berbew | 7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
Size

1.1MB
MD5

cdc42b8a09d1610f767a2bacaaf46e95
SHA1

94fa189d618dbb4f4274f957a03cd3c9e251a8da
SHA256

7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a
SHA512

faac80fe8ea2b35067832ccb5d72b1e04d73da2d32d34c6521f5b4b2ee32fb1a2905325918a1c2274f4044f35fddc0662e68cb109a15c111cb42d4a1027826e7
SSDEEP

12288:zgeMUyYYrQg5Z/+zrWAIAqWim/+zrWAI5KFukEyDucEQn:MeMU7YrQg5ZmvFimm0HkEyDucEQn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cccdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Einebddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Einebddd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djoeki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejfllhao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkgldm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Embkbdce.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djoeki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dqinhcoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Embkbdce.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elieipej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkqiek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cccdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcemnopj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elieipej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcemnopj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqinhcoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fipbhd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 22 IoCs

pid	Process
2128	Bkqiek32.exe
2704	Bakaaepk.exe
2176	Cccdjl32.exe
2716	Ddkgbc32.exe
2084	Dkgldm32.exe
2948	Djmiejji.exe
1228	Dcemnopj.exe
2380	Djoeki32.exe
2796	Dqinhcoc.exe
2336	Eqkjmcmq.exe
2824	Egebjmdn.exe
2016	Embkbdce.exe
2120	Ebockkal.exe
2396	Ejfllhao.exe
2372	Ekghcq32.exe
908	Ecnpdnho.exe
2104	Elieipej.exe
1976	Ebcmfj32.exe
2256	Einebddd.exe
2492	Fpgnoo32.exe
2528	Fipbhd32.exe
1072	Flnndp32.exe

Loads dropped DLL 48 IoCs

pid	Process
1900	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
1900	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
2128	Bkqiek32.exe
2128	Bkqiek32.exe
2704	Bakaaepk.exe
2704	Bakaaepk.exe
2176	Cccdjl32.exe
2176	Cccdjl32.exe
2716	Ddkgbc32.exe
2716	Ddkgbc32.exe
2084	Dkgldm32.exe
2084	Dkgldm32.exe
2948	Djmiejji.exe
2948	Djmiejji.exe
1228	Dcemnopj.exe
1228	Dcemnopj.exe
2380	Djoeki32.exe
2380	Djoeki32.exe
2796	Dqinhcoc.exe
2796	Dqinhcoc.exe
2336	Eqkjmcmq.exe
2336	Eqkjmcmq.exe
2824	Egebjmdn.exe
2824	Egebjmdn.exe
2016	Embkbdce.exe
2016	Embkbdce.exe
2120	Ebockkal.exe
2120	Ebockkal.exe
2396	Ejfllhao.exe
2396	Ejfllhao.exe
2372	Ekghcq32.exe
2372	Ekghcq32.exe
908	Ecnpdnho.exe
908	Ecnpdnho.exe
2104	Elieipej.exe
2104	Elieipej.exe
1976	Ebcmfj32.exe
1976	Ebcmfj32.exe
2256	Einebddd.exe
2256	Einebddd.exe
2492	Fpgnoo32.exe
2492	Fpgnoo32.exe
2528	Fipbhd32.exe
2528	Fipbhd32.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dkgldm32.exe	Ddkgbc32.exe
File created	C:\Windows\SysWOW64\Imbige32.dll	Egebjmdn.exe
File opened for modification	C:\Windows\SysWOW64\Dcemnopj.exe	Djmiejji.exe
File opened for modification	C:\Windows\SysWOW64\Egebjmdn.exe	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Hmdkip32.dll	Djoeki32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fipbhd32.exe
File created	C:\Windows\SysWOW64\Bedoacoi.dll	Bkqiek32.exe
File created	C:\Windows\SysWOW64\Fhoedaep.dll	Ecnpdnho.exe
File opened for modification	C:\Windows\SysWOW64\Ebcmfj32.exe	Elieipej.exe
File created	C:\Windows\SysWOW64\Jhpgpkho.dll	Elieipej.exe
File created	C:\Windows\SysWOW64\Cljamifd.dll	Bakaaepk.exe
File created	C:\Windows\SysWOW64\Ippdloip.dll	Dcemnopj.exe
File created	C:\Windows\SysWOW64\Ecnpdnho.exe	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Eiabmg32.dll	Ekghcq32.exe
File opened for modification	C:\Windows\SysWOW64\Bkqiek32.exe	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
File created	C:\Windows\SysWOW64\Dilmaf32.dll	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
File opened for modification	C:\Windows\SysWOW64\Ebockkal.exe	Embkbdce.exe
File opened for modification	C:\Windows\SysWOW64\Ecnpdnho.exe	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Ebcmfj32.exe	Elieipej.exe
File created	C:\Windows\SysWOW64\Eqkjmcmq.exe	Dqinhcoc.exe
File opened for modification	C:\Windows\SysWOW64\Embkbdce.exe	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Fpgnoo32.exe	Einebddd.exe
File created	C:\Windows\SysWOW64\Jcngcc32.dll	Fpgnoo32.exe
File opened for modification	C:\Windows\SysWOW64\Bakaaepk.exe	Bkqiek32.exe
File created	C:\Windows\SysWOW64\Ngbpoo32.dll	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Hehaja32.dll	Ejfllhao.exe
File created	C:\Windows\SysWOW64\Cccdjl32.exe	Bakaaepk.exe
File created	C:\Windows\SysWOW64\Ddkgbc32.exe	Cccdjl32.exe
File created	C:\Windows\SysWOW64\Djmiejji.exe	Dkgldm32.exe
File opened for modification	C:\Windows\SysWOW64\Elieipej.exe	Ecnpdnho.exe
File opened for modification	C:\Windows\SysWOW64\Djoeki32.exe	Dcemnopj.exe
File created	C:\Windows\SysWOW64\Dqinhcoc.exe	Djoeki32.exe
File created	C:\Windows\SysWOW64\Einebddd.exe	Ebcmfj32.exe
File created	C:\Windows\SysWOW64\Nmkmnp32.dll	Ebcmfj32.exe
File created	C:\Windows\SysWOW64\Bakaaepk.exe	Bkqiek32.exe
File opened for modification	C:\Windows\SysWOW64\Dkgldm32.exe	Ddkgbc32.exe
File created	C:\Windows\SysWOW64\Malbbh32.dll	Ddkgbc32.exe
File opened for modification	C:\Windows\SysWOW64\Djmiejji.exe	Dkgldm32.exe
File created	C:\Windows\SysWOW64\Ebockkal.exe	Embkbdce.exe
File created	C:\Windows\SysWOW64\Ogadek32.dll	Ebockkal.exe
File opened for modification	C:\Windows\SysWOW64\Einebddd.exe	Ebcmfj32.exe
File created	C:\Windows\SysWOW64\Egebjmdn.exe	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Bdnnjcdh.dll	Embkbdce.exe
File opened for modification	C:\Windows\SysWOW64\Ejfllhao.exe	Ebockkal.exe
File created	C:\Windows\SysWOW64\Elieipej.exe	Ecnpdnho.exe
File opened for modification	C:\Windows\SysWOW64\Cccdjl32.exe	Bakaaepk.exe
File created	C:\Windows\SysWOW64\Peqiahfi.dll	Dkgldm32.exe
File created	C:\Windows\SysWOW64\Dcemnopj.exe	Djmiejji.exe
File created	C:\Windows\SysWOW64\Embkbdce.exe	Egebjmdn.exe
File opened for modification	C:\Windows\SysWOW64\Ekghcq32.exe	Ejfllhao.exe
File opened for modification	C:\Windows\SysWOW64\Fipbhd32.exe	Fpgnoo32.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fipbhd32.exe
File created	C:\Windows\SysWOW64\Bkqiek32.exe	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
File opened for modification	C:\Windows\SysWOW64\Ddkgbc32.exe	Cccdjl32.exe
File created	C:\Windows\SysWOW64\Baboljno.dll	Cccdjl32.exe
File created	C:\Windows\SysWOW64\Hclemh32.dll	Djmiejji.exe
File opened for modification	C:\Windows\SysWOW64\Dqinhcoc.exe	Djoeki32.exe
File opened for modification	C:\Windows\SysWOW64\Eqkjmcmq.exe	Dqinhcoc.exe
File created	C:\Windows\SysWOW64\Ekghcq32.exe	Ejfllhao.exe
File opened for modification	C:\Windows\SysWOW64\Fpgnoo32.exe	Einebddd.exe
File created	C:\Windows\SysWOW64\Mjpdkq32.dll	Einebddd.exe
File created	C:\Windows\SysWOW64\Fipbhd32.exe	Fpgnoo32.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fipbhd32.exe
File created	C:\Windows\SysWOW64\Djoeki32.exe	Dcemnopj.exe

Program crash 1 IoCs

pid	pid_target	Process
1296	1072	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqinhcoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecnpdnho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmiejji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Embkbdce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cccdjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddkgbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcemnopj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egebjmdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebockkal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejfllhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkqiek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakaaepk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebcmfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einebddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgnoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkgldm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djoeki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkqiek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cccdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcemnopj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djoeki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dqinhcoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll"	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djmiejji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpdkq32.dll"	Einebddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclemh32.dll"	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djoeki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedoacoi.dll"	Bkqiek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cccdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecnpdnho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malbbh32.dll"	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elieipej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilmaf32.dll"	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baboljno.dll"	Cccdjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcemnopj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkmnp32.dll"	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippdloip.dll"	Dcemnopj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll"	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpgpkho.dll"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peqiahfi.dll"	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnnjcdh.dll"	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogadek32.dll"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecnpdnho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Einebddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljamifd.dll"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdkip32.dll"	Djoeki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoedaep.dll"	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbpoo32.dll"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacgio32.dll"	Dqinhcoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbige32.dll"	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Embkbdce.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2128	1900	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe	30
PID 1900 wrote to memory of 2128	1900	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe	30
PID 1900 wrote to memory of 2128	1900	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe	30
PID 1900 wrote to memory of 2128	1900	7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe	30
PID 2128 wrote to memory of 2704	2128	Bkqiek32.exe	31
PID 2128 wrote to memory of 2704	2128	Bkqiek32.exe	31
PID 2128 wrote to memory of 2704	2128	Bkqiek32.exe	31
PID 2128 wrote to memory of 2704	2128	Bkqiek32.exe	31
PID 2704 wrote to memory of 2176	2704	Bakaaepk.exe	32
PID 2704 wrote to memory of 2176	2704	Bakaaepk.exe	32
PID 2704 wrote to memory of 2176	2704	Bakaaepk.exe	32
PID 2704 wrote to memory of 2176	2704	Bakaaepk.exe	32
PID 2176 wrote to memory of 2716	2176	Cccdjl32.exe	33
PID 2176 wrote to memory of 2716	2176	Cccdjl32.exe	33
PID 2176 wrote to memory of 2716	2176	Cccdjl32.exe	33
PID 2176 wrote to memory of 2716	2176	Cccdjl32.exe	33
PID 2716 wrote to memory of 2084	2716	Ddkgbc32.exe	34
PID 2716 wrote to memory of 2084	2716	Ddkgbc32.exe	34
PID 2716 wrote to memory of 2084	2716	Ddkgbc32.exe	34
PID 2716 wrote to memory of 2084	2716	Ddkgbc32.exe	34
PID 2084 wrote to memory of 2948	2084	Dkgldm32.exe	35
PID 2084 wrote to memory of 2948	2084	Dkgldm32.exe	35
PID 2084 wrote to memory of 2948	2084	Dkgldm32.exe	35
PID 2084 wrote to memory of 2948	2084	Dkgldm32.exe	35
PID 2948 wrote to memory of 1228	2948	Djmiejji.exe	36
PID 2948 wrote to memory of 1228	2948	Djmiejji.exe	36
PID 2948 wrote to memory of 1228	2948	Djmiejji.exe	36
PID 2948 wrote to memory of 1228	2948	Djmiejji.exe	36
PID 1228 wrote to memory of 2380	1228	Dcemnopj.exe	37
PID 1228 wrote to memory of 2380	1228	Dcemnopj.exe	37
PID 1228 wrote to memory of 2380	1228	Dcemnopj.exe	37
PID 1228 wrote to memory of 2380	1228	Dcemnopj.exe	37
PID 2380 wrote to memory of 2796	2380	Djoeki32.exe	38
PID 2380 wrote to memory of 2796	2380	Djoeki32.exe	38
PID 2380 wrote to memory of 2796	2380	Djoeki32.exe	38
PID 2380 wrote to memory of 2796	2380	Djoeki32.exe	38
PID 2796 wrote to memory of 2336	2796	Dqinhcoc.exe	39
PID 2796 wrote to memory of 2336	2796	Dqinhcoc.exe	39
PID 2796 wrote to memory of 2336	2796	Dqinhcoc.exe	39
PID 2796 wrote to memory of 2336	2796	Dqinhcoc.exe	39
PID 2336 wrote to memory of 2824	2336	Eqkjmcmq.exe	40
PID 2336 wrote to memory of 2824	2336	Eqkjmcmq.exe	40
PID 2336 wrote to memory of 2824	2336	Eqkjmcmq.exe	40
PID 2336 wrote to memory of 2824	2336	Eqkjmcmq.exe	40
PID 2824 wrote to memory of 2016	2824	Egebjmdn.exe	41
PID 2824 wrote to memory of 2016	2824	Egebjmdn.exe	41
PID 2824 wrote to memory of 2016	2824	Egebjmdn.exe	41
PID 2824 wrote to memory of 2016	2824	Egebjmdn.exe	41
PID 2016 wrote to memory of 2120	2016	Embkbdce.exe	42
PID 2016 wrote to memory of 2120	2016	Embkbdce.exe	42
PID 2016 wrote to memory of 2120	2016	Embkbdce.exe	42
PID 2016 wrote to memory of 2120	2016	Embkbdce.exe	42
PID 2120 wrote to memory of 2396	2120	Ebockkal.exe	43
PID 2120 wrote to memory of 2396	2120	Ebockkal.exe	43
PID 2120 wrote to memory of 2396	2120	Ebockkal.exe	43
PID 2120 wrote to memory of 2396	2120	Ebockkal.exe	43
PID 2396 wrote to memory of 2372	2396	Ejfllhao.exe	44
PID 2396 wrote to memory of 2372	2396	Ejfllhao.exe	44
PID 2396 wrote to memory of 2372	2396	Ejfllhao.exe	44
PID 2396 wrote to memory of 2372	2396	Ejfllhao.exe	44
PID 2372 wrote to memory of 908	2372	Ekghcq32.exe	45
PID 2372 wrote to memory of 908	2372	Ekghcq32.exe	45
PID 2372 wrote to memory of 908	2372	Ekghcq32.exe	45
PID 2372 wrote to memory of 908	2372	Ekghcq32.exe	45

C:\Users\Admin\AppData\Local\Temp\7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe
"C:\Users\Admin\AppData\Local\Temp\7d615e0d7433eb880d3acf96839646a91cde768e7cdf8c84830a763c92d1303a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\Bkqiek32.exe
  C:\Windows\system32\Bkqiek32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\Bakaaepk.exe
    C:\Windows\system32\Bakaaepk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\Cccdjl32.exe
      C:\Windows\system32\Cccdjl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\SysWOW64\Ddkgbc32.exe
        
        C:\Windows\system32\Ddkgbc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\Dkgldm32.exe
        
        C:\Windows\system32\Dkgldm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Djmiejji.exe
        
        C:\Windows\system32\Djmiejji.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Dcemnopj.exe
        
        C:\Windows\system32\Dcemnopj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Djoeki32.exe
        
        C:\Windows\system32\Djoeki32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Dqinhcoc.exe
        
        C:\Windows\system32\Dqinhcoc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Egebjmdn.exe
        
        C:\Windows\system32\Egebjmdn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Embkbdce.exe
        
        C:\Windows\system32\Embkbdce.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Ebockkal.exe
        
        C:\Windows\system32\Ebockkal.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Ejfllhao.exe
        
        C:\Windows\system32\Ejfllhao.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Ecnpdnho.exe
        
        C:\Windows\system32\Ecnpdnho.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Ebcmfj32.exe
        
        C:\Windows\system32\Ebcmfj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Einebddd.exe
        
        C:\Windows\system32\Einebddd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Fpgnoo32.exe
        
        C:\Windows\system32\Fpgnoo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bakaaepk.exe

Filesize
1.1MB

MD5
d0193221af52ef87b591e767d4d35df5

SHA1
4e67fc41e46ab0ef4840c560668bf244d4d2e00a

SHA256
e176eddf6b7f329e360c89f760bbc0347a9ac974a7dff0d36ae8c1f18d799cfa

SHA512
fa225eadb7406201b7140f69de38bd3690c15a9b2f6dcaa8cf2edab1a66090c730ff497d0028254a85356c7722fa7952d208f4361a0a9e06e08812f5a983bed6

Download Submit
C:\Windows\SysWOW64\Bkqiek32.exe

Filesize
1.1MB

MD5
446954829e3202cb1307745a339bacc2

SHA1
bd15965994603473d6c3cda85cec0c6699a80f4a

SHA256
0e8636c762425d46618188cd343a9952cb8e994bac02796c1d6f44aff1fc3a4f

SHA512
b45bd1cd9dc799be20280361985dd550ac8bdb861dc6da1e06034deb1dc97da64966ea7ba7b94d38ca5eabd9d8579060c7782462338bb0d895fb343b5e34fd65

Download Submit
C:\Windows\SysWOW64\Cccdjl32.exe

Filesize
1.1MB

MD5
1b94eef6481101d4ea70519ce18641a6

SHA1
eb7c9e3ccfcaa30d766a34d198e8c8f6a08189fd

SHA256
f9f262cbaeaa6f88924e7dbdec32f910f1b4fdb9c338712200454629d256e92a

SHA512
fafe87abb236b000e57d1ff0cf89e6986d05e3a6c762673a3c93339cf52c082febd6462b4113a4214f7dfcc153a873a31e74678daf43fe5f976b1fd56a8dbe7f

Download Submit
C:\Windows\SysWOW64\Dcemnopj.exe

Filesize
1.1MB

MD5
b8576c7551b31a3cadee6d07226d84c7

SHA1
20b6da33ed403fb99c716059c66f2d8f4acf31db

SHA256
714803e315512d04c8404cd9d41f3da56ef4cd17520fb6897920672dbfa92aaa

SHA512
cdcd14566486136afd85f688e8a20fb7aef3cc09c66bdf10d8652ce3077724757398c1ad1e0b7f466b52b6f983ed74d9bee51d9f5df108616e68426c3599da40

Download Submit
C:\Windows\SysWOW64\Ddkgbc32.exe

Filesize
1.1MB

MD5
74791042d5bbdf0fa651599346a02931

SHA1
0872a11eadc2855afbfbb654b65660a72125930e

SHA256
93002b483ea28cec0fc26216ebd49b96abe99566728a021884df26ff3dfb1537

SHA512
923391d78c74fd05c2d3ef4308ed7f2ffbf8a4fc57802a917ffd9f9fafc2208d74b137858e6aafddd66212b71639430e019c8b41d85b946365295f7adc01dc66

Download Submit
C:\Windows\SysWOW64\Djmiejji.exe

Filesize
1.1MB

MD5
ef1aa074c131a0399b4ed80b820ce4e6

SHA1
2eac6d752feab5bbb71dd218ad5651da271e0a1b

SHA256
69b468303373539b28d6193838b1fbbecf372bab487f3617127b29117cbcd46a

SHA512
892e52e00797cb275d2025fe1e59faa3018a72154e546e731bed5a1fd61f0a878563b71e3add4089671d4d865bc57167385c228319717fb39e648692f95cb20f

Download Submit
C:\Windows\SysWOW64\Djoeki32.exe

Filesize
1.1MB

MD5
ad0e46d8eedc489cbb5e4e6c7d790566

SHA1
95e053a9512baf73724132a3e796bfa16ce7ef35

SHA256
bb798e11428df2b20deca922fc540e39219c07a978e3fb8b1c232b9822d8f708

SHA512
b1b689865da06d38a6c3876e86dee557cf87dadbfbf2fdcc7018e82357e4c3b12300c9a5c7411d232cb95c56def4f2a5216f3440bff838aa581342a523038716

Download Submit
C:\Windows\SysWOW64\Dkgldm32.exe

Filesize
1.1MB

MD5
577c136c88bfaea835cb46941725d49a

SHA1
0d404519ddb1772c66ba47a5692a12c6ba861135

SHA256
937c43398eb76aee8184d0287fe30ef64ed5d60ba8d651285a8437864cea340c

SHA512
fda35e8755a5921b02ccfc1f63e37e0378d09e44238730e2ea037afce9224f6ef509da8350ad2199ed10189995b941c42cc150de557f302ed1732190aec467fd

Download Submit
C:\Windows\SysWOW64\Dqinhcoc.exe

Filesize
1.1MB

MD5
1a76daea75b034a781811f7773ff44ca

SHA1
3987c0da4f0742a5d9bdc4eb0c28c15b95485749

SHA256
f505b5425b640cab35b495c30eb4398f36f8ca56312376be2ef94c7f5bb0ae07

SHA512
9270f3d4c903a827c51947421fde3023b82c81bb55165bed58fda3da558b6a946dffc725bbd2ddcb9a7cea11ec2fa969eaa540a3ab232aae6381308bd57bcd4b

Download Submit
C:\Windows\SysWOW64\Ebcmfj32.exe

Filesize
1.1MB

MD5
1355de5f41f4e97137ea36c5a606f8b7

SHA1
e1d0e10defc971711b66a17d77994194e9f5fc36

SHA256
8225de83ca780c95a68a65e88d9f3fbbaeaf5444e1bba8c450ba6d04def68a66

SHA512
1e305627ef5c2b995df02cb343b66ff759016c96501dccf53f60f469da75c4b7e964d48dda2c2743618de998a13db1a9ae0b5414a095b5dc573fb4cde556e5f0

Download Submit
C:\Windows\SysWOW64\Ebockkal.exe

Filesize
1.1MB

MD5
26c835ae99ddf186780954cf4ed87f15

SHA1
0074e2bd92887ff49549c0852f7afe8f02d80307

SHA256
c41f272cf51805910738720e1bc2445fcf858ae55883bc32e9295c290a98e917

SHA512
b0c089639e715280c3686cc16837aab2ea6c9b83c1627257f5543111a7f1c88e36b559fb0ede7436cf0abcb861ba9637f24d8506dd2ec95320dd614122d73485

Download Submit
C:\Windows\SysWOW64\Ecnpdnho.exe

Filesize
1.1MB

MD5
97810efa5fefc7c3cbcc173360752f05

SHA1
d0c11a5a67b709f17ba26d0da9c484b1523170fd

SHA256
dc2111fcb46651b24104b2a185fb6078de0ef56dc1be11e08c90a0ff36293e2d

SHA512
f06d1454202ce865e1e737ed08461f2b23b7177c47fb8d51660c2ccf0cd7500008b09e0864acdbc64a6f28b230f7c2b6731f0cc05069fc602f0f902e517c3432

Download Submit
C:\Windows\SysWOW64\Egebjmdn.exe

Filesize
1.1MB

MD5
782bbc0aa148aa4c86a09a903a8a8a82

SHA1
5a195d7147c4416af81935cd87cfcad6ba82ebbf

SHA256
1197c687a7e5e16c317dbecbde9dac6d799db9dcc05a62fb7f4d663d0a51647e

SHA512
43311aa54cbfc6669737bf0451f1b1a3c0d1ca6319bfa5fe8c089ef6893bce4421fae968ab84041bfa54104c8edebe1ae38a868451374d710121a99963f10569

Download Submit
C:\Windows\SysWOW64\Einebddd.exe

Filesize
1.1MB

MD5
5176a5c0bb05fed389492308a604b8b4

SHA1
aa8df958bbcd472c26380133feb44529d25704b2

SHA256
a82a62cd5ef341bb6d4dd99dc1730df72074456614b10bbcd93c728b050752e8

SHA512
4d42bb7e04593bd32044111aea55691f0fd55d4f932c64b84d6b88da8d9aedba7f830d54761ba2cb4b87867c49c2999d54ec4f6c8ddd6a067e08f08dfaaf2c1a

Download Submit
C:\Windows\SysWOW64\Ejfllhao.exe

Filesize
1.1MB

MD5
bdf6468bc22ddafbb464b85bb9c530f9

SHA1
905f3d61a2a959afbe3df7c00fdbf899f1cf0d97

SHA256
6b240a133afd46a4d99a40dfe381eb0890d7899107e4a904fe9a3f23994c5e47

SHA512
70ac55a43a1690f6f3476f3fa44dd0686038af84ed39c399f0ace87159bd495a0939f7cccec527ce3637c1253e4dbd780f68ae254db74b7b3e6831e98655fdd8

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
1.1MB

MD5
ea95a35d312a980deb8b43874a00c1e6

SHA1
a8fae92e7422a311c4997dc778af2b76543bc1bf

SHA256
ee7dcf97ff43ab1a350789f70a0a0a3c18496ca06776f0507580ddcef2b914c4

SHA512
28694cb1fb11ac1f9dfb2d5f76163288e83768a4f14244445983eb76a130dd552739e1f0d386d2ccd08ed3bd45357c70bec0285caeec58855fe5a395dd17c09e

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
1.1MB

MD5
a95794f03e0949381ce2856a894e39a3

SHA1
8064633e6a0c44f6d17674743ffa7b81ebd30c76

SHA256
510bc23358fc6db9cbc378f5039110a15a0d737ece6faef1826e0174a97b02ed

SHA512
1434f5a8900cded51d1eccb0c5b68157e312f4692fc45b615423976bd28955c6329e694613575a59cac17e6854af03700b1999003a3d02d55eec53b2412c087e

Download Submit
C:\Windows\SysWOW64\Embkbdce.exe

Filesize
1.1MB

MD5
945a07285378fb63a2df38d93a55792c

SHA1
fdaf6221a2937f15a19d1873cc7450a3cc9aa498

SHA256
f35167b24fab2407fbeeb18c91299f79a985bff1dac58e0d720529b7c354f5dd

SHA512
38f94395cb7c9dc17e96a2c90420ccbc6441989c3490251ea4e72a85d8d9c532daaf6f1339adb5cb25fbf063f772767f3e69efb4d2bf0ae5110cd4d43b9d9d41

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
1.1MB

MD5
a56de9e783162c4c7f06af3e199544f3

SHA1
db8832c09c8d1c5616fe71f924ae527aea4f89d2

SHA256
c59f23d8e36b951d11276d4c0988833307abb57a9b985714bc06755160cf4e6d

SHA512
0dfdd2ba322b4824da30ad76acf237399b59a42b4de82584260a4c00c2e2398795ef7e39017eb9cc02c6df8d9e8533016b4d66d10d5688a0a58daca9278b1ee9

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
1.1MB

MD5
73fe7a9385bf0df18b20604095c4b633

SHA1
8b7acd6110bce7de339bae1d23fe36bfecde5026

SHA256
8a6097cc4fef82a5ce4cb7169cb51369848ca00cef130c39dfcf48205563ddc5

SHA512
c6bee9baa0ae6dc433c660a3c63e392c3c375b492c6fbcccd6483efeb02698950274dbabddc171c1ad8b7938e5fc6a0c1a57162efa294b01a66a489ea933c579

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
1.1MB

MD5
ce142ed2bbf77ddf912a867261c939ef

SHA1
f27e194972f55168941f4c3bedc9138771091af5

SHA256
edda1a0b216f2269b286165feb9ba315258a5d884cdcc61f0d67edabf7e7c596

SHA512
7381391375eccc211f90082826a6a5a60d21a6dd0f5fd1c57b7606d77c3d7a9b38c3a31ee52b1a6cf3b977f893ef4a207e1306f54500e3ee385b48fcb37ecce3

Download Submit
C:\Windows\SysWOW64\Fpgnoo32.exe

Filesize
1.1MB

MD5
0876f5b195fe1bd33fae6229bf6b09c9

SHA1
9e63c3d1520f05cc085c8506500c0357c3f360d8

SHA256
4394d193c9468c0c9a08aa63f7073d941fb4a2b0640fe4e16c721b525fad5572

SHA512
0f9af70afd94ecb1934881019bce4eda90b8174aba29f3e32d8e31a62692f1c0b76d6341cdd82df5478a30a8a287275034a42dfba521dadb1d2aef7880453af6

Download Submit
C:\Windows\SysWOW64\Malbbh32.dll

Filesize
7KB

MD5
961bbba0e4e42705216bb207dc2da479

SHA1
f5a3908d537833c2cbaaaed2514916c3e042b2b9

SHA256
caffe9c96deb6c4570374240c72514142729efbd06664ad47d9d95ca40615c95

SHA512
57cbf64947aa8a8981879e5d3258ed21ed6aa04a622eb261f612b347b28fb234a99fb35c7f479ae15cdb5163fa81bf3db91961e97275640a9214745ea977c397

Download Submit
memory/908-241-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/908-287-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1072-298-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1228-106-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1228-182-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1900-13-0x0000000001FA0000-0x0000000001FE8000-memory.dmp

Filesize
288KB

Download
memory/1900-12-0x0000000001FA0000-0x0000000001FE8000-memory.dmp

Filesize
288KB

Download
memory/1900-59-0x0000000001FA0000-0x0000000001FE8000-memory.dmp

Filesize
288KB

Download
memory/1900-54-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1900-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1900-58-0x0000000001FA0000-0x0000000001FE8000-memory.dmp

Filesize
288KB

Download
memory/1976-262-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2016-247-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2016-184-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2084-149-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2084-75-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2084-164-0x00000000002E0000-0x0000000000328000-memory.dmp

Filesize
288KB

Download
memory/2104-248-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2104-297-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2120-261-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2120-194-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2128-21-0x0000000000290000-0x00000000002D8000-memory.dmp

Filesize
288KB

Download
memory/2128-14-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2128-60-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2128-28-0x0000000000290000-0x00000000002D8000-memory.dmp

Filesize
288KB

Download
memory/2128-92-0x0000000000290000-0x00000000002D8000-memory.dmp

Filesize
288KB

Download
memory/2176-119-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2176-51-0x0000000000250000-0x0000000000298000-memory.dmp

Filesize
288KB

Download
memory/2176-43-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2256-268-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2256-299-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2336-155-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2336-236-0x0000000000320000-0x0000000000368000-memory.dmp

Filesize
288KB

Download
memory/2372-223-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2372-277-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2380-133-0x00000000002F0000-0x0000000000338000-memory.dmp

Filesize
288KB

Download
memory/2380-123-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2380-193-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2396-267-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2396-211-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2492-282-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2528-288-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2528-300-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2704-93-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2704-37-0x00000000002A0000-0x00000000002E8000-memory.dmp

Filesize
288KB

Download
memory/2704-104-0x00000000002A0000-0x00000000002E8000-memory.dmp

Filesize
288KB

Download
memory/2704-31-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2716-148-0x0000000000350000-0x0000000000398000-memory.dmp

Filesize
288KB

Download
memory/2716-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2716-74-0x0000000000350000-0x0000000000398000-memory.dmp

Filesize
288KB

Download
memory/2716-73-0x0000000000350000-0x0000000000398000-memory.dmp

Filesize
288KB

Download
memory/2796-207-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2796-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2796-154-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/2796-221-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/2796-222-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/2824-166-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2824-237-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2948-105-0x0000000000250000-0x0000000000298000-memory.dmp

Filesize
288KB

Download
memory/2948-165-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2948-94-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads