berbew | 14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
Size

96KB
MD5

0f05b07440c867ccba1515343cb30233
SHA1

cfa829abeae19568290a7381b96e8fbb6d6c4e94
SHA256

14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35
SHA512

ca0095e2ef2686fa430047e0e95dcdbf7095f5701beedbdf57895d885ddd04f53929ddd0a53c7413189fadce1727275e526d5c9f2de9bc8b1f98b4a610e2a92b
SSDEEP

1536:OCWwH9GA6XrQEMDXe2xXYgItBt4fjVcdZ2JVQBKoC/CKniTCvVAva61hLDnePhVe:OHwaXzaVxXYgItBt4rVqZ2fQkbn1vVAT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 14 IoCs

pid	Process
580	Bqlfaj32.exe
2500	Bbmcibjp.exe
2720	Ccmpce32.exe
2884	Cfkloq32.exe
2692	Cnfqccna.exe
2744	Cfmhdpnc.exe
840	Cpfmmf32.exe
2764	Cinafkkd.exe
2036	Cnkjnb32.exe
2928	Ceebklai.exe
2460	Cmpgpond.exe
1932	Ccjoli32.exe
2172	Dnpciaef.exe
2084	Dpapaj32.exe

Loads dropped DLL 31 IoCs

pid	Process
1708	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
1708	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
580	Bqlfaj32.exe
580	Bqlfaj32.exe
2500	Bbmcibjp.exe
2500	Bbmcibjp.exe
2720	Ccmpce32.exe
2720	Ccmpce32.exe
2884	Cfkloq32.exe
2884	Cfkloq32.exe
2692	Cnfqccna.exe
2692	Cnfqccna.exe
2744	Cfmhdpnc.exe
2744	Cfmhdpnc.exe
840	Cpfmmf32.exe
840	Cpfmmf32.exe
2764	Cinafkkd.exe
2764	Cinafkkd.exe
2036	Cnkjnb32.exe
2036	Cnkjnb32.exe
2928	Ceebklai.exe
2928	Ceebklai.exe
2460	Cmpgpond.exe
2460	Cmpgpond.exe
1932	Ccjoli32.exe
1932	Ccjoli32.exe
2172	Dnpciaef.exe
2172	Dnpciaef.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bbmcibjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1540	2084	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 580	1708	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe	31
PID 1708 wrote to memory of 580	1708	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe	31
PID 1708 wrote to memory of 580	1708	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe	31
PID 1708 wrote to memory of 580	1708	14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe	31
PID 580 wrote to memory of 2500	580	Bqlfaj32.exe	32
PID 580 wrote to memory of 2500	580	Bqlfaj32.exe	32
PID 580 wrote to memory of 2500	580	Bqlfaj32.exe	32
PID 580 wrote to memory of 2500	580	Bqlfaj32.exe	32
PID 2500 wrote to memory of 2720	2500	Bbmcibjp.exe	33
PID 2500 wrote to memory of 2720	2500	Bbmcibjp.exe	33
PID 2500 wrote to memory of 2720	2500	Bbmcibjp.exe	33
PID 2500 wrote to memory of 2720	2500	Bbmcibjp.exe	33
PID 2720 wrote to memory of 2884	2720	Ccmpce32.exe	34
PID 2720 wrote to memory of 2884	2720	Ccmpce32.exe	34
PID 2720 wrote to memory of 2884	2720	Ccmpce32.exe	34
PID 2720 wrote to memory of 2884	2720	Ccmpce32.exe	34
PID 2884 wrote to memory of 2692	2884	Cfkloq32.exe	35
PID 2884 wrote to memory of 2692	2884	Cfkloq32.exe	35
PID 2884 wrote to memory of 2692	2884	Cfkloq32.exe	35
PID 2884 wrote to memory of 2692	2884	Cfkloq32.exe	35
PID 2692 wrote to memory of 2744	2692	Cnfqccna.exe	36
PID 2692 wrote to memory of 2744	2692	Cnfqccna.exe	36
PID 2692 wrote to memory of 2744	2692	Cnfqccna.exe	36
PID 2692 wrote to memory of 2744	2692	Cnfqccna.exe	36
PID 2744 wrote to memory of 840	2744	Cfmhdpnc.exe	37
PID 2744 wrote to memory of 840	2744	Cfmhdpnc.exe	37
PID 2744 wrote to memory of 840	2744	Cfmhdpnc.exe	37
PID 2744 wrote to memory of 840	2744	Cfmhdpnc.exe	37
PID 840 wrote to memory of 2764	840	Cpfmmf32.exe	38
PID 840 wrote to memory of 2764	840	Cpfmmf32.exe	38
PID 840 wrote to memory of 2764	840	Cpfmmf32.exe	38
PID 840 wrote to memory of 2764	840	Cpfmmf32.exe	38
PID 2764 wrote to memory of 2036	2764	Cinafkkd.exe	39
PID 2764 wrote to memory of 2036	2764	Cinafkkd.exe	39
PID 2764 wrote to memory of 2036	2764	Cinafkkd.exe	39
PID 2764 wrote to memory of 2036	2764	Cinafkkd.exe	39
PID 2036 wrote to memory of 2928	2036	Cnkjnb32.exe	40
PID 2036 wrote to memory of 2928	2036	Cnkjnb32.exe	40
PID 2036 wrote to memory of 2928	2036	Cnkjnb32.exe	40
PID 2036 wrote to memory of 2928	2036	Cnkjnb32.exe	40
PID 2928 wrote to memory of 2460	2928	Ceebklai.exe	41
PID 2928 wrote to memory of 2460	2928	Ceebklai.exe	41
PID 2928 wrote to memory of 2460	2928	Ceebklai.exe	41
PID 2928 wrote to memory of 2460	2928	Ceebklai.exe	41
PID 2460 wrote to memory of 1932	2460	Cmpgpond.exe	42
PID 2460 wrote to memory of 1932	2460	Cmpgpond.exe	42
PID 2460 wrote to memory of 1932	2460	Cmpgpond.exe	42
PID 2460 wrote to memory of 1932	2460	Cmpgpond.exe	42
PID 1932 wrote to memory of 2172	1932	Ccjoli32.exe	43
PID 1932 wrote to memory of 2172	1932	Ccjoli32.exe	43
PID 1932 wrote to memory of 2172	1932	Ccjoli32.exe	43
PID 1932 wrote to memory of 2172	1932	Ccjoli32.exe	43
PID 2172 wrote to memory of 2084	2172	Dnpciaef.exe	44
PID 2172 wrote to memory of 2084	2172	Dnpciaef.exe	44
PID 2172 wrote to memory of 2084	2172	Dnpciaef.exe	44
PID 2172 wrote to memory of 2084	2172	Dnpciaef.exe	44
PID 2084 wrote to memory of 1540	2084	Dpapaj32.exe	45
PID 2084 wrote to memory of 1540	2084	Dpapaj32.exe	45
PID 2084 wrote to memory of 1540	2084	Dpapaj32.exe	45
PID 2084 wrote to memory of 1540	2084	Dpapaj32.exe	45

C:\Users\Admin\AppData\Local\Temp\14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe
"C:\Users\Admin\AppData\Local\Temp\14c73deb94295e9e8479e3e4fa25a25ce6487faf85bc7973f7a692d3894eea35.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\Bqlfaj32.exe
  C:\Windows\system32\Bqlfaj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\Bbmcibjp.exe
    C:\Windows\system32\Bbmcibjp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\Ccmpce32.exe
      C:\Windows\system32\Ccmpce32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 144
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
96KB

MD5
03571ce40bebea90c93a340dbb38fdcc

SHA1
18a89d841f06565a77b55a4dee23bf19fe622a53

SHA256
68d071236cd1a2df56b7cf1efe86f06f44d787778dfe906ae8a7395204fcdb6f

SHA512
be60852b38d74f849c967f02c8533451d1d1e10dc1b84968d81d7000e017f17db6a7074853625d97526ac8b575b1fafb8092fc5f75eec98890b2476ee7c6d855

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
96KB

MD5
ff239130425afaa907beb8b30a414c33

SHA1
5bbd0bd4feea4327ccfdc96a16d4d08545d9b469

SHA256
e9c20bf9bb07795af0e517fc98255a7552582cd7bd46cbd3c8ba79322bd89206

SHA512
5ec7eaae85d79baebaf5f395f6a8435a99e3dcd0a381618f7caffe23e2090c38abb3490d9674c637ecc6d4dd2b4106a6eebf3f75f842d8f521d6819068c782e3

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
96KB

MD5
4a8c7d5b397f7587d879319b85e268bb

SHA1
577f87911fa3408efba32bcac09bee264d856029

SHA256
1e4ad8f36d7d75dd6602cda23ee0f75f531f05fe5ecefa6235289e823bc12463

SHA512
434406471479f4f01520bf86bcdd9bfd7c8421c1c7c738fa869370cd02ebfc53b4caef9d3e636c9967002b41d79ea9821e3f50fe2ca6d3f2e5b5233e8f8d9b6e

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
96KB

MD5
2e71e8fc48e72470aba1ef25fbcc4adc

SHA1
7ca02edc6d32f057f524148f4d7d204c3bfb32f7

SHA256
1a14b28435e4e74e523a41bd500a73fb2c1061dde19986d77324ac8183d9801b

SHA512
25ef1fe27144399d5be6b1fa9dead2856558b3619921f383a8383a995b1eb6bf309724e532d592f082abf6a0c84ef9d9aa84752f7fda3d5ec24293543506caad

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
5eea27c8e6f2dd400ca9d953221267a3

SHA1
ca730173f6b53f62eb2424954b8659aaf3fef24d

SHA256
53a7c8a79f423ed3a4df1cbb4ffbbf14bcd10d094d24a4376262c9cf366dbf29

SHA512
a4bf43a8ba56580fce3fedb1890ed02d7995f79fab915101ca8dbf02a6d6a00b3d28f5282001d35085008259afaefbc9d5d1a420cb86859cbb36b57238ca6c4f

Download Submit
\Windows\SysWOW64\Bqlfaj32.exe

Filesize
96KB

MD5
7ab8884f9f031464e1ec34b3fa7b03dd

SHA1
6a3d7c45263af24649cb5a1a7e3b08bd23480a34

SHA256
d0695141270c12b9559d60279899b3755fd16357758ba8044d3ca10413ff6d61

SHA512
5e5882a712515b6ff66afb6a167cc5a157b2edbba411400b53a02a86dd4daf982e39c31fe5730583fc8a05c36810a29661566ef5672ee92def5f419b4345b668

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
96KB

MD5
a93a1150a697c415ab83f4a0bf88a089

SHA1
677ebcd58ba7b49fc1aef6ac09746b9f5d5235b8

SHA256
87f6cec5e45a67cca01c4a2fb7a8df83e92572ce8b6954b9114d6339ee2d0836

SHA512
d0f7ffea31a8bcc9dfe0000b51a23ff73aa838a41ab3cfb6d38ac896318d507c4701f802335becfa41707c75d39ae1866d75d99b890b33afbe53e6fa98228f2b

Download Submit
\Windows\SysWOW64\Ceebklai.exe

Filesize
96KB

MD5
f696665a05764ec5ae4720825915f460

SHA1
66c233a83dab57e797290ee62f7e6c817d2f97df

SHA256
a010f5f4e538ee02c2ee4b1e96f80219691afc2890d5e953f82cfa0068c31578

SHA512
1a03c9f1790a8a835933cfd77a67a2a14a54740082708c8e7ffa35a3478ba3f43fe7efc80a41c95bc687da246c90482a566f6e2cec1b8c148ea87fc4c1c06daf

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
96KB

MD5
fe3e570d02647ddd093c9f18e02a39d9

SHA1
2f092ef565c3c5ddf58ab59ada0e5dbb710ac67e

SHA256
d2855564a25adac7cb109a161dd898e00c92d20a9d2b5455ea8b8c71c4c76312

SHA512
8243017d64119561eac4a6ee7bf93a6822dc392383c2b908982a4107304fedf4cb91b30b85aef31ec769aba6d4aa01d73dfb7244844421a3b02d5694f091ac89

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
96KB

MD5
778a47d9053c2f420f14442c93e1fcb6

SHA1
09889bff3610dc6467da6f353f1f57e26b610953

SHA256
60ed39233caedae61b89414185a482f4603f2134b857c4356b5154b4b8998fbb

SHA512
359b54505b7a922db7742d09055377cab1154fd6125232aa9fe7bf03e5755f5ea50f019e77e964cc7b730448d81195005b8f54f51a42b8119bcc978f9dccc26d

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
88cb51d1c00bf6adb3282c5470e58f01

SHA1
469013c1756fe79bc99387cc40d094f81ceaa8e9

SHA256
1aab3c023b1c17b3a74f80648ab7031e7c1491738591c8faa68a3a2c64736d57

SHA512
d0fdd8f6a46af5a983804248a7ff18bbbd423fe5629644a272a03e1eab975b247269c93c2cd6f19f6417cf05a15c5b5bf88b2d1b1328c95376ffd3ec169d24f7

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
96KB

MD5
e468e995eda5af1dd4f9c0a1879d9dd7

SHA1
89908067a2750abafdfa2933f19e8d9ace8d42e5

SHA256
867a89026b103126e62f840619368560384677e989da66762c75b21e4e2c2bc5

SHA512
7e98a493b341dc31f65f60c9d25806729c7f69b7f7dc8e69c0498452c32237cca4eb899ea709a21f891a8c5824f74403a26e9e8bbeb73afc67d6a6b144f06562

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
96KB

MD5
aa37714be1f36d91e8cbb1d1d75992da

SHA1
33fe3a3dcd81c1afcfcb97e21b415eb3bcbb0bb5

SHA256
0f3eb430ae6b39352b1fb63cbd560bfe9ddab68f9b5963ec36d9972d6285607f

SHA512
d779a1021583677ed5128e366ade2fa960cfec1178c2ebc97087e3f56da4cdb98a87d28c1d254674efbf11d3296ac1e46b038788dacd5e2b4c73c788dbdb4ea5

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
96KB

MD5
37a97690f59090e0167ceba67bd04da8

SHA1
d1ad3f6247eb68e2cdbc08cc00c6d2d7ff90da41

SHA256
c44a9ac5a4e750a686e69714f55dbc08312eaa50033bd1fe2b5c896a6c623f4f

SHA512
0718e127340652c0ee3b286ca7c725190a265a34c60ee634773e43b8bdb6387fae3319dbeb907cfba446a767f4094ddd52b9f9bf02f1fc364e18efe926cda95f

Download Submit
memory/580-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/580-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/840-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-55-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1708-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-12-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1708-13-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1932-174-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1932-213-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1932-182-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/1932-190-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2036-131-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2036-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2036-144-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2036-189-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2084-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2084-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-191-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2500-34-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2500-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2500-27-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-123-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-84-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2692-85-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2720-94-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-96-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2764-125-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2764-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2764-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-64-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/2884-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-115-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/2928-146-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2928-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2928-155-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads