berbew | d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
Size

302KB
MD5

2f1645adf68a762d454e288403f26b65
SHA1

839a728e8f9078ec6bc9313d97d89bcc62a0b09e
SHA256

d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086
SHA512

cd0934c65f3c57dd6ecf7cad5f1b476fad6dc06943c5f7474e1c0284d981ac45469e640cd56c24faa35efb811b74a4e5a646a6e4172bf60d413bea578fcb50d9
SSDEEP

6144:XwYCClwCw3FF7fPtcsw6UJZqktbOUqCTGepXgbWHj:gYCClM3FF7fFcsw6UJZqktbDqCTGepX/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 24 IoCs

pid	Process
4328	Belebq32.exe
3736	Cndikf32.exe
612	Cdabcm32.exe
3520	Caebma32.exe
2284	Cfbkeh32.exe
4492	Cmlcbbcj.exe
4732	Cdfkolkf.exe
1900	Cnkplejl.exe
1420	Chcddk32.exe
924	Cmqmma32.exe
2332	Dhfajjoj.exe
4860	Dmcibama.exe
5088	Ddmaok32.exe
972	Dobfld32.exe
4948	Delnin32.exe
2416	Dhkjej32.exe
2056	Dodbbdbb.exe
4916	Daconoae.exe
4988	Dmjocp32.exe
4188	Dddhpjof.exe
3612	Dhocqigp.exe
1844	Dgbdlf32.exe
2944	Doilmc32.exe
4784	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process
3872	4784	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4328	4912	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe	83
PID 4912 wrote to memory of 4328	4912	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe	83
PID 4912 wrote to memory of 4328	4912	d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe	83
PID 4328 wrote to memory of 3736	4328	Belebq32.exe	84
PID 4328 wrote to memory of 3736	4328	Belebq32.exe	84
PID 4328 wrote to memory of 3736	4328	Belebq32.exe	84
PID 3736 wrote to memory of 612	3736	Cndikf32.exe	85
PID 3736 wrote to memory of 612	3736	Cndikf32.exe	85
PID 3736 wrote to memory of 612	3736	Cndikf32.exe	85
PID 612 wrote to memory of 3520	612	Cdabcm32.exe	86
PID 612 wrote to memory of 3520	612	Cdabcm32.exe	86
PID 612 wrote to memory of 3520	612	Cdabcm32.exe	86
PID 3520 wrote to memory of 2284	3520	Caebma32.exe	87
PID 3520 wrote to memory of 2284	3520	Caebma32.exe	87
PID 3520 wrote to memory of 2284	3520	Caebma32.exe	87
PID 2284 wrote to memory of 4492	2284	Cfbkeh32.exe	88
PID 2284 wrote to memory of 4492	2284	Cfbkeh32.exe	88
PID 2284 wrote to memory of 4492	2284	Cfbkeh32.exe	88
PID 4492 wrote to memory of 4732	4492	Cmlcbbcj.exe	89
PID 4492 wrote to memory of 4732	4492	Cmlcbbcj.exe	89
PID 4492 wrote to memory of 4732	4492	Cmlcbbcj.exe	89
PID 4732 wrote to memory of 1900	4732	Cdfkolkf.exe	90
PID 4732 wrote to memory of 1900	4732	Cdfkolkf.exe	90
PID 4732 wrote to memory of 1900	4732	Cdfkolkf.exe	90
PID 1900 wrote to memory of 1420	1900	Cnkplejl.exe	91
PID 1900 wrote to memory of 1420	1900	Cnkplejl.exe	91
PID 1900 wrote to memory of 1420	1900	Cnkplejl.exe	91
PID 1420 wrote to memory of 924	1420	Chcddk32.exe	92
PID 1420 wrote to memory of 924	1420	Chcddk32.exe	92
PID 1420 wrote to memory of 924	1420	Chcddk32.exe	92
PID 924 wrote to memory of 2332	924	Cmqmma32.exe	93
PID 924 wrote to memory of 2332	924	Cmqmma32.exe	93
PID 924 wrote to memory of 2332	924	Cmqmma32.exe	93
PID 2332 wrote to memory of 4860	2332	Dhfajjoj.exe	94
PID 2332 wrote to memory of 4860	2332	Dhfajjoj.exe	94
PID 2332 wrote to memory of 4860	2332	Dhfajjoj.exe	94
PID 4860 wrote to memory of 5088	4860	Dmcibama.exe	95
PID 4860 wrote to memory of 5088	4860	Dmcibama.exe	95
PID 4860 wrote to memory of 5088	4860	Dmcibama.exe	95
PID 5088 wrote to memory of 972	5088	Ddmaok32.exe	96
PID 5088 wrote to memory of 972	5088	Ddmaok32.exe	96
PID 5088 wrote to memory of 972	5088	Ddmaok32.exe	96
PID 972 wrote to memory of 4948	972	Dobfld32.exe	97
PID 972 wrote to memory of 4948	972	Dobfld32.exe	97
PID 972 wrote to memory of 4948	972	Dobfld32.exe	97
PID 4948 wrote to memory of 2416	4948	Delnin32.exe	98
PID 4948 wrote to memory of 2416	4948	Delnin32.exe	98
PID 4948 wrote to memory of 2416	4948	Delnin32.exe	98
PID 2416 wrote to memory of 2056	2416	Dhkjej32.exe	99
PID 2416 wrote to memory of 2056	2416	Dhkjej32.exe	99
PID 2416 wrote to memory of 2056	2416	Dhkjej32.exe	99
PID 2056 wrote to memory of 4916	2056	Dodbbdbb.exe	100
PID 2056 wrote to memory of 4916	2056	Dodbbdbb.exe	100
PID 2056 wrote to memory of 4916	2056	Dodbbdbb.exe	100
PID 4916 wrote to memory of 4988	4916	Daconoae.exe	101
PID 4916 wrote to memory of 4988	4916	Daconoae.exe	101
PID 4916 wrote to memory of 4988	4916	Daconoae.exe	101
PID 4988 wrote to memory of 4188	4988	Dmjocp32.exe	102
PID 4988 wrote to memory of 4188	4988	Dmjocp32.exe	102
PID 4988 wrote to memory of 4188	4988	Dmjocp32.exe	102
PID 4188 wrote to memory of 3612	4188	Dddhpjof.exe	103
PID 4188 wrote to memory of 3612	4188	Dddhpjof.exe	103
PID 4188 wrote to memory of 3612	4188	Dddhpjof.exe	103
PID 3612 wrote to memory of 1844	3612	Dhocqigp.exe	104

C:\Users\Admin\AppData\Local\Temp\d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe
"C:\Users\Admin\AppData\Local\Temp\d8f0861f7776a26cf96d6128983e7d67a318f78d2b543d076ba92158cf19e086.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\Belebq32.exe
  C:\Windows\system32\Belebq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\Cndikf32.exe
    C:\Windows\system32\Cndikf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\SysWOW64\Cdabcm32.exe
      C:\Windows\system32\Cdabcm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:612
    - - C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
      - C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 408
        26⤵
        Program crash
        
        PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4784 -ip 4784
1⤵
PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Belebq32.exe

Filesize
302KB

MD5
cd1bbc23453e2f521dae52ec5e5d926c

SHA1
76e4844fc4ce489f0be519b249fc834d0c4ce0c9

SHA256
9279cd4c2b2f943b8e2d9fb624854e1170bf2315d10c93c7cd46ba8a454f4a6c

SHA512
eace0f473b0405d8d366085929d282b4caf8ebae825a9e8b4864cc43cd7318f96ffec698faceb2561f661f5691b38f0f3ff47b3d899f16310c24cf25974af70c

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
302KB

MD5
cb7bddde6543a6f435a375e0ee6e8b35

SHA1
5bd78fffbe2dd953752df3cc64e72413a98c3eff

SHA256
593ff96bf9da1dce8eaa3747419a2221ab960c746c965ba2bebd45400c5b05fe

SHA512
2acff6e137830adbd281c378d2b3e7c5e569350df5095fe8828180ec96cdc4274d74e7b20b38284f8003c7f80408149885ea8d1edb3bb2a418ec43265d71e102

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
302KB

MD5
62d3770e1903db8c8b497ec96040a2c6

SHA1
ed5faf2bae509c7a6281b8ed6451afc90abd4481

SHA256
5595a25bb7a50306e801db9b086587012c25689bcdd0a2242ee28225fb728568

SHA512
ad2a23a3eee246e6192b853e04818feb12c675d799bdf242fbf146bc69b5b76582d02d39793738bddafc0b7bd9fc062f8394509a9afbb9ad288b2ab7f523a83c

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
302KB

MD5
057aeaee30d0200f21769da965e6531a

SHA1
b34f784977d471125992cb27617c28032eeba96b

SHA256
7c9e91ef713fd8e7ec18865d9f43eb5a5946e31c88bf99df36cecd085bc8153a

SHA512
b744ffd5d86e186ed2b46b11a1a7fab4eee5fa09a2dde1ca8c1776f8c87a744bfe3987bb2baf37712050b474ef1d5083e34fa09f5e9a9c47d5acbb854afe4b15

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
302KB

MD5
c5bf1d06f2d6ffeef12af3a9b17cd618

SHA1
83902b0f2743dc67946eda34d96c4042489e1dbb

SHA256
46f3847d9be488a14ccaee8f4eded4c67f9d2cfd05b9b920dafe7970ad48dc66

SHA512
126e427b59dcb9a12b5404b81c989f3b6652dae5d343d3f1afbebe5a37617f2fb4b3bfc40e2592950762261e9014739958c25f4ca1e03b7631f244e1786e12e4

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
302KB

MD5
ba9597f1c149ca62b2a55dda7811a8fb

SHA1
827bb90532c9426e0f161fe339928e2a17328f6f

SHA256
6e6e027a52a93e62339a28a162edc4ef2df0f90cef01760ca35c54c392d75dd7

SHA512
0d9ca168c166569f6ebda23061e1da58bab6c36648ce44c9913efc4419c0eee98afcbcea3283a19f62ad3be194b4f8493f435c29977f40c6caa493cf76eeb990

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
302KB

MD5
f4f13b234d2d0ebeeded485263b98585

SHA1
e099dd20eab164be5e3e9c2c7f7497e208baff8c

SHA256
52a9e39426c081dc24b6c78dd5a80d1e9d61fdbcc1d1041cf2ac8b551272d187

SHA512
ccf379e1e89741dad5670ae93156d27d9ad8eab3f0003237d6eca44b12acbec1e04f22926f2d026bff2db3b177f10a981dd57eefa4e8c8e3905b52057b4649a8

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
302KB

MD5
04ab3857330a764e86cfec710786b917

SHA1
0cf9cea43a5de7c4c10829ecfc18d0c7044e786a

SHA256
c551bcc9562aeffaabc3bd95214417d667963b808c99ea3b842e4235b7bb54c1

SHA512
c0fc716c9162929fd9c5d4e2b14e7507b232e826243698834c4ddd731c2a70ea726d069196106c79dc86bf54fea1f15c1f5543dda3cffa1741d26388a6c2f973

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
302KB

MD5
47d0fec60ab739b247e0854706c90bc2

SHA1
ac10913bb77a9c5833d13cbfc2dfa3b053f1cc9d

SHA256
bbe43aac140ca7d7135a62c21a59a43906c20c91726d898c95a3bb9df08cbaf7

SHA512
316614094d5baf91d8a1f1ece4781f8291888787fd477de382fcc5c79c0cf0c35e6268698c22557ef920ae3d74ebd9fbe93c24f3212ff01720cdb272bdcfabe4

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
302KB

MD5
f55fa838cbd9c1dc49585d1c951a196b

SHA1
18068c097b007e06fd12137eca2c82c7919f834c

SHA256
8b240c9ced4fe910041175df539f52fff6a0afc4dfdfc1648d3fe44e918df2b1

SHA512
718609614d238cf5d62be17cf6d7cc3dbf09002b4cd96b9b18472ca996ef5e795ba3b86989ca2dccc496d9feb527edc84d06b7e0901c77e4bcbc900833e4706e

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
302KB

MD5
a622e32c3b4a467c0d4b88d0a948bff2

SHA1
c6326d57e4605bfdc690b88b0ac726c3041a7561

SHA256
b840cadd2f07864ba721ae5c68258e97d426f5d905d24a1d450f24f872901765

SHA512
446607488f84bb53b555a3d851447e25001e1afbc87ea2716cbeb2a9d906c55bbb520b1afdf1026e3b46bbe2332d69ebefb4d4b2dd2c289f6c9e83e27d06845f

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
302KB

MD5
c818742dc610f4c8968d83a14806392d

SHA1
2c89e610fa962891b50e44f048c45a30f6309bec

SHA256
17a40014c91446a94a14c70046903666f87a7ea5561d94e32474da1ea8c27b01

SHA512
f04ca312c438f972571675d9a35ae8b92b48195e55ab42fe17b6f4688cb1c6456559abe7f53c9d876584645fe85e396c69f9799186346d66c7621ca4b2995daf

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
302KB

MD5
456d7385599307603dcd63f2fee71fa3

SHA1
5bd639a066d8497a801e4c1e46824702f2d8bb66

SHA256
04c36f938763e3045f83510bc0c2c840b1848314c92119e1a822ae576f8fefb8

SHA512
dfc280cf70fd6abe87321e094a8474a7b76a06a70b7f0ff9748cad3c95677b524d90733d8ca10d27ee9bc6e27fb5f6035c2d5f6256ae49b384cdd414ca63ecc7

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
302KB

MD5
313496ccd422c7544e47121a157900d1

SHA1
ce813e512523b719f25511fbc7ca5a66c1e6b2fc

SHA256
93d8025160ff881204ff838d273f15e80b28b5d08ae257c9282a6432eba766ed

SHA512
79c43197adebd500468d1a9911d0cd65b3ff6b2f6b6d93444343f5d2babe1e7fb112959d635bbf894704251afdb29b90ecc1f32c2cad6db6dfea2b13696d5abb

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
302KB

MD5
cbe80822c52071d9a8d247c9a2dd65ee

SHA1
7fbbd3bcd97c37fdc33af5e13db24e9a007739d4

SHA256
ab21ac7b11526a9076df07f9c6ae611f9a8e86a54b4944cb4e8974f8d9d3ed2e

SHA512
2cd0c68401701708889d69825e51df78e4fbae5f728b10918f44752fb545ca3505d28609e6f8f73c983ead9fe01c793ea8cb7ef93a4ab7956682776f404ab574

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
302KB

MD5
2921fed589467a55d35a74e63053defb

SHA1
b11b6054c62e52766f267d9f906c01ca66f88e08

SHA256
28b94610414fe9e50b9185e0ac151eeb38a5e9daf88978ee88668637c5357a48

SHA512
500f60ede245100d112d1d57739c9e01bd53428a8f2b0f6705ecefd81282a1738d62bc9b826426a7e1a3db6453b490133f00e10e2513c3276017cc6c9b8cd60c

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
302KB

MD5
e15ccffb345dfe15ec71f97867a5ec03

SHA1
e30a87d2e0a613c070b0433c589ab0773a221cc4

SHA256
931b2488798284576b6cb7343c6999b17bca7b753ee0e438845680fa82b05284

SHA512
575d7641646a5c432f0a523d9b507a5394ddd9b8e65056df971a16bf3fa931ad2a620e36626a1baad3845537bd51dd202f835426584a1706a8ddb34ca4df50d2

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
302KB

MD5
471ed5a7d49c9c30832b529b0b5c1fb9

SHA1
3f62bd9353074d7ad0bbdc437fa23bf25bff2342

SHA256
3cefe7b48ea0163f70420e1407db64bf3fb62600eb129110cb8d9a37d2877a3e

SHA512
aa79a0bb72807ef72ff0a41850a9ec4584464e079ff0c174ff3c50a112939a6fa2a4880c27a31f2878cde39e0ecf4e3a9dc3b41b0b3ae86914ec3b720a0f9848

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
302KB

MD5
47df4dac8a3d1e3d13a69c6511972dea

SHA1
66b6bd0ca2c21340d817232291987d0e1773ee3c

SHA256
72c35bd16b0f96989a87ecbf9e9cade5ffeeab458c061aa23cb5ddcde740da0c

SHA512
e48621a0644cb384c5dbb7f3309aa88e2f9373c2f416c1a3ffd5f6702d1cbdda739c722a58f3d0300d68e0965c916a5bcd3a0042e93674b8d261ad739215aec4

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
302KB

MD5
4b424908ed9ed97dbab21ece8c47e069

SHA1
5642ead6f71b27324a66f6a7b1bf0f378bfb3308

SHA256
56f43655bbadc5d1c29e73caff5eaeded9a7200c50464888953890d041a0789f

SHA512
b8f826302fb88e23ed9aec96fa06b967c57f38376c220b799bdedbed2f8d3e7929605536833504fa23f243b4c80e86188c1b2d7d34a612460412ae857d833b91

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
302KB

MD5
ad6321933ada72098c33feb45b21720e

SHA1
c5e9d5d818df2dc61fb6265a2eb57cb8997b90e5

SHA256
be06891c1d75451ab41ea1981fd7eea130b0c83b4fb9dd98f8950a79061d1705

SHA512
8bc2e0e878f5ab57bf3a6d6519cb95fd62b1bd6813799ada96f1f9c535f0bf62a4c9aaa52671e2734e1c1878b0b8b126767175e1dbe4e4213d6fcfcadde7e9b6

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
302KB

MD5
33f88d2d62ac2f4caa887cf15841a50d

SHA1
a494b33e83ec85fcb80155ea742e2158f6789028

SHA256
528944b8cbf3d3bfba123c37441cc1dec45e54ce23ef772b1557464ecc3b4f04

SHA512
210c682b5845b6a21b76a598b533cf0187dc162b20d2ee9bac13ad37422db21736226ac37bd0d45033d05fb8d64d7aee99911c9816c8ae5bf1c69315999e078e

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
302KB

MD5
83435d32f991a205aba057564ca1432e

SHA1
c5990f6d73c80de11d2b149b009cf3329733c63e

SHA256
7d98e1a1a973d5376611efbf3f0efe7864297965ad20ad757869bf8e9bab17cd

SHA512
8e63ed9324c50af07d5ad3fd0cc1163347067ccf8da0d46b3764ac158064128fe69a0b6b9b548298d3be33ff1355de82181a918444c167b220773cea5dd2f286

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
302KB

MD5
f2c04e5cda1618ef9df95c4c5a84e84e

SHA1
49e60277c83a8d482341f0211952a03dd82e20ba

SHA256
1ff12d181a86b8fd6b47c1faf7dc082960d7ec67437a3063487244d0be401d8c

SHA512
4d48d93381cc24fd0fc229a13869452860cfa859cb5eb5ef1f2db4c860907ea2cbbd851bf5be79e2186c4cbb5b427d855382cdfdc86bfadd456dae6ea5af5bc7

Download Submit
C:\Windows\SysWOW64\Ghekjiam.dll

Filesize
7KB

MD5
f51aabae84cd01e6203f4bb535949fbe

SHA1
6470be47f38b018e5cbefa01edbb611f46ecbb77

SHA256
85678782f18dfa984c722d3687125e31436f0eca7dd329eec9e373b0f5ba51e0

SHA512
111017fb3e3ac17255f2674954fee9cf85f2468a059c6ef4b760392c51052313418b5a6fd9d1b9b6fc3fb3825d8667e455be1c2ded3a3e33153cc59aa6a02c39

Download Submit
memory/612-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/612-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads