berbew | 04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 05:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
Size

80KB
MD5

4779cbc7e455950301520284da498c40
SHA1

0c35bdd333ef52d23370866b7336f64ffb72482c
SHA256

04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522
SHA512

8eb70aa060126ef924ecfa0cafb7c9c55b4ef942450c8d982c1bb79ffd461bfe77daf6cc062a78a8272ae2d28261f921b35c9ce8d46c77fc36f5a20d4302c0b6
SSDEEP

1536:GMmqMOW4RPFz5gBqgv0+tud30vJvfdt+o/hzDfWqdMVrlEFtyb7IYOOqw4Tv:FmqMOW4RP3gv06udkvJf+o/hzTWqAhED

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 15 IoCs

pid	Process
2400	Cnkplejl.exe
1204	Cajlhqjp.exe
2404	Chcddk32.exe
2544	Cmqmma32.exe
1852	Cegdnopg.exe
3876	Dfiafg32.exe
5060	Dmcibama.exe
1972	Dhhnpjmh.exe
4648	Dobfld32.exe
2808	Delnin32.exe
800	Dkifae32.exe
736	Dmgbnq32.exe
2392	Dogogcpo.exe
4888	Dhocqigp.exe
3836	Dmllipeg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4732	3836	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 2400	3612	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe	82
PID 3612 wrote to memory of 2400	3612	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe	82
PID 3612 wrote to memory of 2400	3612	04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe	82
PID 2400 wrote to memory of 1204	2400	Cnkplejl.exe	83
PID 2400 wrote to memory of 1204	2400	Cnkplejl.exe	83
PID 2400 wrote to memory of 1204	2400	Cnkplejl.exe	83
PID 1204 wrote to memory of 2404	1204	Cajlhqjp.exe	84
PID 1204 wrote to memory of 2404	1204	Cajlhqjp.exe	84
PID 1204 wrote to memory of 2404	1204	Cajlhqjp.exe	84
PID 2404 wrote to memory of 2544	2404	Chcddk32.exe	85
PID 2404 wrote to memory of 2544	2404	Chcddk32.exe	85
PID 2404 wrote to memory of 2544	2404	Chcddk32.exe	85
PID 2544 wrote to memory of 1852	2544	Cmqmma32.exe	86
PID 2544 wrote to memory of 1852	2544	Cmqmma32.exe	86
PID 2544 wrote to memory of 1852	2544	Cmqmma32.exe	86
PID 1852 wrote to memory of 3876	1852	Cegdnopg.exe	87
PID 1852 wrote to memory of 3876	1852	Cegdnopg.exe	87
PID 1852 wrote to memory of 3876	1852	Cegdnopg.exe	87
PID 3876 wrote to memory of 5060	3876	Dfiafg32.exe	88
PID 3876 wrote to memory of 5060	3876	Dfiafg32.exe	88
PID 3876 wrote to memory of 5060	3876	Dfiafg32.exe	88
PID 5060 wrote to memory of 1972	5060	Dmcibama.exe	89
PID 5060 wrote to memory of 1972	5060	Dmcibama.exe	89
PID 5060 wrote to memory of 1972	5060	Dmcibama.exe	89
PID 1972 wrote to memory of 4648	1972	Dhhnpjmh.exe	90
PID 1972 wrote to memory of 4648	1972	Dhhnpjmh.exe	90
PID 1972 wrote to memory of 4648	1972	Dhhnpjmh.exe	90
PID 4648 wrote to memory of 2808	4648	Dobfld32.exe	91
PID 4648 wrote to memory of 2808	4648	Dobfld32.exe	91
PID 4648 wrote to memory of 2808	4648	Dobfld32.exe	91
PID 2808 wrote to memory of 800	2808	Delnin32.exe	92
PID 2808 wrote to memory of 800	2808	Delnin32.exe	92
PID 2808 wrote to memory of 800	2808	Delnin32.exe	92
PID 800 wrote to memory of 736	800	Dkifae32.exe	93
PID 800 wrote to memory of 736	800	Dkifae32.exe	93
PID 800 wrote to memory of 736	800	Dkifae32.exe	93
PID 736 wrote to memory of 2392	736	Dmgbnq32.exe	94
PID 736 wrote to memory of 2392	736	Dmgbnq32.exe	94
PID 736 wrote to memory of 2392	736	Dmgbnq32.exe	94
PID 2392 wrote to memory of 4888	2392	Dogogcpo.exe	95
PID 2392 wrote to memory of 4888	2392	Dogogcpo.exe	95
PID 2392 wrote to memory of 4888	2392	Dogogcpo.exe	95
PID 4888 wrote to memory of 3836	4888	Dhocqigp.exe	96
PID 4888 wrote to memory of 3836	4888	Dhocqigp.exe	96
PID 4888 wrote to memory of 3836	4888	Dhocqigp.exe	96

C:\Users\Admin\AppData\Local\Temp\04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe
"C:\Users\Admin\AppData\Local\Temp\04abef5a344f336704e9120792d01fe4c1cdd598afc8312e7156c67a34528522N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\SysWOW64\Cnkplejl.exe
  C:\Windows\system32\Cnkplejl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\Cajlhqjp.exe
    C:\Windows\system32\Cajlhqjp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\SysWOW64\Chcddk32.exe
      C:\Windows\system32\Chcddk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 396
        17⤵
        Program crash
        
        PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3836 -ip 3836
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
80KB

MD5
97c76c43174476dd1122538597b13729

SHA1
2decb6b1c81582c9bc3e6a46798498fbfeee1ef5

SHA256
aa1fa16c65f523cd5c61da5f5644ef3d44763ef3ebb679adbef2e9cabe17e184

SHA512
508af1a255b02ef14851a35d83be4230a78ba74b97d87d8a6ff8bc49b018fbe1c226ea0cced840b964090506617bc23793ace01e5f258e3fafd096749f33b0d7

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
80KB

MD5
b328864f56eb35d441edc7caf73d6a0f

SHA1
df9b92e8e5c2a4e30f316095475b9969ccbc7d3c

SHA256
c08d9afbe046091ea7f4bd5b11458508967a203c59e7b1f0f5c319d0dc0acbe8

SHA512
ffea506ebe3aebabb81d0db8ba3652da3bf5c27fc0757d9481641f2e8474fe0055891dfa3148e9cec8bb28d52e88affe226d1ecaa2b5f203049973fc5b4c1dbc

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
80KB

MD5
ba2b414e4fac5d19c4a1a72a7f7ac862

SHA1
19b50628dfe896a7bfc023eb32ee729937113d96

SHA256
51683820b52ce6121de6e0f68ba9007dc4c9acbabde76010ec2e66296b29d008

SHA512
34d840a2490a62bc2e44fafd34425c48ad128d945a9862f2961062965d53be5b73cc6a371e5d1c3c20032c95cee88ad45202035205e9ca64a6bc8d42c039a93b

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
80KB

MD5
8d4295c960da35c8f45f617e70814ec9

SHA1
cb30f0b84d7a5ee2e2d9c4b8a0e1a0b4ed002c21

SHA256
75ddda06fd21348d602e526a4b93dbbf49347096e729944055a7bf430421240b

SHA512
78c81aab2953fee022ee8c84861cc4c83696c9a572be400c1fe0ff10c37d90b66465e1c95ce78e735cc25232c8a1dca6a9a2560c7d9aa4272d30b005b4e27e61

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
80KB

MD5
1f10fa2293d5257398a0cd83df8ef979

SHA1
5af11ac17559a5d57a05ccb5952458d33e607de2

SHA256
fadfce1dcdc6661d04b13227551f014711c9d414527d81a6bf3121b2a7575190

SHA512
6c4b49066285cc7822f16b97d6f7d8a63645a4046e06218ae2adea9be8f7f8babb4fca8e4421c523443d518b8e05d215f578b9a513a8571519d14161e6566238

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
80KB

MD5
c892359ea51149d1c2d91b76f51e347a

SHA1
d8d819a4317f58e5452a9ffd4ce578631e59ec1b

SHA256
5c354ff260f60d44b3b7f72052f05a75553e4ac4cbd5b81bec28dc115f83029f

SHA512
6b78cba0a4ddad88f55bea200c184efd09e6821076e71bc59ccef7854ce6956b55c969bc3659b0ff7a1f59ff1aac8f615429e9f285f7badaeff1c09e0a89f119

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
80KB

MD5
860bf3be3024456bfef8d6dd00d631a7

SHA1
45e7381f58f21446f9717c54daf9027a628ae1f8

SHA256
776b278aad205321c6fc10f7ed390db534c38642b07a9a2ef2d941fd4d87a450

SHA512
51eb36aea9dc85224ecbd1ffad8468ada6be0ab508429dc6af370fc201707cb7cc0279350c6965f432d803a49ff05e2c45c292bf5a01f53d424a1675dbf954aa

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
80KB

MD5
b0dd8d62f4158fa0a6b96388b2496fd7

SHA1
e15657f360273a9a319cb3bddc6b10d8a4e1e435

SHA256
c4abf401cf837b2b760b0122606a29b98fb31e7bece0a3232742c77fd8fd4533

SHA512
7e1f6038cab711891710109bee17dc712483caa9c3a00e4075a02fe7e449016f347a2143ab20016797ebc9f0fbaaf015146a07885474ebd018ddffad96b8d01f

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
80KB

MD5
68122d06779728b27cee5e3bff55af12

SHA1
0b5f5c597d193be542206b73af9110b0fdbbd887

SHA256
34d94db7f9766baeeee36740fd6c7ccde2e95d8fd07feff1412de1e075f47183

SHA512
1e7020ef65798fea06a8e6a4575e7200077c467480f0375c7d34315bb347b63284bff5651ff80c8be87368a4d8f7f6516a59386b188e490d5c6eaded533b7585

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
80KB

MD5
654c4d197e72db2a8ebf750ded1c6d41

SHA1
76588fac5e41f9315a19f6a36a263ea4ef1f8265

SHA256
4ab6e7c21051535b65620fca026989c354f9309b174696da6675e0559a914001

SHA512
48aa3803e1ddf1037a293ca79abc785996d821cb49973f83b2c644503b2cb3b75aff1001f60a27996fec6007e956a158b133e333431834aee2484377e0a492e5

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
80KB

MD5
b519bedaac2266a20211750026a87211

SHA1
db1c6348747cff10108997b1f593bb739bf7ef5a

SHA256
7bf3cb75176cec5dd731f0f04aacd0cea1c4159d2e1705888e545ac71c7520b1

SHA512
1c3faaac70bfe818b444c334a634cce3435a88515711d7af2c7701710309d2d3c1c477aa91302625ce45dd7b6adda0b8b56618072ea63756a144d0f4bdfab14d

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
80KB

MD5
d4425e7c4849ec4acedb3b519714b662

SHA1
1426ac26a62dd3db0b9a8fb0626ec975061881c1

SHA256
9ae861fe8e417f5f48e61b7a8583e4f3d7443fdf2bea996e785b3ebd24509a20

SHA512
571a35d4cc87ad9878582a3957298373fd78dc944bf4352233b9cf2a20ee89cee442907038994535f0afe7adf25b5e6324c8d76a5e77fbbec557868426005947

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
d882545753b45235c3eeaba3ed6fd2c6

SHA1
299e8052e2c4d9f6a12c373ad82f7ba5b96feaac

SHA256
2248e7934570f1bb20c6395384b851683e479fa6a93654a722d7f3c7f2feade5

SHA512
ac1296d2edf138ebb6771d170fb56479c38961d87a06aa96717bc61a9b1ea7ec6ab670055974eb02b0d3492d4dd4d9b3016e624c0ea538931cdf096b02b3a4ee

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
80KB

MD5
8444280134cd71a65a79eed9d465ca3a

SHA1
2d05b313f79d1f2c97afb9b134a3b8fcbc7b1251

SHA256
2a733b1825deac89b85da2e413f8bcb597802b3101f4a1db56489abfba01cca9

SHA512
fa81d286a0eda9a5da2e7160782700c571506c28912af505ae32da830055c5f8f0cd7f771df7cfa19b8cebd1acf9750949e39ff6ab04faae37d8d641c4066c42

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
80KB

MD5
27e34415afc49538bf76475812f48988

SHA1
5807e6f5562b8ac3cdbe4f728086b0275ed0e5c2

SHA256
e7992a9a83427b2abf5378b2c353ff80840e18cfc96b781d9f7f83b160dc5e3b

SHA512
18e729591398fbca2b9f8e6ad9be77e41398a83330ef5507da1f54a256cd24bf95932b90730c32bc7dff8f6ad3acbe3c33387e67ae367598519a49c3ae78f117

Download Submit
memory/736-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/800-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/800-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-131-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3836-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3836-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3876-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3876-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4648-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4648-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5060-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5060-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads