berbew | 1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1

Analysis

max time kernel
23s
max time network
17s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
Size

96KB
MD5

cc43d64c7d16a5d1b195fb4a20c3a5c0
SHA1

53bd2be4ce291ff0984e58718e2a2ff8d6782a70
SHA256

1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1
SHA512

ed830da1366ac3df61877e7400a05481ea2c84acf60d6155720efce5f00d9c5ffcaf111a3d6d9ea629c724d2bd40a7621b49f16b5a7fc2a71e35c8511d0dffd8
SSDEEP

1536:aCUppyhDhGKqL0U6jPaMtfGjV2LN7RZObZUUWaegPYA:ajpM/qLt6jPPOSNClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfamff.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 13 IoCs

pid	Process
2328	Blaopqpo.exe
2820	Boplllob.exe
2824	Baohhgnf.exe
112	Bmeimhdj.exe
2520	Cdoajb32.exe
1988	Cfnmfn32.exe
2232	Cmgechbh.exe
2100	Cpfaocal.exe
3004	Cgpjlnhh.exe
1752	Cinfhigl.exe
2888	Cphndc32.exe
3016	Cgbfamff.exe
1940	Ceegmj32.exe

Loads dropped DLL 30 IoCs

pid	Process
2932	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
2932	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
2328	Blaopqpo.exe
2328	Blaopqpo.exe
2820	Boplllob.exe
2820	Boplllob.exe
2824	Baohhgnf.exe
2824	Baohhgnf.exe
112	Bmeimhdj.exe
112	Bmeimhdj.exe
2520	Cdoajb32.exe
2520	Cdoajb32.exe
1988	Cfnmfn32.exe
1988	Cfnmfn32.exe
2232	Cmgechbh.exe
2232	Cmgechbh.exe
2100	Cpfaocal.exe
2100	Cpfaocal.exe
3004	Cgpjlnhh.exe
3004	Cgpjlnhh.exe
1752	Cinfhigl.exe
1752	Cinfhigl.exe
2888	Cphndc32.exe
2888	Cphndc32.exe
3016	Cgbfamff.exe
3016	Cgbfamff.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfamff.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cgbfamff.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Dojofhjd.dll	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Cgbfamff.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Lbonaf32.dll	Cphndc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1004	1940	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfamff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbonaf32.dll"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2328	2932	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe	30
PID 2932 wrote to memory of 2328	2932	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe	30
PID 2932 wrote to memory of 2328	2932	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe	30
PID 2932 wrote to memory of 2328	2932	1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe	30
PID 2328 wrote to memory of 2820	2328	Blaopqpo.exe	31
PID 2328 wrote to memory of 2820	2328	Blaopqpo.exe	31
PID 2328 wrote to memory of 2820	2328	Blaopqpo.exe	31
PID 2328 wrote to memory of 2820	2328	Blaopqpo.exe	31
PID 2820 wrote to memory of 2824	2820	Boplllob.exe	32
PID 2820 wrote to memory of 2824	2820	Boplllob.exe	32
PID 2820 wrote to memory of 2824	2820	Boplllob.exe	32
PID 2820 wrote to memory of 2824	2820	Boplllob.exe	32
PID 2824 wrote to memory of 112	2824	Baohhgnf.exe	33
PID 2824 wrote to memory of 112	2824	Baohhgnf.exe	33
PID 2824 wrote to memory of 112	2824	Baohhgnf.exe	33
PID 2824 wrote to memory of 112	2824	Baohhgnf.exe	33
PID 112 wrote to memory of 2520	112	Bmeimhdj.exe	34
PID 112 wrote to memory of 2520	112	Bmeimhdj.exe	34
PID 112 wrote to memory of 2520	112	Bmeimhdj.exe	34
PID 112 wrote to memory of 2520	112	Bmeimhdj.exe	34
PID 2520 wrote to memory of 1988	2520	Cdoajb32.exe	35
PID 2520 wrote to memory of 1988	2520	Cdoajb32.exe	35
PID 2520 wrote to memory of 1988	2520	Cdoajb32.exe	35
PID 2520 wrote to memory of 1988	2520	Cdoajb32.exe	35
PID 1988 wrote to memory of 2232	1988	Cfnmfn32.exe	36
PID 1988 wrote to memory of 2232	1988	Cfnmfn32.exe	36
PID 1988 wrote to memory of 2232	1988	Cfnmfn32.exe	36
PID 1988 wrote to memory of 2232	1988	Cfnmfn32.exe	36
PID 2232 wrote to memory of 2100	2232	Cmgechbh.exe	37
PID 2232 wrote to memory of 2100	2232	Cmgechbh.exe	37
PID 2232 wrote to memory of 2100	2232	Cmgechbh.exe	37
PID 2232 wrote to memory of 2100	2232	Cmgechbh.exe	37
PID 2100 wrote to memory of 3004	2100	Cpfaocal.exe	38
PID 2100 wrote to memory of 3004	2100	Cpfaocal.exe	38
PID 2100 wrote to memory of 3004	2100	Cpfaocal.exe	38
PID 2100 wrote to memory of 3004	2100	Cpfaocal.exe	38
PID 3004 wrote to memory of 1752	3004	Cgpjlnhh.exe	39
PID 3004 wrote to memory of 1752	3004	Cgpjlnhh.exe	39
PID 3004 wrote to memory of 1752	3004	Cgpjlnhh.exe	39
PID 3004 wrote to memory of 1752	3004	Cgpjlnhh.exe	39
PID 1752 wrote to memory of 2888	1752	Cinfhigl.exe	40
PID 1752 wrote to memory of 2888	1752	Cinfhigl.exe	40
PID 1752 wrote to memory of 2888	1752	Cinfhigl.exe	40
PID 1752 wrote to memory of 2888	1752	Cinfhigl.exe	40
PID 2888 wrote to memory of 3016	2888	Cphndc32.exe	41
PID 2888 wrote to memory of 3016	2888	Cphndc32.exe	41
PID 2888 wrote to memory of 3016	2888	Cphndc32.exe	41
PID 2888 wrote to memory of 3016	2888	Cphndc32.exe	41
PID 3016 wrote to memory of 1940	3016	Cgbfamff.exe	42
PID 3016 wrote to memory of 1940	3016	Cgbfamff.exe	42
PID 3016 wrote to memory of 1940	3016	Cgbfamff.exe	42
PID 3016 wrote to memory of 1940	3016	Cgbfamff.exe	42
PID 1940 wrote to memory of 1004	1940	Ceegmj32.exe	43
PID 1940 wrote to memory of 1004	1940	Ceegmj32.exe	43
PID 1940 wrote to memory of 1004	1940	Ceegmj32.exe	43
PID 1940 wrote to memory of 1004	1940	Ceegmj32.exe	43

C:\Users\Admin\AppData\Local\Temp\1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe
"C:\Users\Admin\AppData\Local\Temp\1747c8a0740aad50c1f4e0d64ddc92dfbdb0cf4e84c391e1e7b430f0d01e4dd1N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\Blaopqpo.exe
  C:\Windows\system32\Blaopqpo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\Boplllob.exe
    C:\Windows\system32\Boplllob.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\Baohhgnf.exe
      C:\Windows\system32\Baohhgnf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
      - C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Cgbfamff.exe
        
        C:\Windows\system32\Cgbfamff.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 140
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
96KB

MD5
759c52627c46c74636ccce4b895bea81

SHA1
2d8f6cac6961ff9127c6d71b3b3d752383871fd1

SHA256
6f981aeec05ff2139d64234b2d26a9c14e70928879dec5801ded17f327fefb6c

SHA512
7045769b83dc2a6f263ead4784e912b70d6d54f35e81ff9125e77550805ab5b0077b97d0c76f0c869c69ae716425e4f1e3702baea24cf578aa7afcaa0ae7de3b

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
96KB

MD5
d175e3ccf4fef19c85c935f9550299e4

SHA1
2a93babc29b2005ab75bb65df947a98220f13466

SHA256
eea1f6168179fbb46c4b7a22e210569ca90a64ff4aefba1118c2aff3358549dd

SHA512
73b05c510279940bbcdcad2d2eceec5947c282739df2698e4ea91e1ec076ea5d7ab29a094fa53dcb35f47d98040650c661c4b5c8541015ce150b4ee62f8aa83a

Download Submit
\Windows\SysWOW64\Baohhgnf.exe

Filesize
96KB

MD5
bf22232e5207271e7997e5e5c11e3a03

SHA1
16178ba06d509c201f14cf30bf5e5a4d29819d35

SHA256
ee317edef9c03d65225853dd204579309e1ebb9206f3d71f3550b89625debc64

SHA512
98136bd83ad7ab6cdb56cf02ea709fb2448db64f060ea5bdfa26b327d3e8f2bb02bf82b3a90148989a143b03b3ada97d54b6f93049daa89331a444d128eb9e15

Download Submit
\Windows\SysWOW64\Bmeimhdj.exe

Filesize
96KB

MD5
d2e758c08a012e713dc4de5c7ec9f0b4

SHA1
ba5bf0a80d0949e9d9235e9d041ab5c44eb02e6d

SHA256
1fec827d9365d8c919b4091988cab569652a380530a20d1ce42981441c9c37d1

SHA512
569bc4de06572a3f2ef040ebdc589cf69ce86d7bf003f9cef9d4de6192f5f62f19b6ec9e05f64b0e1affa1bda6cced1eb11a153bd975324d80b9514e7417f9c0

Download Submit
\Windows\SysWOW64\Cdoajb32.exe

Filesize
96KB

MD5
58d2ae9857489605860fc184eeb1e50f

SHA1
06cb55714b52ed4d8088e9524c30a6580ae00599

SHA256
24656cfcdec217002c0f09317c8e73be699cd358dd754ebd7874aa53e6812288

SHA512
8fc79cae786503e91c2fe398e67d27d1547b0c0010c7483d29c211203dc1f3f7f4db0f937fb592885540dfdb99466ea556828db0a12392525acca841a43d5c4f

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
96KB

MD5
e9ed8e116b86ef2638fe885899c0d24b

SHA1
eb70802ce09b81e7773c846b49942726d238ea40

SHA256
9f850a5c096ce50ecc089b231f8cd6e321fd5016fc2c0c7bfd28e977ce0abc23

SHA512
985fe074755b9473d3733d7bafd0ea55e052292ca06d1934b8e1ab5b33700f268829205813cebab66b94ed00f125ea950f419d8dce71ceb256be6ccc4066f43e

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
96KB

MD5
738a09bbe5602d364d983441c9bd1026

SHA1
009aa537c1d0602c501f263d211c81c10f39fa9f

SHA256
c62da18bf8a6593a6498a848d150a320dbc7a35e4f5f271aaf8d9aad3c456b1b

SHA512
9fbb5d132ce7b906b88f7bf63cd5f3b3007695cd5ea58bbd5558887ef28ed5a264550a1f2f2be2c2207dbf830dee8e44f9b6dcf11a70fd12f030c04be019d492

Download Submit
\Windows\SysWOW64\Cgbfamff.exe

Filesize
96KB

MD5
7aff8f1dc225e522da174790c8442148

SHA1
8e596f5bc9ee1169f67af1a28a3cc1b0dac3eaa1

SHA256
1e07236a9877ba07ed317269ebbc41f8bd3ceee66fb822c5399ff11d0c31a928

SHA512
73db0c2fc81d1f3d6bf3143f4adb62769306be2180d4efa0e3f70f402ad756871db5ffb0b292d9032d4bd8b598a5582ae701422f621a2229a67788261a9f369c

Download Submit
\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
96KB

MD5
30d16f7036c18707c58da6b3f15f1701

SHA1
b0a2d40a2a4d3288e7d5a86e246f7b5ed20a0fe0

SHA256
23a0a5014038d4d5f4e792cccf9abe58b41eb83ebcc3d59d4fe98b6cfb2a65e4

SHA512
7fbbecb71602811a8da4f6035ca5861328ea4dbe93fe42e020b339147d1f9d62a7f4706f80ee31517ee6ef0c1c6b26386403f74a57e417cbcbc93a2f4b6f5ee4

Download Submit
\Windows\SysWOW64\Cinfhigl.exe

Filesize
96KB

MD5
54ffb885beaf687b14c944ad2ad4379e

SHA1
f2ce51eb1e78aeed7209b7f27063a7d0286dd0f7

SHA256
09359ac2843ef34bae2fe2ca8037abca473439bd77af0552efa0756aad040821

SHA512
0e20da174ace93c0488348f823a42490a4864719e0e78f51e2d6a89d9cd67592f09c90c499d41e5e517f8404e203db64692b332b434ea0d5a499f269aba859c5

Download Submit
\Windows\SysWOW64\Cmgechbh.exe

Filesize
96KB

MD5
a514e204fc0a6bba480a43b0b5319869

SHA1
c9f23359b9653fca9257c8a8fd36736551243200

SHA256
4cca4953121b98502304432deca0856573d9c2a1a787e1a3bdd56197671184ad

SHA512
fd6eb061faeed3aa3b660867d4f50309d118b2ba3b8ed9f2e6150c7ff1a0bc1fef8854cb9b0a41f0836638406b1b5fb1d668e257678c35e19720f41170ecafa3

Download Submit
\Windows\SysWOW64\Cpfaocal.exe

Filesize
96KB

MD5
c998d2ee18f8bbb7b7fb8ec0e8c71607

SHA1
cc3d1d8c6ba7c7d9e64e83cccead9422fe5e7499

SHA256
687b97005267b2f9f1b37a0e4f0fd8eb00c85758e76c94a161d5497257c7095c

SHA512
9e0a833147416de13a0ec314ac4379786d24b1babd2eee089dcdd4d139608a75cab770c135a5d640a56829a452e91d51a6ea9e09fce7b68d0d094aadb23901d5

Download Submit
\Windows\SysWOW64\Cphndc32.exe

Filesize
96KB

MD5
e3bacd7528d8cbdd8d446c5ef32d5eef

SHA1
41ec05f3a8d454751d9fe2f5512a5a9f59817b18

SHA256
f25ea4c2f027dbd4e72f1c800a4fdde232aefeafcfb99d190c3f3ce294aef230

SHA512
e6efa45ae7084871440fa80b16daaa1cc43ef31d186670d88ccbe733b8f82dc519930fbf60d5809c49fdc6f54bef07088dd4446a271dd897f3be9f5b20887836

Download Submit
memory/112-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-62-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1752-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-141-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/1940-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-88-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1988-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-114-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2100-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-40-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2820-35-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2820-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-49-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2824-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-17-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2932-18-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2932-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-133-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3004-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-166-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads