PID 2880 wrote to memory of 2776	2880	Bjpaop32.exe	33
PID 2880 wrote to memory of 2776	2880	Bjpaop32.exe	33
PID 2776 wrote to memory of 2372	2776	Bgcbhd32.exe	34
PID 2776 wrote to memory of 2372	2776	Bgcbhd32.exe	34
PID 2776 wrote to memory of 2372	2776	Bgcbhd32.exe	34
PID 2776 wrote to memory of 2372	2776	Bgcbhd32.exe	34
PID 2372 wrote to memory of 2760	2372	Bjbndpmd.exe	35
PID 2372 wrote to memory of 2760	2372	Bjbndpmd.exe	35
PID 2372 wrote to memory of 2760	2372	Bjbndpmd.exe	35
PID 2372 wrote to memory of 2760	2372	Bjbndpmd.exe	35
PID 2760 wrote to memory of 2736	2760	Bjbndpmd.exe	36
PID 2760 wrote to memory of 2736	2760	Bjbndpmd.exe	36
PID 2760 wrote to memory of 2736	2760	Bjbndpmd.exe	36
PID 2760 wrote to memory of 2736	2760	Bjbndpmd.exe	36
PID 2736 wrote to memory of 2572	2736	Bieopm32.exe	37
PID 2736 wrote to memory of 2572	2736	Bieopm32.exe	37
PID 2736 wrote to memory of 2572	2736	Bieopm32.exe	37
PID 2736 wrote to memory of 2572	2736	Bieopm32.exe	37
PID 2572 wrote to memory of 2980	2572	Boogmgkl.exe	38
PID 2572 wrote to memory of 2980	2572	Boogmgkl.exe	38
PID 2572 wrote to memory of 2980	2572	Boogmgkl.exe	38
PID 2572 wrote to memory of 2980	2572	Boogmgkl.exe	38
PID 2980 wrote to memory of 2524	2980	Ccmpce32.exe	39
PID 2980 wrote to memory of 2524	2980	Ccmpce32.exe	39
PID 2980 wrote to memory of 2524	2980	Ccmpce32.exe	39
PID 2980 wrote to memory of 2524	2980	Ccmpce32.exe	39
PID 2524 wrote to memory of 760	2524	Cfkloq32.exe	40
PID 2524 wrote to memory of 760	2524	Cfkloq32.exe	40
PID 2524 wrote to memory of 760	2524	Cfkloq32.exe	40
PID 2524 wrote to memory of 760	2524	Cfkloq32.exe	40
PID 760 wrote to memory of 1512	760	Cmedlk32.exe	41
PID 760 wrote to memory of 1512	760	Cmedlk32.exe	41
PID 760 wrote to memory of 1512	760	Cmedlk32.exe	41
PID 760 wrote to memory of 1512	760	Cmedlk32.exe	41
PID 1512 wrote to memory of 1564	1512	Cbblda32.exe	42
PID 1512 wrote to memory of 1564	1512	Cbblda32.exe	42
PID 1512 wrote to memory of 1564	1512	Cbblda32.exe	42
PID 1512 wrote to memory of 1564	1512	Cbblda32.exe	42
PID 1564 wrote to memory of 2832	1564	Cileqlmg.exe	43
PID 1564 wrote to memory of 2832	1564	Cileqlmg.exe	43
PID 1564 wrote to memory of 2832	1564	Cileqlmg.exe	43
PID 1564 wrote to memory of 2832	1564	Cileqlmg.exe	43
PID 2832 wrote to memory of 2216	2832	Cpfmmf32.exe	44
PID 2832 wrote to memory of 2216	2832	Cpfmmf32.exe	44
PID 2832 wrote to memory of 2216	2832	Cpfmmf32.exe	44
PID 2832 wrote to memory of 2216	2832	Cpfmmf32.exe	44
PID 2216 wrote to memory of 1596	2216	Cinafkkd.exe	45
PID 2216 wrote to memory of 1596	2216	Cinafkkd.exe	45
PID 2216 wrote to memory of 1596	2216	Cinafkkd.exe	45
PID 2216 wrote to memory of 1596	2216	Cinafkkd.exe	45
PID 1596 wrote to memory of 2436	1596	Cbffoabe.exe	46
PID 1596 wrote to memory of 2436	1596	Cbffoabe.exe	46
PID 1596 wrote to memory of 2436	1596	Cbffoabe.exe	46
PID 1596 wrote to memory of 2436	1596	Cbffoabe.exe	46

C:\Users\Admin\AppData\Local\Temp\a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe
"C:\Users\Admin\AppData\Local\Temp\a123cc1c06b7120f8956bd8b2ec1174169bdbc90fe5a023b9cc3d72df4f4b24a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Bdcifi32.exe
  C:\Windows\system32\Bdcifi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\Bjpaop32.exe
    C:\Windows\system32\Bjpaop32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\Bgcbhd32.exe
      C:\Windows\system32\Bgcbhd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 144
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bieopm32.exe

Filesize
161KB

MD5
6e7eb2408f38a60096db89c39a6361ef

SHA1
3576dd087fc242d720b9935858111edc8e60431a

SHA256
c79830d992eae817b97792845905db8585ac7c57f106574ca07e1d523dc36131

SHA512
9ec05b8171a7482f8e95fb9337ca47a35fc7d8cd983e160fc1eae5a32ba1b4841b68d357ffbd5c6454f17829e95982639711651200b4d9c472259a42af79def2

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
161KB

MD5
0b5acb9fc81f5f4b9c4913bed7b683e2

SHA1
7466276e64c27019bb48ccf2702ceaaaac7d1baa

SHA256
79425498af064365d9e896924a123c7ff4c92ff3e898de64be653bac824826c3

SHA512
146023535711ae4aca378de2ea2a75226d49baf936a9b678132ab14e946d314b56e7c9a791e0275d536dded4dfca17d21a3e932e87096df51ab24db9e45a727c

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
161KB

MD5
e3ae73bc121bdececf0be2736857d434

SHA1
80f046d463574524b55bfb58dbe707fa3e2846fd

SHA256
e0fe407f4c01ab0a4ffdc5feba045cb0da7c86eb7e859fdab0fef79e36b980df

SHA512
7ed27635f7f92db10aaad8d61f166715a04f896441b87c516a0560859d0b967769abe57e2790f2a4d631dc11da8a2620e169cebf9b435d8eae627e03cbb30e02

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
161KB

MD5
3aced00565de95309b3def4337df0c71

SHA1
31f352ffd2a5780f419f5362459921176458307d

SHA256
99bfd8d86773279c97e7323d1d9a56ce92e8f54213e363be429c877819ee70e1

SHA512
0d11b1caea6684016c989922425df2544986c6e1c2993a96c627c8e41abb129a132c0f0025d6d7dc418821c50862c78dc4636f78d63e194bdc6b0cbf2f146b7e

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
161KB

MD5
0008b8e74d28850183ac5a9f57417448

SHA1
7aa955b7c2b367b814d1960caa5563049d53706c

SHA256
4fcfaefdaf3baa6d2b6c17d9ca5e9943205487d566af80d4b665b12a5864e611

SHA512
39e64db2e9176eebd6bfdafbb19c4330cb2393cb5a629af4f0189aba6bc1248f8be6b8e195149a524b7fb8735aa6d6ff567d938d273a6fcc22281a3336dc7d19

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
161KB

MD5
a58eb206c8824d4ed4cae4f13cb8c835

SHA1
75d9acf4b839476ff360245ede35d94dd1ab02b3

SHA256
cd748795e5d300c96751c3ce3dc4f377cf3d687b12947c923567f84246e178d0

SHA512
dc7929ae90f888d041c8ce62431f66a41bc59db77922432e6f9c3888cece7c262ca79151db76c0a78193a6c18f3f5fd4e30f3e6ae4447f7ca3bdf01cece5bc94

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
161KB

MD5
bfe4af69d4f63fc6649430a8f9b84260

SHA1
bb15d5f150dfa74ef1e5c71042a6beaa191fe9fa

SHA256
0dd7a1bbeb6ca47b13feb023fae010eaae0a42d51aee2567d6373fba40ad90be

SHA512
fa55872e4cfcc6e3f95b92c5d7807f586ee44fb67e93434c4073f0ed7ea5ec7a780889f9175adc2c4d328319f907379a881d1fe542e2bafda8b11756410cbed7

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
161KB

MD5
a64b510d67a64526a8c55d836d2808f8

SHA1
9d77095dddf4199dd29145217bd719641464ec05

SHA256
34921429ef018fcb3209a21ceae43d509c7d4e6d44bb02dec36374ad8e2c30b5

SHA512
fef34857082f2790e75388b2f408d646f485ee28330afbba8db7f7be2e733d13af894316c6cdb876f595db396902585adc7235b1f90a0f33ea3535c95da83e6a

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
161KB

MD5
3b601d54632a59556ddf9c3c30b843c3

SHA1
8e8e61a0fda93c189f7b6558ca79b53b242e0871

SHA256
f7d4ac183d844fce1220ae3d4ad3ee4031c49333e655341e301b8e84a2bac439

SHA512
b3aac015e9f343818033c9884e3fb5329cb9f2a11b4cf551f24af6b7030b080b6df29a34cba3b5dc868f6fc0ee48b2fd548b2c792904315a194afe0011f2f891

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
161KB

MD5
5557708646c6a2dcf1c9763b3a92b18b

SHA1
56be42680f4ca02ca783805d4e45d0c09f3d2f74

SHA256
fe946a657eeb292d24c0c9501aba8265b660c015e8530013cc17708c0a446738

SHA512
0c042be2c2cca48b05dd2c9da2b5712cebf242fbb3bd9959349e24612c9697a7c36c7142ac8652ef2800e16e157c3e974293e69f520dc78a1d8ac1bf844107b2

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
161KB

MD5
73a30a4a541145ae53f470da187de8ab

SHA1
e040e5e95824d8e3e94278310b515383a5068df0

SHA256
201e0e513d280e302371ec0d3e96d1f482fbb5ed5f464ccef27d41d22cc0eb14

SHA512
d4ae6c3f562eb2b2228ef04047d70d0fde51d32dbc84d55b7f3a9b2418f1be0e63c5a30aaba98f17568903358f1f1b1e56f9b7a67cf715d34f857883b4519bb4

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
161KB

MD5
655b66cb8c9c549ab92c4022ae6aa49a

SHA1
03e5f90a51e8c1e873189d04efb1fcf6dfc8e998

SHA256
6117485426d2a41c255fc6c31962c41eaaa811830dd23babfe7198eca0062831

SHA512
d6ffdc00a763c0ec47b2bec31bb68775a05849377666800e5bbdc3e983149b33514cce3b53565e4bf3c7ba7308db540d50acbda29cb411dddebaa7451a921c4a

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
161KB

MD5
c8869c6aaac0e957cc0ce5cecf3e9a77

SHA1
8b2e728765639dccbc4aaf30b5f2abaeecb4008f

SHA256
4255ac0294cbd6e2a923f9998460a1bc2c9d089ffd0da7ca6bc93883a050008c

SHA512
070dda0d2184ca380b6f8ad2f78f75cb91c1c62736836128234eae5e48d133bcc5a605dc2e2914176b05b774f4a464515c11af463a4fb689bb7e672fe21096aa

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
161KB

MD5
5ed90ae0c98669a02587e3f77e3d460c

SHA1
a83e86d0b558782822251d05316e7b3868ef1fc6

SHA256
2a81cf9a10a74e08111d19fb131172df14c9c5fd0b0aa3a670a0305c052e92be

SHA512
47360fbcb9152091defa66d64e3b77cdc66306ad39ee64a22a1672fa025bc666ec69f6c6238f2476e5ea72d2a6663f501ec324053ced03b3cf2372ca02d7e270

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
161KB

MD5
242d4ccf3c60c0769797bc165a56759f

SHA1
907a633fca6f4dff7f8ddb36e4ca138bf4b5a87b

SHA256
55f4519b3a949bd6b77a0da05ffab08e4906b10558fa35e5da27b167a8330972

SHA512
d9a4bb0cc6a03750172905acbc40a2b516eca5e20b294456dda6604c1ad933bd2755dd0707762cb85f75e55e0519adf91cdc425d4d4d92340dd593dbf9c23950

Download Submit
C:\Windows\SysWOW64\Gfikmo32.dll

Filesize
7KB

MD5
196f80a32b1a9ca20877bb1925e724e9

SHA1
99dae92419f1e6c206453cde3225c725193532fb

SHA256
89ba149b9150147f944fe155eb9daa9d0be062490070b8888965c86911cb2a3d

SHA512
ccbad44d60d24f2ef00cd92245bec91d28e922a9f0678340b1c3581936ea3ad0d67ea62ee21ec0cdd9dcbf63447188af11c09b2e62d456a385188806fb1990ae

Download Submit
\Windows\SysWOW64\Bdcifi32.exe

Filesize
161KB

MD5
7ff3f526f453f861013e5ebcc09da16d

SHA1
2c1cb1e98733ea9954efc2c9d3abc234dd38e609

SHA256
5e07840a5823577e247b1419d3b01c0f44b17921cd9a3362f083f2b27c7f9cdc

SHA512
a3796ac35729e37c633cf9bacc6f33555b8de1aff2d73357cc34ad1a233c3af3122b1d6a4a1256ea8be3394586c8ae85f9f71255c8b1b6290e3e44c013a2c13e

Download Submit
\Windows\SysWOW64\Bgcbhd32.exe

Filesize
161KB

MD5
792347ae448ae82e266216acec18f6a8

SHA1
d635d752a09734769fc42195edb25f47ae11ba9c

SHA256
748ea1119199a6be1e8ca93d767bee619003b23c9474669a189be1a3631a7436

SHA512
3ca8bc1e1a86f5c05b1b94d7f9b2fd585571c718043ae4da934701e229f08c5de986adcb10457871b732423929fbbf6fd1b2b78cdd60d55ccb0579dfbe7df84f

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
161KB

MD5
74334f4be224b2ed79d00a0ebd28fa72

SHA1
db3fa51a676ccd3cc443b57347dd9d35d2dc200f

SHA256
a990b156722ad032f012ba6a585ac87bca79466f3005305ccf0083bba463d497

SHA512
1aadffcc7cc3c6c18269fb3d088e592b12b2da46d74c42b5515e86ad813f4b5b0647a0eab3ef35103bd99073f2300b17e5c541189a40e4090ad6341a2dd4fa85

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
161KB

MD5
d20a20b267fd830ceae4e6b9b6a5e0a6

SHA1
e1b66b22351a2b23540b588b0fa332fee70d9dce

SHA256
f37aeca2ef2f71ceec676b64851158afebdaa65c5badcf179002e484967f61de

SHA512
516ed050bcf8d943e2b52a3b1b8f92c5e865bdd82b4ed3ea97d93163d7ee35e02183c5a6c048e1b4a440a2e2c5f12eca95a2b9946eeed518b299ec12e119438e

Download Submit
\Windows\SysWOW64\Cmedlk32.exe

Filesize
161KB

MD5
286815d8a17bba360782f0996d67535a

SHA1
7d8fdf7c643c2633b76ccafef90b21dd9dd31317

SHA256
fd5f81d745f36c65cc3560b5216f85beab826e44628fb80c5ff2f4791bfd3160

SHA512
859762101ef8c627551fe279813fb11a93eff9576081dcb5ef5f8cb50688e6c76c6b3418951ff96f48b445a4a88eeb75a8db7f2b0499fcbac847b14bc8475f31

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
161KB

MD5
fe9e7d454c31b3d4495ac66a23bfd289

SHA1
807da394eafb2ce6a333b5d522f9a323fa5fb8f1

SHA256
cff4f3857918ef54d4b4d0b87b0415358f8e4d3c70e07666d5abb0b04ec908ff

SHA512
03e8d502ac967948e1a1e408950490f30c684b49e36bf7d98dd93bf4877f2cb9f0fc948922ebfd220da940c84386ab84b67e54ed6f03bf522e09ba47944118fb

Download Submit
memory/760-137-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/760-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/760-145-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1512-213-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1512-165-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1512-164-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1512-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1512-214-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1536-284-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1536-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1564-232-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/1564-184-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/1564-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1564-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1564-178-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/1596-230-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1596-225-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1596-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1596-267-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1732-262-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1732-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1848-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1848-273-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2008-245-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-255-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/2052-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2052-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2108-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2216-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2216-260-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2216-215-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2216-208-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2216-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2280-82-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2280-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2280-11-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2280-12-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2280-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2372-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2436-241-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2436-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2436-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-136-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/2524-134-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/2524-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-96-0x0000000001FA0000-0x0000000001FDF000-memory.dmp

Filesize
252KB

Download
memory/2572-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-163-0x0000000001FA0000-0x0000000001FDF000-memory.dmp

Filesize
252KB

Download
memory/2572-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-102-0x0000000001FA0000-0x0000000001FDF000-memory.dmp

Filesize
252KB

Download
memory/2736-78-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2736-122-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2760-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2776-59-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2776-46-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2832-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2880-110-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2880-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2880-117-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/2880-118-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/2980-112-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2980-120-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2980-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-176-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2980-169-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3008-298-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3008-289-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads