berbew | 236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
Size

520KB
MD5

e079b1f08e1a743d17a55b8dddc76e00
SHA1

1d60144e0c0c71f356de0b13b019b07e6d68085e
SHA256

236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21
SHA512

1baabff3fb6d0ba4727c0cb0311f0272c08e13bd197a3192292ec2709f4a721af78a7a11cd9ab309f070b680bde2d0eddc64fc87e0eb72b17ec84c94bd30e1a9
SSDEEP

6144:CE90dPWPyFM6234lKm3mo8Yvi4KsLTFM6234lKm3r8SeNpgdyuH1lZfRo0V8Jcg6:CO0lFFB24lwR45FB24lJ87g7/VycgEH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 23 IoCs

pid	Process
4588	Bcoenmao.exe
644	Cndikf32.exe
3896	Cabfga32.exe
4544	Cenahpha.exe
3112	Chokikeb.exe
4896	Cmlcbbcj.exe
2152	Chagok32.exe
3428	Cajlhqjp.exe
3408	Cjbpaf32.exe
3076	Cegdnopg.exe
4548	Djdmffnn.exe
4976	Ddmaok32.exe
4624	Djgjlelk.exe
4608	Ddonekbl.exe
60	Dhkjej32.exe
4880	Dodbbdbb.exe
3660	Deokon32.exe
2548	Dhmgki32.exe
1204	Dkkcge32.exe
1512	Deagdn32.exe
2600	Dhocqigp.exe
3420	Doilmc32.exe
5000	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cjbpaf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4580	5000	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 4588	3148	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe	83
PID 3148 wrote to memory of 4588	3148	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe	83
PID 3148 wrote to memory of 4588	3148	236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe	83
PID 4588 wrote to memory of 644	4588	Bcoenmao.exe	84
PID 4588 wrote to memory of 644	4588	Bcoenmao.exe	84
PID 4588 wrote to memory of 644	4588	Bcoenmao.exe	84
PID 644 wrote to memory of 3896	644	Cndikf32.exe	85
PID 644 wrote to memory of 3896	644	Cndikf32.exe	85
PID 644 wrote to memory of 3896	644	Cndikf32.exe	85
PID 3896 wrote to memory of 4544	3896	Cabfga32.exe	86
PID 3896 wrote to memory of 4544	3896	Cabfga32.exe	86
PID 3896 wrote to memory of 4544	3896	Cabfga32.exe	86
PID 4544 wrote to memory of 3112	4544	Cenahpha.exe	87
PID 4544 wrote to memory of 3112	4544	Cenahpha.exe	87
PID 4544 wrote to memory of 3112	4544	Cenahpha.exe	87
PID 3112 wrote to memory of 4896	3112	Chokikeb.exe	88
PID 3112 wrote to memory of 4896	3112	Chokikeb.exe	88
PID 3112 wrote to memory of 4896	3112	Chokikeb.exe	88
PID 4896 wrote to memory of 2152	4896	Cmlcbbcj.exe	89
PID 4896 wrote to memory of 2152	4896	Cmlcbbcj.exe	89
PID 4896 wrote to memory of 2152	4896	Cmlcbbcj.exe	89
PID 2152 wrote to memory of 3428	2152	Chagok32.exe	90
PID 2152 wrote to memory of 3428	2152	Chagok32.exe	90
PID 2152 wrote to memory of 3428	2152	Chagok32.exe	90
PID 3428 wrote to memory of 3408	3428	Cajlhqjp.exe	91
PID 3428 wrote to memory of 3408	3428	Cajlhqjp.exe	91
PID 3428 wrote to memory of 3408	3428	Cajlhqjp.exe	91
PID 3408 wrote to memory of 3076	3408	Cjbpaf32.exe	92
PID 3408 wrote to memory of 3076	3408	Cjbpaf32.exe	92
PID 3408 wrote to memory of 3076	3408	Cjbpaf32.exe	92
PID 3076 wrote to memory of 4548	3076	Cegdnopg.exe	93
PID 3076 wrote to memory of 4548	3076	Cegdnopg.exe	93
PID 3076 wrote to memory of 4548	3076	Cegdnopg.exe	93
PID 4548 wrote to memory of 4976	4548	Djdmffnn.exe	94
PID 4548 wrote to memory of 4976	4548	Djdmffnn.exe	94
PID 4548 wrote to memory of 4976	4548	Djdmffnn.exe	94
PID 4976 wrote to memory of 4624	4976	Ddmaok32.exe	95
PID 4976 wrote to memory of 4624	4976	Ddmaok32.exe	95
PID 4976 wrote to memory of 4624	4976	Ddmaok32.exe	95
PID 4624 wrote to memory of 4608	4624	Djgjlelk.exe	96
PID 4624 wrote to memory of 4608	4624	Djgjlelk.exe	96
PID 4624 wrote to memory of 4608	4624	Djgjlelk.exe	96
PID 4608 wrote to memory of 60	4608	Ddonekbl.exe	97
PID 4608 wrote to memory of 60	4608	Ddonekbl.exe	97
PID 4608 wrote to memory of 60	4608	Ddonekbl.exe	97
PID 60 wrote to memory of 4880	60	Dhkjej32.exe	98
PID 60 wrote to memory of 4880	60	Dhkjej32.exe	98
PID 60 wrote to memory of 4880	60	Dhkjej32.exe	98
PID 4880 wrote to memory of 3660	4880	Dodbbdbb.exe	99
PID 4880 wrote to memory of 3660	4880	Dodbbdbb.exe	99
PID 4880 wrote to memory of 3660	4880	Dodbbdbb.exe	99
PID 3660 wrote to memory of 2548	3660	Deokon32.exe	100
PID 3660 wrote to memory of 2548	3660	Deokon32.exe	100
PID 3660 wrote to memory of 2548	3660	Deokon32.exe	100
PID 2548 wrote to memory of 1204	2548	Dhmgki32.exe	101
PID 2548 wrote to memory of 1204	2548	Dhmgki32.exe	101
PID 2548 wrote to memory of 1204	2548	Dhmgki32.exe	101
PID 1204 wrote to memory of 1512	1204	Dkkcge32.exe	102
PID 1204 wrote to memory of 1512	1204	Dkkcge32.exe	102
PID 1204 wrote to memory of 1512	1204	Dkkcge32.exe	102
PID 1512 wrote to memory of 2600	1512	Deagdn32.exe	103
PID 1512 wrote to memory of 2600	1512	Deagdn32.exe	103
PID 1512 wrote to memory of 2600	1512	Deagdn32.exe	103
PID 2600 wrote to memory of 3420	2600	Dhocqigp.exe	104

C:\Users\Admin\AppData\Local\Temp\236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe
"C:\Users\Admin\AppData\Local\Temp\236665131a94527353dae973f85748d4f78fbad2a1e3e9efc771622f65f8ed21N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\SysWOW64\Bcoenmao.exe
  C:\Windows\system32\Bcoenmao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\Cndikf32.exe
    C:\Windows\system32\Cndikf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\SysWOW64\Cabfga32.exe
      C:\Windows\system32\Cabfga32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 416
        25⤵
        Program crash
        
        PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5000 -ip 5000
1⤵
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
520KB

MD5
d33e5ecfc1a1ef52e4ebdb01f61d0190

SHA1
11252dd8e35d07148de520f582c41b7fe2a144b5

SHA256
9bb5ddbaf2773075b721195070a85bece4d6c50dc7a4fd1c098883967403d0cb

SHA512
348aada48233ebdf7d37c7f24c6665db43f2857516be65912fd34af976106e23d0c8b5859984b7591183edc75955e0f0e3233fecf07e846a76b6538fb1c17d15

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
520KB

MD5
548ed509717b753194c711bb2499eff4

SHA1
f1c59fc4e27c9a2e45cd644a8b9059cc0f1b3b9c

SHA256
5d22c44a4722f3c104a74ccf9e837c077738649575342e89b0af63b32ad2abce

SHA512
aae143a7097cd03d806c95daf89380fd0bfafcb4ba1f288fde64669d4c9a5948ca6e459a70b6eb623182e5100cb9e91189bf28dd6b4f6f32a10269f40348f630

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
448KB

MD5
09b0cc8d864e84973d965ef6b742ac76

SHA1
95fcec9e485cbb4309a1a5588e0e2ad3ef87eb68

SHA256
82ed6da031f7f48a9fbcc426ca2efdc523e83cd9a35c9280ebd29c6358284d4d

SHA512
2ab49b97a81cac1ee44d00e9d96fe5dbe25f014522218be916f2972db9d3a93a3c0da342223bcd9cdd7acaca2a49352bb3038b23d2d596d280a4c2a7a1203983

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
520KB

MD5
c2da10fad305561578e6af3e8c7e99e2

SHA1
0d2722c816d40e460db64aebddeefba4478620b0

SHA256
7e8bc490e345bac679fcb6985787dd8e483f8793e092c9098a3ebe5a10c23a69

SHA512
f11690ec8d4b93237dcbf5cd29257689c735705a64e5b6d9af8308fb13c040c1c890299c7f15973171659a2c3a1da6847d24622a1b21dbd05574ffe0c4ab51cc

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
520KB

MD5
15de39350fc1de06e60517479353054c

SHA1
8bbbf99d28b88607b3b269c6f1c12d612046f1b1

SHA256
12e267a254d12d0bb8a7519b0533360a035139cc1cb7ad262f3f8d1976d0b8cc

SHA512
459350e20a4043d2d54d06f79697684411b71553ef5815ed23c74fe49afc0fe8433e5ba51f2ef872525a65736d77dc7257ac42621f8e3bd8b8694f5e7942dc0e

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
520KB

MD5
cbcf02d806f067d17dcea29c8785bc10

SHA1
44f389afe0cbc90ea2ec959582dc49d4da25d144

SHA256
3b665fded82de01c8c390497ec0c69fb2a887abf354ce2bd64ceb63595b8c73b

SHA512
983e97a81d574fc01e62bb05ee46fbcde91d42908a4f7baad7eaad516c9f8101584aa042a0f21b937485a2e24bd60a62ae356f6edf275801b6eb2992d5860edc

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
520KB

MD5
3d838778212e2b24d55b1fccfb889c77

SHA1
40809c1e36e5365f2ddf336fd1ec4c07f7f5c17b

SHA256
863fd2de51407389f46efdf41289cbacb4ca8319245754c6ef5a377db5beb4bf

SHA512
a3c76fef5119c813d68e232915c36e986116a60e29d1c74375c5c5007988a9321cda3bfcb3995031753fd7c7843bf8a75a07bbd63dc02f1de3a4faa016756540

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
520KB

MD5
d11b188e2ab692d29a55ca0ed0170dbe

SHA1
5c8df130a229a3eefb49b04fa6f34de6ded491a3

SHA256
2e9a88e4fb6e35b4807003f3aef28eb1124a9400cc6182b2ab835b644b59fc09

SHA512
2548c8702b1e68ff529d23de1e7265f5b0abe1fa6032196c038497993930968f52448506dc6a22bec6ab0c077ed2ec1e713b73ca7132b04289059efcc4f9c047

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
520KB

MD5
4aac3c145a32d9a22540a3c898f24091

SHA1
ea6c2aa48d99b9bd065f3bdf1ff1e63a23197b14

SHA256
7261f9f6a71543d5d2561aa358db5cffaf0e176cb4c77404673ec185887295bb

SHA512
1377b6505ff88f29e4f9b4814a6ede73208a465ac7efaa3fbe70127ff91ef7014b715761d55307efac146a8ab161029fee90d406701269d1357e771228f3778a

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
520KB

MD5
87e85535a8e341fc6639177d4eaf8c2e

SHA1
0a96cee831b6555b101562a4f1154a860405db16

SHA256
1c6da9793016b3ec413f8a10679c5c3d7cd4f2168bb48f0862c9ae6bc9d491b7

SHA512
be0151f6c7f65477d7bb535e6af8290e98bfbd6b1e49500b8322ff2f7e49b92d86a57f62b693c25e517947c0e32c28c17d1ffa7ed9113ee8f213764634c1fa54

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
520KB

MD5
a539ebb1d5faacddd1465992dcfc2af4

SHA1
9b110b16ff606f8514118e32b12e655204438a0e

SHA256
eba84787b927bd43984b53642131aadb5e2235bc68af2fb8491bac073b4eb21c

SHA512
6c951700ea3e297b821f24da8ff9a31392a8959084e1390e2f92ae47f70d20395a365b7298f30136be074b16d46c71f8d0c40a9c5c9084f4ff0bb74992e884c3

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
520KB

MD5
05eb86e0293248330ab154f1f727f4f5

SHA1
03f7c3388e3bee941c59ca498bb7e3386c004404

SHA256
afa7af13c7a5b57bebffca358d6ddc363e07af7ab4bab54f349a12780a2585d9

SHA512
3ac04479fbad121064011757b3bff5693e038bfad8ccc8090257422d6a511a05a785441be3f9b245d05f4f54cbadf4198609df4bb60e5116bd1e7ff45a4377c8

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
520KB

MD5
e24c8e6d228db3d39c2cc667491f3f86

SHA1
4c7b8d9efb8e617a130da64e6a7f1292c83f97bb

SHA256
26da8d876ebb72cf0505a70b160e27839ccefbc1e260ff608652e0a6a69876d2

SHA512
eb36204d45031b9074f2a1b89cdf9c9ab5dd519963664b902248b139a18c721f29520c4ac03e40a9aa623aa8f9c2a0347f5759179dd311119c7fd581d69e4ac3

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
520KB

MD5
94e25a36d0628326be9be0809a7b5f01

SHA1
443bb609ad016717d64946b808da1f1c22bcbf11

SHA256
02f1247b16f0f8434bb02f5b9e0e432f5789399b05c9dd7f214ea67d30fa257a

SHA512
1d1a9a622a913d0fcd5c7170764968600170a754000920911e350129ecbaf5b731103b20596aacd7aeaedc7a806f5cde0de60bc0b9b51074ee67e13c866c6f89

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
520KB

MD5
e16eccf00af636dbf2aabbeafef205e9

SHA1
6e9600a0ae30818c39b3e47cafa6c30a3dd9e129

SHA256
2730a0c14951cbd0470edb18b278d88800df59dfecc385cdd97a483e313208cc

SHA512
f9c8444f76ec544bcaefc04d248896405a0ae61ea136cce6bc0e130f03be1bcaf6b30a6f4e8aee6caba7554dd9856b8b19f78e1773fcdc3c0fa855aac20ea22d

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
520KB

MD5
411d02e282f15cae30ff1414ac6a3e04

SHA1
32d05609fb8ad7b469476e9ac47eecdd6522fd86

SHA256
0486fe124127d94891b1662d8346c70b909cdd4f0ec3acb684f69b0c7868afe9

SHA512
9e4c431cf9456542fe250aad12724ded72af94f2dca239dfb64595dc72b6967c31c453bf4591b9d74a2a50671d7bb5d9395f43287014349e9002967fb6c79773

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
520KB

MD5
fb42e4d2d211202a53124f7ac7301a40

SHA1
9336efda7ead0e2281bacb5b2020199636f36469

SHA256
8c9a78867dfd36f5842847ac062b6163cebbad5f9c521364246a743fc8b8b698

SHA512
82c5572ee2fa25990872bfb1dd837790acac87a802f2e6a61695840d910ff19b4da2c8abee229777fbce7f6e8229e5dae580e38ab99260bfc934dc922778e5cf

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
520KB

MD5
017acdd1191b308c3325e6ebbed19089

SHA1
93f93b60174600ee6863abf8b7e51c7a641367ca

SHA256
a01b57e7d7e093573f5b848ab6e4d399595316d7d4bafa82d3a7403d475805cd

SHA512
2b2d512674633d98a22863e4628865bec567caa4379262c252877afa9eead7dc0044607b44d24d92345ba0be17ef84ebcb576f9c8e24410154926ad670050423

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
520KB

MD5
976771196250ad721a12beb3e489e2d5

SHA1
29138b87212b895fafb15fc1bc870caff4f3bc47

SHA256
4f1d91632b6e1a6a1af1b51c1fad41268f95133072380fd926f6641ba704dd64

SHA512
0f0ccf51f90297b99d41d6727879911c8c141b6141eb16ae22235ecb140c4e0519be4d80932eea8b370720d8b5343b90f7dd918dc41719c64477495d96554b35

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
520KB

MD5
8332bc81f19426c193d338b93d4154a7

SHA1
7c19988418da823810d3096113938c4026b1b57d

SHA256
34404d660c5475b6623032925570b3ba30c80a12fb3b99349c2e32b26316d55f

SHA512
579366f5e3fa01b1526e4b160e431284679bdda68e8d71a1e9b5af5ac697eacb3bd36cfcb1580c13475342169b27e5b218b01116479d9bb992413e467ca15557

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
520KB

MD5
d13c8d05d456b1089b32863ab8fcee5c

SHA1
ed15744700e10bea921d99e16bccb0862b02e452

SHA256
76287c4d161dfb7321e22b90d7b320be9aabc94316fa53d2e3280c76248b9b95

SHA512
12ec63c8cd8b868e8c2084c1826991819ef8588be7343e30436aa1ad19adcb249a1054eb8e19f38e09909a03bbccfedf0c293f8f18344d64506540cd153f57be

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
520KB

MD5
7bec4eecf4ecbfb1b13bec03993f70c7

SHA1
032c6aa21a049c2df16ce87d02a1349fe0e09e61

SHA256
946a16eea6d9da19963ad1dd894600537f41d4fd7eb59b0332a04e9f94c8de49

SHA512
f99d1628a226d78b3c621ebcf9fcc3a0a1e03fb714a2223181c9a92b9ad29872a968857e7c2fb633d2a74e859f687f98069d08b3bd571e50437faa9d81395b5b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
520KB

MD5
68935985159cb9b91f7e65f4d0e6c03f

SHA1
f4f182ef0184f0e5840a5bde315f97ae700e96ee

SHA256
61af6affb1f22f8803c1ab66f786d031e4b383fa796adeaa574934abcd6e23c4

SHA512
25b563cdfc04d53b3a5d28da634baae407aac1707ba88feb353a6f382dc1125d2a8652b7bc385f448735111fd2a04ed5b01f88260ee993827328b5d7718c097c

Download Submit
C:\Windows\SysWOW64\Dnieoofh.dll

Filesize
7KB

MD5
cb1ead1ec0c169d42e5326151c7dcf9a

SHA1
1a643ee90c77a9a2e9b522dad0668ac8126300a1

SHA256
e62fed2cde5e0e6f97d0d88f35024ca64fe706b1bec9861eacdf28daa33e8e64

SHA512
3b1d847423256406bdc8a073e6e483cdc6ace4477088afd9e50244b04468c32aa708b5e0481f5ade93767efe0fbc3dd659fba49d0d20954ae5c2b4b48f604e98

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
520KB

MD5
5d719b232e4e17c5554f66480b00f0ee

SHA1
c037a16b9c9ffe6ba67e22358c4f4f959e77b8b0

SHA256
5019c337bed67e986791faff5ac1c77aa739d7c0d1e3e650a054ce9d056c6e36

SHA512
a751e4de34bc1a5cd62d7570ff65b1a7a42b13fe1bf0ffe9e2eab5720c9c677cddc524b845618daeb2b3c898a63d6c451902a7ba01a9558c49cfb9b5a6db4fc9

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
520KB

MD5
e5aa3ce9936bb3a747e1e8cd87bd699f

SHA1
33f79fc53cbb161cc2bd1d655d3bfcd4e7b65126

SHA256
944909406681922cba659bba1977f484359ca6d0d12c0949f4c3843c5b4a8f59

SHA512
a00290db3851de7cb5f3cda74bd97b6875bf23a84a42e949f2980d31496e14a57c86cf35c7d8dc30b72f7a60c7314c2908a54c6b82a20259cc9e1d31a8cbdd0a

Download Submit
memory/60-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads