berbew | 4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 00:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
Size

94KB
MD5

9621cbfbe91f4d6a241ed791e161a150
SHA1

848471aa7753f625e3aa442d0867c77a1232bc23
SHA256

4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471f
SHA512

23c467d0605fcec603deb4012ea47c39d4f35f8cde8b6796bc8f2b16c50ef0d61912df026cd92aecbe8fab15cfd38a8cb9caf8b332390c1db0d37a370d5082f5
SSDEEP

1536:sCqbNHMieNDHXa+Gnl3WQLow2M6t1S8JW5LPHq39KUIC0uGmVJHQj1BEsCOyiKb5:szbNsicDXa+Gnl3WUuPt1dJW5jH6KU99

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 14 IoCs

pid	Process
2344	Boogmgkl.exe
1960	Bfioia32.exe
2704	Bigkel32.exe
2884	Cfkloq32.exe
2964	Cnfqccna.exe
2712	Cgoelh32.exe
2628	Cbdiia32.exe
1656	Cinafkkd.exe
2868	Caifjn32.exe
2780	Cgcnghpl.exe
2316	Cnmfdb32.exe
2336	Cegoqlof.exe
2176	Dnpciaef.exe
1788	Dpapaj32.exe

Loads dropped DLL 31 IoCs

pid	Process
2544	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
2544	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
2344	Boogmgkl.exe
2344	Boogmgkl.exe
1960	Bfioia32.exe
1960	Bfioia32.exe
2704	Bigkel32.exe
2704	Bigkel32.exe
2884	Cfkloq32.exe
2884	Cfkloq32.exe
2964	Cnfqccna.exe
2964	Cnfqccna.exe
2712	Cgoelh32.exe
2712	Cgoelh32.exe
2628	Cbdiia32.exe
2628	Cbdiia32.exe
1656	Cinafkkd.exe
1656	Cinafkkd.exe
2868	Caifjn32.exe
2868	Caifjn32.exe
2780	Cgcnghpl.exe
2780	Cgcnghpl.exe
2316	Cnmfdb32.exe
2316	Cnmfdb32.exe
2336	Cegoqlof.exe
2336	Cegoqlof.exe
2176	Dnpciaef.exe
2176	Dnpciaef.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	1788	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2344	2544	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe	31
PID 2544 wrote to memory of 2344	2544	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe	31
PID 2544 wrote to memory of 2344	2544	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe	31
PID 2544 wrote to memory of 2344	2544	4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe	31
PID 2344 wrote to memory of 1960	2344	Boogmgkl.exe	32
PID 2344 wrote to memory of 1960	2344	Boogmgkl.exe	32
PID 2344 wrote to memory of 1960	2344	Boogmgkl.exe	32
PID 2344 wrote to memory of 1960	2344	Boogmgkl.exe	32
PID 1960 wrote to memory of 2704	1960	Bfioia32.exe	33
PID 1960 wrote to memory of 2704	1960	Bfioia32.exe	33
PID 1960 wrote to memory of 2704	1960	Bfioia32.exe	33
PID 1960 wrote to memory of 2704	1960	Bfioia32.exe	33
PID 2704 wrote to memory of 2884	2704	Bigkel32.exe	34
PID 2704 wrote to memory of 2884	2704	Bigkel32.exe	34
PID 2704 wrote to memory of 2884	2704	Bigkel32.exe	34
PID 2704 wrote to memory of 2884	2704	Bigkel32.exe	34
PID 2884 wrote to memory of 2964	2884	Cfkloq32.exe	35
PID 2884 wrote to memory of 2964	2884	Cfkloq32.exe	35
PID 2884 wrote to memory of 2964	2884	Cfkloq32.exe	35
PID 2884 wrote to memory of 2964	2884	Cfkloq32.exe	35
PID 2964 wrote to memory of 2712	2964	Cnfqccna.exe	36
PID 2964 wrote to memory of 2712	2964	Cnfqccna.exe	36
PID 2964 wrote to memory of 2712	2964	Cnfqccna.exe	36
PID 2964 wrote to memory of 2712	2964	Cnfqccna.exe	36
PID 2712 wrote to memory of 2628	2712	Cgoelh32.exe	37
PID 2712 wrote to memory of 2628	2712	Cgoelh32.exe	37
PID 2712 wrote to memory of 2628	2712	Cgoelh32.exe	37
PID 2712 wrote to memory of 2628	2712	Cgoelh32.exe	37
PID 2628 wrote to memory of 1656	2628	Cbdiia32.exe	38
PID 2628 wrote to memory of 1656	2628	Cbdiia32.exe	38
PID 2628 wrote to memory of 1656	2628	Cbdiia32.exe	38
PID 2628 wrote to memory of 1656	2628	Cbdiia32.exe	38
PID 1656 wrote to memory of 2868	1656	Cinafkkd.exe	39
PID 1656 wrote to memory of 2868	1656	Cinafkkd.exe	39
PID 1656 wrote to memory of 2868	1656	Cinafkkd.exe	39
PID 1656 wrote to memory of 2868	1656	Cinafkkd.exe	39
PID 2868 wrote to memory of 2780	2868	Caifjn32.exe	40
PID 2868 wrote to memory of 2780	2868	Caifjn32.exe	40
PID 2868 wrote to memory of 2780	2868	Caifjn32.exe	40
PID 2868 wrote to memory of 2780	2868	Caifjn32.exe	40
PID 2780 wrote to memory of 2316	2780	Cgcnghpl.exe	41
PID 2780 wrote to memory of 2316	2780	Cgcnghpl.exe	41
PID 2780 wrote to memory of 2316	2780	Cgcnghpl.exe	41
PID 2780 wrote to memory of 2316	2780	Cgcnghpl.exe	41
PID 2316 wrote to memory of 2336	2316	Cnmfdb32.exe	42
PID 2316 wrote to memory of 2336	2316	Cnmfdb32.exe	42
PID 2316 wrote to memory of 2336	2316	Cnmfdb32.exe	42
PID 2316 wrote to memory of 2336	2316	Cnmfdb32.exe	42
PID 2336 wrote to memory of 2176	2336	Cegoqlof.exe	43
PID 2336 wrote to memory of 2176	2336	Cegoqlof.exe	43
PID 2336 wrote to memory of 2176	2336	Cegoqlof.exe	43
PID 2336 wrote to memory of 2176	2336	Cegoqlof.exe	43
PID 2176 wrote to memory of 1788	2176	Dnpciaef.exe	44
PID 2176 wrote to memory of 1788	2176	Dnpciaef.exe	44
PID 2176 wrote to memory of 1788	2176	Dnpciaef.exe	44
PID 2176 wrote to memory of 1788	2176	Dnpciaef.exe	44
PID 1788 wrote to memory of 1776	1788	Dpapaj32.exe	45
PID 1788 wrote to memory of 1776	1788	Dpapaj32.exe	45
PID 1788 wrote to memory of 1776	1788	Dpapaj32.exe	45
PID 1788 wrote to memory of 1776	1788	Dpapaj32.exe	45

C:\Users\Admin\AppData\Local\Temp\4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe
"C:\Users\Admin\AppData\Local\Temp\4179dbb6bf41497710449f6ce9f2f23fd53c0aa1230f27fe5423e9e812bc471fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\Boogmgkl.exe
  C:\Windows\system32\Boogmgkl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\Bfioia32.exe
    C:\Windows\system32\Bfioia32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\Bigkel32.exe
      C:\Windows\system32\Bigkel32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 144
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfioia32.exe

Filesize
94KB

MD5
0b3eedcbf2584b17c67ea14d3e31eb37

SHA1
0f45d9e4548edf6fb27b830af21fa2592e88f20e

SHA256
8afcb083fcba4524a2e3af3f99218b35862cb80b4143bd69c0be338b9dd8d5a6

SHA512
af478ed4ae3045d5143974bf961f22d020712c3d35d280558dfa8274bdf8c500a419cf405c7ab7ccec7150faadc1f9d3b7ec740a38920c7f7de3eb76a921cab5

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
94KB

MD5
259f098788ee39380878330184389ccf

SHA1
2de9ed7fdb8e411c41efa68a03f8f74ad2ff0286

SHA256
523036d468364664552a0ebfb36345fac22341798539a1faed7da599c4d1e1c1

SHA512
85119dd361204da408922a54f3f2966a6e49d7073af3e5916c533aa1f416ba4ace59b359404e72b5b2b5619b95f2dde049d05c3624f39d1747da5f9a7122d403

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
94KB

MD5
6aca25fdcddfb6d86e013b8a9ee031ab

SHA1
166cc6d5b40b844874491bcd1d807d15dc0a6820

SHA256
464fe39a91a095f0cae1ef15fc0908ad7369aa10093fa730baee5b4994bc1fd0

SHA512
92b02e8bbe685cba9016540ce943d6c8f4a4c1a78dedd9cc470b14aa8e683464e0801fb3c30a7090ca8dbfd91807849455e1526034be19a693792d2cde7554a1

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
94KB

MD5
25ef830c6644cc909f6e73c1203cf021

SHA1
5bf97e7f08e1fac170b8f60c9af67e328890d6ba

SHA256
8b02da8b5a6d8802258b0da7808e7f68e875b3a4739d1af8c3c74a26f65c564b

SHA512
24e5f68b042803460b0a97369f62edf37f68009ff4071834d24b2311e93fc0f1e98c2418a6994dbc78516decc7cfecb4981c3fcaefd2984b01b53579b53dd8f4

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
94KB

MD5
3ff3c0a4477ad133e1512550e16fe2c6

SHA1
f156077a018aeab4957473f95dc8c5174c0a4d05

SHA256
0bbf6fbc0d83e4f022e73f54fc1975a5ec203a5fb88d7a2cf26eaa0b810cadc6

SHA512
2e08d938f563adb20cd7ae2f59cb6a99f82b27cc256e15c41e6c5ed18e62733b8d860380fd86f8dae040f31a5691d368d3135bbffdf7bf8383a5d4ac168b4779

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
94KB

MD5
5d1dc177ecd8843cfb7e15e12da32dc3

SHA1
5d4b3b3e683ac300bfa79706f27a6c612c6f2192

SHA256
893dc7d1ea2b24b4a6a13a404f76831da02991d461851ba324c99a5ccb64328f

SHA512
18863bbd723c5c937ff2750e0c924be590bcde00a47d4396b546ed1ec1bb7a2720b02f876ae344215f37586744215686e844b3232c0cc03335aa7521c10880fb

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
94KB

MD5
49182a61b0771677d83a4811618ba45c

SHA1
00c1cfe7913f0fee33c1ae4cfd4b121c12fdbbbb

SHA256
32a3292b79925581b92dfec9c1680cb56466b1564a1304d962381c8bd9de81b2

SHA512
8958614061076b8c43182fdb6b06bdb16e610de618ff805149ece042b88e5662579372433d4c81bdb58d6207f3644aa023f892ae16d1aa918631a16bb16c2d22

Download Submit
\Windows\SysWOW64\Caifjn32.exe

Filesize
94KB

MD5
dd96c212a029b6e57f18a62e199261a0

SHA1
5942db8ecd1b755be737352e3a8a896aef63759d

SHA256
10f93c551f0477ec0400c1d448c612fce7d4a1c72a123f2ee2242dbbddfcd6e4

SHA512
fa78581607c93f1a0e31baf87aef4787791993dfd91162e50cb726558f1cbbf53768e5a811161a338a1bfc473d317e7b0ae548355ed91da73b068a653732d45f

Download Submit
\Windows\SysWOW64\Cbdiia32.exe

Filesize
94KB

MD5
547ba5b74a8656a82ec7546e536a2ee5

SHA1
96f230c69c30565f073e5a983d2b1a5168cd435c

SHA256
11815958980f513295c2a9309edd3ecd3613a8d289897c55b966309f9b22e9b0

SHA512
124ebb224d5d265afe3560d593bd5329fb1bed504466375b28f65d31adc2cce2f342714189e81fbb17de30d27d912bf3720d988faf4247496e4561e3a7ba71ef

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
94KB

MD5
1323b96f8c03155194b2fa3f01cac2fc

SHA1
a2e8aa91040ac2f6906b34272493a5c770a2b1a6

SHA256
20f6d52f7af69e672319331a939ba2d5d8505857cbe1928eaaad7ca706e4b2ae

SHA512
6cf40fe205ceb75ccb5405287ba7ba608d0bf8d39e6820aedf2c70a3cc1d047510cdb024db6d83bda6277f3ce06d8cf3b0f7b9294f61fe8d461fa744bff53eed

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
94KB

MD5
88223c56c1625b424c1ccb2c648b91ec

SHA1
0c5fa3a8947665e3737ba37af02920f694d7173f

SHA256
e471e0a33c89a246543d4c141e9397cfe3630b15a862293adc8d015b5f36ff43

SHA512
ebae9e8ffc6a29b200bd3bf39b15ac7ecffcea51ebf8989287b099a7b7805d4941adffdc461e606b668635b1d2b6d3d5610b607525dcae5018fe256a2ad1f092

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
94KB

MD5
24ed921df46ba532ab66d484127adfa6

SHA1
7dfece6bcdacc4bbb5cbf6add647f6cbba32f004

SHA256
080f88685b200ac76fa7ffed020621d77c9b01fc0e92059c873ac978aae726bb

SHA512
35178888f276bcfdad55af13661558ec6c927d6fe62b69cda6051b518278f30614253cd5e3fbea6121307ecdb546ad88e82627ab486412db6728a18d56577db6

Download Submit
\Windows\SysWOW64\Cnmfdb32.exe

Filesize
94KB

MD5
e872a7586915ee26377fd1a2d27cff8b

SHA1
3391944c8fce44f7829f4ab4d32280ddd19ad926

SHA256
4b02273127ce169d05eb3cdd7f3aaf3c21a473f9e4df5cdd07b80904b7d715a5

SHA512
f28f8b3492628aa49a1df549c6c6cfe3cf5f0ee67275631bb98e1409e5e372cc0dfbb098187a1dc94fe7e8c11288ee58a4e5b04afa84e5d2461471b92716d0de

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
94KB

MD5
832f314afe4947cd81342d3d9a355b22

SHA1
c1eac61907166d58dcb410adb5874bc5ce6c4484

SHA256
8c8c6460ef368e435d2d8ac29b979ce2b5aabc9f2a47a7b1e40d3ed007ce6ef6

SHA512
6b3ca61c529fb19d9fc6939572ab27fcd94383647f964f3f85b8a543cc3b170dac6db8f425cfa8bcd0ec0c5f99ec61ed4a57119e6c00aaed1bef7e9106b53ce7

Download Submit
memory/1656-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-115-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1788-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-34-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1960-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-168-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2344-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-12-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2544-13-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2544-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-52-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2704-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-89-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2712-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-141-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2780-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-61-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2884-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-75-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2964-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads