berbew | 6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284f

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Size

45KB
MD5

caa520f4634b4976c3a9e8a14c9519d0
SHA1

3533a9145025d4797342a7d3e9c0793ed1e4b8a1
SHA256

6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284f
SHA512

abb4c6cfdba83a1a3035d3e161626e377428b2e429dba0cff028fcf8da279d33843034c6ffef5c41eea996ba08d32c4364ecddb2ba1eba9682a5853c9cfcc75d
SSDEEP

768:cjuUyJ8FGuCykGeMQd+3qKxyFLZO2gA6+dKPiQNvlbpm5Y/1H5xb:cdU8FGfx+6KxyxZO2g/NPiQ1l1Tj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beejng32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 14 IoCs

pid	Process
2736	Beejng32.exe
2876	Biafnecn.exe
2308	Bonoflae.exe
2656	Balkchpi.exe
1924	Bdkgocpm.exe
1584	Blaopqpo.exe
2292	Bmclhi32.exe
2132	Bejdiffp.exe
1548	Bfkpqn32.exe
2796	Bobhal32.exe
2948	Baadng32.exe
1624	Cdoajb32.exe
2316	Cfnmfn32.exe
2208	Cacacg32.exe

Loads dropped DLL 32 IoCs

pid	Process
2844	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
2844	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
2736	Beejng32.exe
2736	Beejng32.exe
2876	Biafnecn.exe
2876	Biafnecn.exe
2308	Bonoflae.exe
2308	Bonoflae.exe
2656	Balkchpi.exe
2656	Balkchpi.exe
1924	Bdkgocpm.exe
1924	Bdkgocpm.exe
1584	Blaopqpo.exe
1584	Blaopqpo.exe
2292	Bmclhi32.exe
2292	Bmclhi32.exe
2132	Bejdiffp.exe
2132	Bejdiffp.exe
1548	Bfkpqn32.exe
1548	Bfkpqn32.exe
2796	Bobhal32.exe
2796	Bobhal32.exe
2948	Baadng32.exe
2948	Baadng32.exe
1624	Cdoajb32.exe
1624	Cdoajb32.exe
2316	Cfnmfn32.exe
2316	Cfnmfn32.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Beejng32.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Biafnecn.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Balkchpi.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2428	2208	WerFault.exe	43

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2736	2844	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe	30
PID 2844 wrote to memory of 2736	2844	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe	30
PID 2844 wrote to memory of 2736	2844	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe	30
PID 2844 wrote to memory of 2736	2844	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe	30
PID 2736 wrote to memory of 2876	2736	Beejng32.exe	31
PID 2736 wrote to memory of 2876	2736	Beejng32.exe	31
PID 2736 wrote to memory of 2876	2736	Beejng32.exe	31
PID 2736 wrote to memory of 2876	2736	Beejng32.exe	31
PID 2876 wrote to memory of 2308	2876	Biafnecn.exe	32
PID 2876 wrote to memory of 2308	2876	Biafnecn.exe	32
PID 2876 wrote to memory of 2308	2876	Biafnecn.exe	32
PID 2876 wrote to memory of 2308	2876	Biafnecn.exe	32
PID 2308 wrote to memory of 2656	2308	Bonoflae.exe	33
PID 2308 wrote to memory of 2656	2308	Bonoflae.exe	33
PID 2308 wrote to memory of 2656	2308	Bonoflae.exe	33
PID 2308 wrote to memory of 2656	2308	Bonoflae.exe	33
PID 2656 wrote to memory of 1924	2656	Balkchpi.exe	34
PID 2656 wrote to memory of 1924	2656	Balkchpi.exe	34
PID 2656 wrote to memory of 1924	2656	Balkchpi.exe	34
PID 2656 wrote to memory of 1924	2656	Balkchpi.exe	34
PID 1924 wrote to memory of 1584	1924	Bdkgocpm.exe	35
PID 1924 wrote to memory of 1584	1924	Bdkgocpm.exe	35
PID 1924 wrote to memory of 1584	1924	Bdkgocpm.exe	35
PID 1924 wrote to memory of 1584	1924	Bdkgocpm.exe	35
PID 1584 wrote to memory of 2292	1584	Blaopqpo.exe	36
PID 1584 wrote to memory of 2292	1584	Blaopqpo.exe	36
PID 1584 wrote to memory of 2292	1584	Blaopqpo.exe	36
PID 1584 wrote to memory of 2292	1584	Blaopqpo.exe	36
PID 2292 wrote to memory of 2132	2292	Bmclhi32.exe	37
PID 2292 wrote to memory of 2132	2292	Bmclhi32.exe	37
PID 2292 wrote to memory of 2132	2292	Bmclhi32.exe	37
PID 2292 wrote to memory of 2132	2292	Bmclhi32.exe	37
PID 2132 wrote to memory of 1548	2132	Bejdiffp.exe	38
PID 2132 wrote to memory of 1548	2132	Bejdiffp.exe	38
PID 2132 wrote to memory of 1548	2132	Bejdiffp.exe	38
PID 2132 wrote to memory of 1548	2132	Bejdiffp.exe	38
PID 1548 wrote to memory of 2796	1548	Bfkpqn32.exe	39
PID 1548 wrote to memory of 2796	1548	Bfkpqn32.exe	39
PID 1548 wrote to memory of 2796	1548	Bfkpqn32.exe	39
PID 1548 wrote to memory of 2796	1548	Bfkpqn32.exe	39
PID 2796 wrote to memory of 2948	2796	Bobhal32.exe	40
PID 2796 wrote to memory of 2948	2796	Bobhal32.exe	40
PID 2796 wrote to memory of 2948	2796	Bobhal32.exe	40
PID 2796 wrote to memory of 2948	2796	Bobhal32.exe	40
PID 2948 wrote to memory of 1624	2948	Baadng32.exe	41
PID 2948 wrote to memory of 1624	2948	Baadng32.exe	41
PID 2948 wrote to memory of 1624	2948	Baadng32.exe	41
PID 2948 wrote to memory of 1624	2948	Baadng32.exe	41
PID 1624 wrote to memory of 2316	1624	Cdoajb32.exe	42
PID 1624 wrote to memory of 2316	1624	Cdoajb32.exe	42
PID 1624 wrote to memory of 2316	1624	Cdoajb32.exe	42
PID 1624 wrote to memory of 2316	1624	Cdoajb32.exe	42
PID 2316 wrote to memory of 2208	2316	Cfnmfn32.exe	43
PID 2316 wrote to memory of 2208	2316	Cfnmfn32.exe	43
PID 2316 wrote to memory of 2208	2316	Cfnmfn32.exe	43
PID 2316 wrote to memory of 2208	2316	Cfnmfn32.exe	43
PID 2208 wrote to memory of 2428	2208	Cacacg32.exe	44
PID 2208 wrote to memory of 2428	2208	Cacacg32.exe	44
PID 2208 wrote to memory of 2428	2208	Cacacg32.exe	44
PID 2208 wrote to memory of 2428	2208	Cacacg32.exe	44

C:\Users\Admin\AppData\Local\Temp\6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
"C:\Users\Admin\AppData\Local\Temp\6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\Beejng32.exe
  C:\Windows\system32\Beejng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Biafnecn.exe
    C:\Windows\system32\Biafnecn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\Bonoflae.exe
      C:\Windows\system32\Bonoflae.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 140
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Biafnecn.exe

Filesize
45KB

MD5
9a7dcd5543db504b08a8401056cba9ec

SHA1
9acde7cc618358461ea23f829e49cfa0761bb090

SHA256
0eec9a4b7cf6fc935b82700f7663ec219f91f53d1b7d17234becbe1d4ebae0e8

SHA512
06d50163e888e901293b5eb22f2c526a89fa89d50739091606039185ec065c952d67b60fe709b695c76779637b77a884c778f6799b113cc892f4a56db4a93505

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
45KB

MD5
389f7858dc2884ecdb4e45120cbd1bc5

SHA1
39b076285186bb75022551755e8d65dab0188de3

SHA256
08882253821b66e4d81e26dc1ce572cb6ed2d749e5900103a88d807ca871b6c4

SHA512
a5264e528d6193b13a002a2ea1c66fcb1e0270571794d86be007a7ebb6d727c1440be9059d58d45e846d3f52e54ef69d9fe7b42a7debbf86d29f4bd0d680fd38

Download Submit
\Windows\SysWOW64\Baadng32.exe

Filesize
45KB

MD5
a4d854d74b2a37de915b8920e91d6f90

SHA1
db2733dfeeeab6319205aa0568c25b9d8790c483

SHA256
24af0b9b099dde674752df839107f36f17e832962bc7ccfd74186a6947072f9c

SHA512
8de5d3e8128b9503d4bfb744f7c3330bf241f830d5575787cb4a61a4b94086bdd61caf90993f183bc146533e0f0582bd162422b4409974b955804d262c0ec12c

Download Submit
\Windows\SysWOW64\Balkchpi.exe

Filesize
45KB

MD5
19102a2e8d491323d98f3fe19045142c

SHA1
c564bbabdd1eb1c177092b0453b517212a36aa1e

SHA256
874d9126f807a93559a70e6234b67d8031d1650b02329822f753f43b1d7a0955

SHA512
01e33e97c31d550b8ac490caee25cddac0636b86f29ee0cc04e3f9361c0f334a38f468e7d267d0a3f5c31decf17b355bfce71abc7763698c9d4cfc1ded89855e

Download Submit
\Windows\SysWOW64\Bdkgocpm.exe

Filesize
45KB

MD5
74d714f5adc073ccb533172c873e4202

SHA1
ac266d7ab9daa7d220d03d7531b85a4b174186b9

SHA256
2966b3bed5c3be15353578b995ea5f710af3c383c13dca33747d0a497881f37b

SHA512
be99fea4fc34e032b452cb377c9e09502f48df14e5de0d7000be6020415c51bd313ab0d7f8eb8e802f71d3e6b28f5a7c0d451af90c35e07f4e18de522356503c

Download Submit
\Windows\SysWOW64\Beejng32.exe

Filesize
45KB

MD5
b4a7a9d3f632d51b82d3ab56d5fd9846

SHA1
31fde5e8fc2761a1193d34081f10a1baa6b5db8a

SHA256
c21b0bd5d5b08fe0fb4822a923d971b32af9b841f2f38988943811dbdd8f40e2

SHA512
27d8e7727f0a599b6e0d00703bd941d2cd79fcf71e308b58c42cdc409106f05fc596c4f79ebdfb01cb959b06d945b4eca59fbe388d1f74eeb59a1d70defd79ea

Download Submit
\Windows\SysWOW64\Bejdiffp.exe

Filesize
45KB

MD5
0d86c1ccba552b176a92068e58d1244a

SHA1
5504736680bb31e3fe580e38e0c98cee7d45eb36

SHA256
9e9c96f69bc05821946d2a20ca3943683bd2f756cd42aed381b92ed7e8221bf1

SHA512
ad330c50931a6156a4ee5787950095dc9cfda3add06d716aa94ce6db6202d4dfb5a2b7ac97c6ee476ef0e68011edccb6de9347be02e5440406bf9a45d132b0d8

Download Submit
\Windows\SysWOW64\Bfkpqn32.exe

Filesize
45KB

MD5
3de73d1f8c027a674c9da9d541eb6b35

SHA1
c2b99424d79eaed2505d272fca06b223dcc934c7

SHA256
3507dfbe14b2a41a2be86348f7a2e3ba53cbf982c8dc788a482a2249323bb51f

SHA512
2527461e3abc990cf7fba43534ce7671d93e97c556fd71d65f99000e50c9e684b8920c870456378849db9eccd4a5c85cac0a6718194d362e1663dc8acd189c40

Download Submit
\Windows\SysWOW64\Blaopqpo.exe

Filesize
45KB

MD5
820b2e375c36526b4e6fadffaa5ef6f8

SHA1
9b27b4a11ecc6ba13933fd8a2b850ce1019b452b

SHA256
7369611c3c100f6bd605bec709213584a6c17766b135d03ef2192df1f9fbfa5c

SHA512
48df23cc9d0eef617da247629847337948450fd87648f1f233129ad973900557ed57a3709e84a7efb47a9f5de1145069d0684f0aae996becc4904a3dba344271

Download Submit
\Windows\SysWOW64\Bmclhi32.exe

Filesize
45KB

MD5
7740764537001e1f6fea4e1dd9006d18

SHA1
ee5b8059ae0f6fc5c18f1cf63662e161caada720

SHA256
39ddbb05a2cddab1d2b5f84bdb96c0b724a26e5413103e2ee54dd14deed29167

SHA512
db87a8084be06cde82aa63809908ff2b74a390efa22785c805c6176daf77b8a0777d4d3b81042004b546951fb28aef9c68679879175edb467ff7e693592f69c3

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
45KB

MD5
b1121cd95d0d3f2489498843499b5134

SHA1
fcdf749a3e1374dad8512cb8354cbe5345ef9013

SHA256
56e092b8284cb82723fcce3d902071f2035086cf5362ba12fec36f633be0df18

SHA512
c580ef7e23bbb6b563abf9b16c4854577691ca954df2d9119a5566e6dafb82e0c29a15b5ef4c556c33b5581576e719b5fef9b606e174dd633afd5e4a20c7b201

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
45KB

MD5
810a0ada3673baa333ec4fbeaf02d04a

SHA1
1722ef2009ddc0eaa76122097580d2a1d2da48c7

SHA256
dc265b57db3558ea3af3e7cb0c0365eff5877eac804d08f6204bf83718d68e30

SHA512
6d4615506a3c65d2a497e72f53be6b139a5627bfb7c50d7bc6230e6e17dbaa5602ebcb653fbfb6bf5111069d8d305d8376b9eff0f73dac7bfea905d0ea0bb972

Download Submit
\Windows\SysWOW64\Cdoajb32.exe

Filesize
45KB

MD5
39a90d15427ca2916d660ffca90b480e

SHA1
1e4a89683eb8334245ae7abd911a4b2f8f664a2a

SHA256
7b3d18f6276ab4a3f22ff4867ce6f7cbabc43cb71a8f2b0844a26ad31adfb9f1

SHA512
cf237206092c5bd022569cfcae91fa48f95693a5584e36cbc316c12b2cc97d2e98f1e439560d6a4744ad79bd1b4da74cbeee50fb79f14141e571b52a6b5d38f2

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
45KB

MD5
25f765e82c5520d1a396c3758f6f2909

SHA1
4333c9880a79cd5fe19be4cad636f992a58bb8a6

SHA256
628c31636b01189ef2a3463ac092e3064423332827a34ca7ff68fcc7bbf3cda7

SHA512
7e273a267fccb479d2f982c59a1401c5f704414f876ff5c9e54471a7d912dc0c31819c1018165c445b7c88d0edb701f13b34435395e4afb5d5d1ac2f2ab2ac15

Download Submit
memory/1548-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-128-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1584-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-105-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/2292-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-198-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-48-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2316-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-184-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2316-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-61-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2656-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-67-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2736-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-145-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2844-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2844-13-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2876-193-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-35-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2876-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-154-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2948-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads