berbew | f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Size

163KB
MD5

eb56e501de3516a6e3a2a649ce88b8f0
SHA1

39b42c2be4911f59268c27a6e29fb7bbc91c3473
SHA256

f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817
SHA512

5a28320ccb49eaf0c188bbdaebfcd611ca881f12b3c90a1a14bfbb990e4e6cbd4b44dd8af67db37c1172a04b17ea66b3a919ac2f02329479df212da2ed87263c
SSDEEP

1536:P5JWsetVI4O5xUxcLMFZF05cKGxeAWWKlProNVU4qNVUrk/9QbfBr+7GwKrPAsqE:BJWsePI4OUxcEZNKltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmladm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckdkhq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 15 IoCs

pid	Process
3448	Bmladm32.exe
2200	Bdeiqgkj.exe
340	Bbhildae.exe
632	Cibain32.exe
1152	Cgfbbb32.exe
3504	Calfpk32.exe
3744	Ckdkhq32.exe
4656	Cdmoafdb.exe
4272	Cgklmacf.exe
4948	Cdolgfbp.exe
752	Cildom32.exe
4376	Cpfmlghd.exe
1768	Dkkaiphj.exe
4848	Dphiaffa.exe
812	Diqnjl32.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nepmal32.dll	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Cdolgfbp.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Cpfmlghd.exe
File opened for modification	C:\Windows\SysWOW64\Bmladm32.exe	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
File created	C:\Windows\SysWOW64\Bcominjm.dll	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Daqfhf32.dll	Ckdkhq32.exe
File opened for modification	C:\Windows\SysWOW64\Cgklmacf.exe	Cdmoafdb.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Amoppdld.dll	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	Bbhildae.exe
File opened for modification	C:\Windows\SysWOW64\Cibain32.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Cdolgfbp.exe	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Lljoca32.dll	Cildom32.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Anbgamkp.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Cgklmacf.exe	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Bcidlo32.dll	Cibain32.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Calfpk32.exe
File created	C:\Windows\SysWOW64\Dooaccfg.dll	Calfpk32.exe
File created	C:\Windows\SysWOW64\Icpjna32.dll	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bmladm32.exe
File created	C:\Windows\SysWOW64\Bbhildae.exe	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Calfpk32.exe	Cgfbbb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdmoafdb.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Cpfmlghd.exe
File opened for modification	C:\Windows\SysWOW64\Cgfbbb32.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Cdmoafdb.exe	Ckdkhq32.exe
File opened for modification	C:\Windows\SysWOW64\Cdolgfbp.exe	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Cpfmlghd.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Bmladm32.exe	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
File opened for modification	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmlghd.exe	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Ckdkhq32.exe	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Cildom32.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dphiaffa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2800	812	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhildae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmoafdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgklmacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdolgfbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bmladm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll"	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll"	Cibain32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmladm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cibain32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 3448	3668	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe	89
PID 3668 wrote to memory of 3448	3668	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe	89
PID 3668 wrote to memory of 3448	3668	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe	89
PID 3448 wrote to memory of 2200	3448	Bmladm32.exe	90
PID 3448 wrote to memory of 2200	3448	Bmladm32.exe	90
PID 3448 wrote to memory of 2200	3448	Bmladm32.exe	90
PID 2200 wrote to memory of 340	2200	Bdeiqgkj.exe	91
PID 2200 wrote to memory of 340	2200	Bdeiqgkj.exe	91
PID 2200 wrote to memory of 340	2200	Bdeiqgkj.exe	91
PID 340 wrote to memory of 632	340	Bbhildae.exe	92
PID 340 wrote to memory of 632	340	Bbhildae.exe	92
PID 340 wrote to memory of 632	340	Bbhildae.exe	92
PID 632 wrote to memory of 1152	632	Cibain32.exe	93
PID 632 wrote to memory of 1152	632	Cibain32.exe	93
PID 632 wrote to memory of 1152	632	Cibain32.exe	93
PID 1152 wrote to memory of 3504	1152	Cgfbbb32.exe	94
PID 1152 wrote to memory of 3504	1152	Cgfbbb32.exe	94
PID 1152 wrote to memory of 3504	1152	Cgfbbb32.exe	94
PID 3504 wrote to memory of 3744	3504	Calfpk32.exe	95
PID 3504 wrote to memory of 3744	3504	Calfpk32.exe	95
PID 3504 wrote to memory of 3744	3504	Calfpk32.exe	95
PID 3744 wrote to memory of 4656	3744	Ckdkhq32.exe	96
PID 3744 wrote to memory of 4656	3744	Ckdkhq32.exe	96
PID 3744 wrote to memory of 4656	3744	Ckdkhq32.exe	96
PID 4656 wrote to memory of 4272	4656	Cdmoafdb.exe	97
PID 4656 wrote to memory of 4272	4656	Cdmoafdb.exe	97
PID 4656 wrote to memory of 4272	4656	Cdmoafdb.exe	97
PID 4272 wrote to memory of 4948	4272	Cgklmacf.exe	98
PID 4272 wrote to memory of 4948	4272	Cgklmacf.exe	98
PID 4272 wrote to memory of 4948	4272	Cgklmacf.exe	98
PID 4948 wrote to memory of 752	4948	Cdolgfbp.exe	99
PID 4948 wrote to memory of 752	4948	Cdolgfbp.exe	99
PID 4948 wrote to memory of 752	4948	Cdolgfbp.exe	99
PID 752 wrote to memory of 4376	752	Cildom32.exe	100
PID 752 wrote to memory of 4376	752	Cildom32.exe	100
PID 752 wrote to memory of 4376	752	Cildom32.exe	100
PID 4376 wrote to memory of 1768	4376	Cpfmlghd.exe	101
PID 4376 wrote to memory of 1768	4376	Cpfmlghd.exe	101
PID 4376 wrote to memory of 1768	4376	Cpfmlghd.exe	101
PID 1768 wrote to memory of 4848	1768	Dkkaiphj.exe	102
PID 1768 wrote to memory of 4848	1768	Dkkaiphj.exe	102
PID 1768 wrote to memory of 4848	1768	Dkkaiphj.exe	102
PID 4848 wrote to memory of 812	4848	Dphiaffa.exe	103
PID 4848 wrote to memory of 812	4848	Dphiaffa.exe	103
PID 4848 wrote to memory of 812	4848	Dphiaffa.exe	103

C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
"C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\SysWOW64\Bmladm32.exe
  C:\Windows\system32\Bmladm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\SysWOW64\Bdeiqgkj.exe
    C:\Windows\system32\Bdeiqgkj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\Bbhildae.exe
      C:\Windows\system32\Bbhildae.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 400
        17⤵
        Program crash
        
        PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 812 -ip 812
1⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1436,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:8
1⤵
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbhildae.exe

Filesize
163KB

MD5
411c7d174ad32c807f80a6e720603f10

SHA1
3da9fe4d02e390d4ec88943dc66ff3ecb1d77bc1

SHA256
48ba92cd2a58d8da2cdd8ddbd13539ae5f6fb9946114c7af1fce762615c9ba77

SHA512
368020c2b4b499f5bce359f04d9d867d62c1424e2f468cab9439536a2f23ebc3e331276839ccdf95c62ea673cc590a89dc3b0c81772ed6d4eaaac6beb6dd89e6

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
163KB

MD5
c75f19d15a3740eb8a4a788245d42c0e

SHA1
bd4d18bf65ab6717b8614dc8c4cc029ab0bfb3cc

SHA256
c6b500456298fd6e136b345c39079c816a5498c2191155183fcef0b62259e347

SHA512
59360c5c711e8a6dac28bbc8f49c771d107f7f8a48abfe619097f2a6655d6fb26f23b73b57dd188eddbac6f2a7bc709a3242f175aa7b4e0f9e67acfdd1291ac8

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
163KB

MD5
ff48e282c566195f3db6c73110c35038

SHA1
c72ef0414248c92be02c72e6ac04c1a24799ee3f

SHA256
42287f0163f46fd6c68f0891ecb2d651475364a4c61e87c0b7c4e062eb76971d

SHA512
9eb16d9dfed64847619f6cc8121a3bb057f2d9d83ac9d5c2f1aa36731150659bfa4acbdf46be381eb82a41f888f61595bf090c73dc159bd4d412102f721a2f5c

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
163KB

MD5
118d706c9e8c1857a5f105c34aa5ef9a

SHA1
483700699b576777743e32ba92bff2a16120e057

SHA256
b7aa0a76d0b2a561f4ba3601a35581945f8e877727d357762eb75fb99407d49b

SHA512
3da1805e61aaf2b602eb60b058b5ec0c24d18b849e65c4255eb52337eac84568a72b4e29404a0b2c31e5057eee906c933a438f9a9d27ad1fe0395a8bdb2a4894

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
163KB

MD5
dfae94ea89bacb309bd9e7e93ecdcbd3

SHA1
dfa14d0708c0c5ce51e5019ecf8004c6ce1ae932

SHA256
052f2038158f786c0864adaeaa68edd2050bfdab473f56d30700cf68698755f5

SHA512
076417f777b82f9b1ac5b50f19d1b83f6b59aeb55bc6001c7ceb112d785604638f158ce16b1a44a072714d9fdb43df87e87f4ece04612c7b5fd0ddea9d0d66ab

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
163KB

MD5
8cb4c92a6c2b92f18b6d8e5b79120887

SHA1
beefd0670ffe5357336964320e0ea734e967869c

SHA256
9d9e214611b0c8a514bb73d21020233ea2261526112d016b6a23d333f5534cf0

SHA512
0df9159c593767b4a5a2b75c0d60b87d67af0aed936f5b5c5eb648f5ffeee0f1d96b38ce8ff7710fdf68550190dca8396b1b0e6e6441e4e3928af7a7b4456cec

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
163KB

MD5
5dfc7f134b91b1cd054b92cf67c752c8

SHA1
9608b520fd0cc617c9f17a7f00276ef9396fe3b0

SHA256
7fa1c8359ea1baf0d7091a3544d5f1c54a38cb7408889751645eb29c530eb8dc

SHA512
90ac2d48a7f785597f4e690e2e2daf75c10807d09070ae3a8c1b72311a2825a7940f55f76e2e40903dc373e8eeecf96b4b27047674ea4a68e622ca219287dc03

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
163KB

MD5
0d209215b522a41b385e778146241e1d

SHA1
7292dd736f8caa8e7b90d3cb1502851c830df57a

SHA256
63b5e4569b079fbc0f6a14594118c14b1784448bbee8b5c76136139e9dae1024

SHA512
789b2e2ad81ceae0db855bfddb6d32dc9d0c4dfb3661d5e5313ad14f3dcb530b97fccd4a14b62bd95ddeef5cc6e81ca62ce3dce38430d85601706918d38c00b8

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
163KB

MD5
d155553922a8e58e161c567588140971

SHA1
43c12390480bbd5bce3e548b0ffad9670032a56a

SHA256
6a9923a561160a61f1fc26cbd2c6e98bc47654e8e04a83e5f49c3a6cd26c689a

SHA512
d6af6550c6747bab3ce34e98a00a1b351cd0ec3667ef5331ee2f64070f93bff3f7617af290e924313cb00ce8e58b674334f4b0c6fa50db7602b879d7f32f53be

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
163KB

MD5
211ea342329d72e9f26a6285da007d65

SHA1
3765f2cfa56d9fca79645d3c60891f4ffa000550

SHA256
7e9d32f34110cc91f02af73ad25b0319c52ffa818d8ffa9aee276684dcb48e06

SHA512
5a4e2827e587ce9049f35f548fccef8553121ad4f32d3435e5eacb171b393020fc2df557ca5f8773fa21fa8594e001cfbf2bda500c3f7a3f23af9cc9cbc35634

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
163KB

MD5
af834898890e797f1ff4b7c7ef9228c4

SHA1
85f7025250da04c18960fc9d09a9147bfcd99d4b

SHA256
46b5896689fe727abbe2a1345b8d6d78fde73e23bb61f5ad1d7a76402c60bf9b

SHA512
7b1042516905408f5d9e546db26fd245576b4e8f3927a828fd5ad1d29a3fa74e752798fce10e6e1f3726bc78a084f37e28a5674862fc0f18baa4ff19f6882830

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
163KB

MD5
17794684ac10c0cbcae0c5e63da944db

SHA1
e065efcb643105f84e5d7eebe5668cdf9d609414

SHA256
8d5757e5d541bd3bba4d1e5d6fcc1a111c369cc0abadc58855c6ca550b3c2baa

SHA512
2b4a4225a6c046bebc25259912b273191fc6a24f22b842039b0e0c4adf8e6ced485b931b9130c18572d5de3915cc4937f345690c057e817faa52aa35a223e675

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
163KB

MD5
b35bb56989d6db5d83c96aba11bb72f9

SHA1
4ed5d19ab48e4be0182967887348726e2e5252ea

SHA256
124ca1a04309df6fb0c1960e57a4b242d1782c44385d51e7cfe192e0850e6853

SHA512
d6e7a8419b6a6c8d1438ad270845ae09901db5424064f3bfeee953f1b924277a0b7715adf227fbdc4482423fd2dd14a01c05b27bb74fdafd77f1965b83729b86

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
163KB

MD5
6621689022f678701fa6963f54857ecd

SHA1
0068b010ed4ac0216ee9a7b61aa069aa53ea9898

SHA256
0d6551c17a41a7a297101ce2566b670d4f979f7220309f56d8597449fe252360

SHA512
fa7331b29948659eb053968514d0d7ad209f4cfe040840bb72a2b72ad52c4683d1bccc7d2e38ea326d36f6b915dc99eab072e52fd5446202bd65f798489546aa

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
163KB

MD5
be3ffe7671f481046dadd6be59c9c41e

SHA1
51f0e852bce5c8b56a67e24fd6a9519aeb0a0520

SHA256
393748a3b897f1c14d76f1b96274bfc64d8d7451ab36e85a49e0859a9b28c2a6

SHA512
8769bff5d13531d02ffb02618af5ebbeada5ca4a0bfb2fde09915f55627df21df6ca60c2da90a6e8c237cf242ce851c29b420f5ab33181143cfdf540e41df0d3

Download Submit
memory/340-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/340-147-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/632-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/632-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/752-130-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/752-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-124-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1152-143-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1152-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1768-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1768-127-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-149-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3448-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3448-151-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3504-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3504-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3668-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3668-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3668-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3744-139-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3744-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4272-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4272-135-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4376-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4376-131-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4656-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4656-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4848-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4848-125-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4948-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4948-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads