berbew | 2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04/11/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
Size

96KB
MD5

63364ef8a527e2e7a3e42656ffd799fd
SHA1

0f5f7c24002fc44db8313ec724c96bd08a956e77
SHA256

2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1
SHA512

3297103dbbc2030f190b24d454985c703528d119bd6bd98051bf4ec2c47b890d737365ad0a91a3687612fcbb0a706a0bc3b9b666e0ae5273dd189113d3649c93
SSDEEP

1536:YMUvmP2qWD1/sDu2G3SY0Z0oLC2Lua7RZObZUUWaegPYA:Ylu+qWZ/sRGiYGxLPuaClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdapjglj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhaefepn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbimbpld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chhbpfhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpdpkfga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dalfdjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkekmp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcpoab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmldji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhodpidl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkffc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcpoab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbkffc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalfdjdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkoef32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkekmp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmldji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbimbpld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhaefepn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpdpkfga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhodpidl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdapjglj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbhlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbhlb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 14 IoCs

pid	Process
3000	Bmldji32.exe
2972	Bbimbpld.exe
2936	Chhbpfhi.exe
3068	Chkoef32.exe
2852	Cdapjglj.exe
2588	Cfbhlb32.exe
1184	Dhaefepn.exe
2428	Dbkffc32.exe
2516	Dalfdjdl.exe
2112	Dkekmp32.exe
1744	Dcpoab32.exe
2264	Dpdpkfga.exe
2080	Dhodpidl.exe
1404	Eceimadb.exe

Loads dropped DLL 32 IoCs

pid	Process
576	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
576	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
3000	Bmldji32.exe
3000	Bmldji32.exe
2972	Bbimbpld.exe
2972	Bbimbpld.exe
2936	Chhbpfhi.exe
2936	Chhbpfhi.exe
3068	Chkoef32.exe
3068	Chkoef32.exe
2852	Cdapjglj.exe
2852	Cdapjglj.exe
2588	Cfbhlb32.exe
2588	Cfbhlb32.exe
1184	Dhaefepn.exe
1184	Dhaefepn.exe
2428	Dbkffc32.exe
2428	Dbkffc32.exe
2516	Dalfdjdl.exe
2516	Dalfdjdl.exe
2112	Dkekmp32.exe
2112	Dkekmp32.exe
1744	Dcpoab32.exe
1744	Dcpoab32.exe
2264	Dpdpkfga.exe
2264	Dpdpkfga.exe
2080	Dhodpidl.exe
2080	Dhodpidl.exe
2436	WerFault.exe
2436	WerFault.exe
2436	WerFault.exe
2436	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dalfdjdl.exe	Dbkffc32.exe
File created	C:\Windows\SysWOW64\Kcclakie.dll	Dbkffc32.exe
File opened for modification	C:\Windows\SysWOW64\Dcpoab32.exe	Dkekmp32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkffc32.exe	Dhaefepn.exe
File created	C:\Windows\SysWOW64\Inpiogfm.dll	Dcpoab32.exe
File opened for modification	C:\Windows\SysWOW64\Dhodpidl.exe	Dpdpkfga.exe
File created	C:\Windows\SysWOW64\Eceimadb.exe	Dhodpidl.exe
File opened for modification	C:\Windows\SysWOW64\Eceimadb.exe	Dhodpidl.exe
File created	C:\Windows\SysWOW64\Adfoppcf.dll	Bmldji32.exe
File created	C:\Windows\SysWOW64\Chhbpfhi.exe	Bbimbpld.exe
File created	C:\Windows\SysWOW64\Polcapil.dll	Chkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Dkekmp32.exe	Dalfdjdl.exe
File created	C:\Windows\SysWOW64\Dhodpidl.exe	Dpdpkfga.exe
File created	C:\Windows\SysWOW64\Mpbgcj32.dll	Dpdpkfga.exe
File created	C:\Windows\SysWOW64\Bfkfbm32.dll	Dhodpidl.exe
File opened for modification	C:\Windows\SysWOW64\Bmldji32.exe	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
File opened for modification	C:\Windows\SysWOW64\Bbimbpld.exe	Bmldji32.exe
File created	C:\Windows\SysWOW64\Cfbhlb32.exe	Cdapjglj.exe
File created	C:\Windows\SysWOW64\Obchjdci.dll	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
File created	C:\Windows\SysWOW64\Jjgmammj.dll	Dalfdjdl.exe
File created	C:\Windows\SysWOW64\Dlhlca32.dll	Dkekmp32.exe
File created	C:\Windows\SysWOW64\Klheoobo.dll	Chhbpfhi.exe
File opened for modification	C:\Windows\SysWOW64\Cfbhlb32.exe	Cdapjglj.exe
File created	C:\Windows\SysWOW64\Bmldji32.exe	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
File opened for modification	C:\Windows\SysWOW64\Chhbpfhi.exe	Bbimbpld.exe
File created	C:\Windows\SysWOW64\Chkoef32.exe	Chhbpfhi.exe
File created	C:\Windows\SysWOW64\Dhaefepn.exe	Cfbhlb32.exe
File created	C:\Windows\SysWOW64\Dbkffc32.exe	Dhaefepn.exe
File created	C:\Windows\SysWOW64\Dalfdjdl.exe	Dbkffc32.exe
File created	C:\Windows\SysWOW64\Dcpoab32.exe	Dkekmp32.exe
File created	C:\Windows\SysWOW64\Dpdpkfga.exe	Dcpoab32.exe
File opened for modification	C:\Windows\SysWOW64\Chkoef32.exe	Chhbpfhi.exe
File created	C:\Windows\SysWOW64\Cdapjglj.exe	Chkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Cdapjglj.exe	Chkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Dpdpkfga.exe	Dcpoab32.exe
File created	C:\Windows\SysWOW64\Faeaddaj.dll	Dhaefepn.exe
File created	C:\Windows\SysWOW64\Dkekmp32.exe	Dalfdjdl.exe
File opened for modification	C:\Windows\SysWOW64\Dhaefepn.exe	Cfbhlb32.exe
File created	C:\Windows\SysWOW64\Gobdgmhm.dll	Cfbhlb32.exe
File created	C:\Windows\SysWOW64\Bbimbpld.exe	Bmldji32.exe
File created	C:\Windows\SysWOW64\Hnnacgdn.dll	Bbimbpld.exe
File created	C:\Windows\SysWOW64\Flnjii32.dll	Cdapjglj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2436	1404	WerFault.exe	43

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmldji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkekmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcpoab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpdpkfga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdapjglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalfdjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbimbpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eceimadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhbpfhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbhlb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhaefepn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkffc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhodpidl.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkoef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhodpidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obchjdci.dll"	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkoef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbkffc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcpoab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpdpkfga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbgcj32.dll"	Dpdpkfga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmldji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhaefepn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbkffc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dalfdjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgmammj.dll"	Dalfdjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkekmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbimbpld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdapjglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhaefepn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpiogfm.dll"	Dcpoab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcpoab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnacgdn.dll"	Bbimbpld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klheoobo.dll"	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnjii32.dll"	Cdapjglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbhlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcclakie.dll"	Dbkffc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dalfdjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmldji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbimbpld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkekmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpdpkfga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll"	Dhodpidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhlca32.dll"	Dkekmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhodpidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfoppcf.dll"	Bmldji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polcapil.dll"	Chkoef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdapjglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbhlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobdgmhm.dll"	Cfbhlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeaddaj.dll"	Dhaefepn.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 3000	576	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe	30
PID 576 wrote to memory of 3000	576	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe	30
PID 576 wrote to memory of 3000	576	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe	30
PID 576 wrote to memory of 3000	576	2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe	30
PID 3000 wrote to memory of 2972	3000	Bmldji32.exe	31
PID 3000 wrote to memory of 2972	3000	Bmldji32.exe	31
PID 3000 wrote to memory of 2972	3000	Bmldji32.exe	31
PID 3000 wrote to memory of 2972	3000	Bmldji32.exe	31
PID 2972 wrote to memory of 2936	2972	Bbimbpld.exe	32
PID 2972 wrote to memory of 2936	2972	Bbimbpld.exe	32
PID 2972 wrote to memory of 2936	2972	Bbimbpld.exe	32
PID 2972 wrote to memory of 2936	2972	Bbimbpld.exe	32
PID 2936 wrote to memory of 3068	2936	Chhbpfhi.exe	33
PID 2936 wrote to memory of 3068	2936	Chhbpfhi.exe	33
PID 2936 wrote to memory of 3068	2936	Chhbpfhi.exe	33
PID 2936 wrote to memory of 3068	2936	Chhbpfhi.exe	33
PID 3068 wrote to memory of 2852	3068	Chkoef32.exe	34
PID 3068 wrote to memory of 2852	3068	Chkoef32.exe	34
PID 3068 wrote to memory of 2852	3068	Chkoef32.exe	34
PID 3068 wrote to memory of 2852	3068	Chkoef32.exe	34
PID 2852 wrote to memory of 2588	2852	Cdapjglj.exe	35
PID 2852 wrote to memory of 2588	2852	Cdapjglj.exe	35
PID 2852 wrote to memory of 2588	2852	Cdapjglj.exe	35
PID 2852 wrote to memory of 2588	2852	Cdapjglj.exe	35
PID 2588 wrote to memory of 1184	2588	Cfbhlb32.exe	36
PID 2588 wrote to memory of 1184	2588	Cfbhlb32.exe	36
PID 2588 wrote to memory of 1184	2588	Cfbhlb32.exe	36
PID 2588 wrote to memory of 1184	2588	Cfbhlb32.exe	36
PID 1184 wrote to memory of 2428	1184	Dhaefepn.exe	37
PID 1184 wrote to memory of 2428	1184	Dhaefepn.exe	37
PID 1184 wrote to memory of 2428	1184	Dhaefepn.exe	37
PID 1184 wrote to memory of 2428	1184	Dhaefepn.exe	37
PID 2428 wrote to memory of 2516	2428	Dbkffc32.exe	38
PID 2428 wrote to memory of 2516	2428	Dbkffc32.exe	38
PID 2428 wrote to memory of 2516	2428	Dbkffc32.exe	38
PID 2428 wrote to memory of 2516	2428	Dbkffc32.exe	38
PID 2516 wrote to memory of 2112	2516	Dalfdjdl.exe	39
PID 2516 wrote to memory of 2112	2516	Dalfdjdl.exe	39
PID 2516 wrote to memory of 2112	2516	Dalfdjdl.exe	39
PID 2516 wrote to memory of 2112	2516	Dalfdjdl.exe	39
PID 2112 wrote to memory of 1744	2112	Dkekmp32.exe	40
PID 2112 wrote to memory of 1744	2112	Dkekmp32.exe	40
PID 2112 wrote to memory of 1744	2112	Dkekmp32.exe	40
PID 2112 wrote to memory of 1744	2112	Dkekmp32.exe	40
PID 1744 wrote to memory of 2264	1744	Dcpoab32.exe	41
PID 1744 wrote to memory of 2264	1744	Dcpoab32.exe	41
PID 1744 wrote to memory of 2264	1744	Dcpoab32.exe	41
PID 1744 wrote to memory of 2264	1744	Dcpoab32.exe	41
PID 2264 wrote to memory of 2080	2264	Dpdpkfga.exe	42
PID 2264 wrote to memory of 2080	2264	Dpdpkfga.exe	42
PID 2264 wrote to memory of 2080	2264	Dpdpkfga.exe	42
PID 2264 wrote to memory of 2080	2264	Dpdpkfga.exe	42
PID 2080 wrote to memory of 1404	2080	Dhodpidl.exe	43
PID 2080 wrote to memory of 1404	2080	Dhodpidl.exe	43
PID 2080 wrote to memory of 1404	2080	Dhodpidl.exe	43
PID 2080 wrote to memory of 1404	2080	Dhodpidl.exe	43
PID 1404 wrote to memory of 2436	1404	Eceimadb.exe	44
PID 1404 wrote to memory of 2436	1404	Eceimadb.exe	44
PID 1404 wrote to memory of 2436	1404	Eceimadb.exe	44
PID 1404 wrote to memory of 2436	1404	Eceimadb.exe	44

C:\Users\Admin\AppData\Local\Temp\2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe
"C:\Users\Admin\AppData\Local\Temp\2094a9ce0b869b4594908b92d15c97e48b45cddde5fb61fb9a05805a655921e1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\Bmldji32.exe
  C:\Windows\system32\Bmldji32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\Bbimbpld.exe
    C:\Windows\system32\Bbimbpld.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\Chhbpfhi.exe
      C:\Windows\system32\Chhbpfhi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\Chkoef32.exe
        
        C:\Windows\system32\Chkoef32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\Cdapjglj.exe
        
        C:\Windows\system32\Cdapjglj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Cfbhlb32.exe
        
        C:\Windows\system32\Cfbhlb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Dhaefepn.exe
        
        C:\Windows\system32\Dhaefepn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Dbkffc32.exe
        
        C:\Windows\system32\Dbkffc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Dalfdjdl.exe
        
        C:\Windows\system32\Dalfdjdl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Dkekmp32.exe
        
        C:\Windows\system32\Dkekmp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Dcpoab32.exe
        
        C:\Windows\system32\Dcpoab32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Dpdpkfga.exe
        
        C:\Windows\system32\Dpdpkfga.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Dhodpidl.exe
        
        C:\Windows\system32\Dhodpidl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Eceimadb.exe
        
        C:\Windows\system32\Eceimadb.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 140
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdapjglj.exe

Filesize
96KB

MD5
bca5605790af93106f08690653bcf81a

SHA1
7a264c8bb0c58dc750e100f6897074c36905260f

SHA256
c0aec1770a6e638ddf3bd80cc56381603ca8d8870c5a66e34ab299f977939d96

SHA512
1a62467762f03970d1deae2ee8f20ae449bd4893b30c1e0fe1eb3e7e2818e88e9597cd738f5c5a5671bb26a6cd9b01a30414f794b46b0d4293da9c07bdfb07d8

Download Submit
\Windows\SysWOW64\Bbimbpld.exe

Filesize
96KB

MD5
1ff833302eef2ff00eb99192c8c10e6c

SHA1
cbb52ad8c0d23cd67fa0975a15080deb3d50f623

SHA256
2594f457debfebb3fbb6afbc04996ae3d1ce32cac0928a445e49e18ef8c20f28

SHA512
481d28708b048978192724dc626900ec73c4f5ebcac06de92184db76f4be053b8a84c7008164d06407a6a4ea4dd64bd487fd7ba0462150cb7fff51fbabb79986

Download Submit
\Windows\SysWOW64\Bmldji32.exe

Filesize
96KB

MD5
5b37062805e62c355e291408890d6376

SHA1
57e81292d8b8d5adc1dd55908617943ec6557b72

SHA256
f609f1120671d486652f2f85b6e2c9ea70a1ef3042a358167f594d078f6621e7

SHA512
84961b6422fdd9fe57dd7d7ffd66906e18f56039c8a0e63c2f83bb21ea46846bbbd827e5ca0d100d2af92e911011dfcac31f04abb5b7d50c5b475e0b915d44db

Download Submit
\Windows\SysWOW64\Cfbhlb32.exe

Filesize
96KB

MD5
3b846212cd7d4c5010538d646f9a8561

SHA1
1aa10a212736ed7a0d285319276ed34a8732e37d

SHA256
3fea9ff6b5b9f45a9e3c57936bd9723716f3a2bb0aef52fec91f659f5dbd9de0

SHA512
45e345e40c610fb09763b090b12ba37bc2e5d94d4713af9aa88b9c31534e54f19768c225cf6866749026cde02276075a4321fc86a12eab21a2ad726e85af441e

Download Submit
\Windows\SysWOW64\Chhbpfhi.exe

Filesize
96KB

MD5
68214061f1f008be735fc8700e456ef0

SHA1
d85b4d371c87241618da0a7dd3e874f2cbb36e4d

SHA256
32807cfea014705ec6846c20ce77fcf9ef7ec75f0b82d6ffb9fef6715180d350

SHA512
8864ca079131d9a41cf38d6fc0ea75c8e4c40a7de798128a34762e1c8b7c4aecca9cd3885ef51a234b67657d76e360913020c5d420d35cf36cb1de294385b2ca

Download Submit
\Windows\SysWOW64\Chkoef32.exe

Filesize
96KB

MD5
a740054cb757fb16fce265f83965cec3

SHA1
ca9bd692d5a04179fc8b6e0aaaa7745ef22c8fab

SHA256
4d1f7f841bae35b42c79b4ecd9278d8e4fc31f35878e7dfa8cb08a57411d9230

SHA512
6a2d9312fc561dcb33a57c0970b118fea1cb4988ac9898656fd5d82558a55a3b45783984e84e6ddc7adea9c49eb74d0ae7e5fa607cdbfce36d33d7d969cbb1fb

Download Submit
\Windows\SysWOW64\Dalfdjdl.exe

Filesize
96KB

MD5
63ba14de62b5ef7e330b99a92abf1eac

SHA1
42f9dfbd1b2105893e85fcb170ae62ae8d673eec

SHA256
d14d383982822c41ba9a0f2af5051ec9c1a920ba8600bc5d07748f7325d6c80f

SHA512
1d4bfbc6a9dc532f0d68e40ed774211c709260ce24c737774612f6b5eaf8bb56363d508c3c0ccfb8dcdb970a598eb36adcdf7fd157ea27e450235a97691636b9

Download Submit
\Windows\SysWOW64\Dbkffc32.exe

Filesize
96KB

MD5
8e19c9bb2a14ed4285dfed66fc156dff

SHA1
d243c2bc28b437509c24d8f699247a5ff74690ef

SHA256
2de37f760ce6136c8b824cb6f55a70ffbeef21ee4ba768873649f8caa72f480f

SHA512
563e445a8c78e38aa99ff7921e60850485f2f92ba7358a103ab5bdd20ce946d7a5a764925de4402e867502159d75d03eed05c0cc2b69a271b7d916f9d212799d

Download Submit
\Windows\SysWOW64\Dcpoab32.exe

Filesize
96KB

MD5
e090597799e79c25991badd255bd9fbb

SHA1
33546ced0440a56805575acc079b819fcdd2c50b

SHA256
a752f1286e5f764b1e43873f2b5c84ff9fd1fbfd9bfab7451258aaf11650ab2d

SHA512
14f54d10976f28712364c0e4b683a638dd6a685339a876f9cd1fc943c182d4af4fea55bd7f7dd619cc3f1227d787622823b9f2a6ba8bc97c8d06afd3debb61ae

Download Submit
\Windows\SysWOW64\Dhaefepn.exe

Filesize
96KB

MD5
b8f8197256a57f987b2b93bb3ce5e906

SHA1
0b5fb90593a9fccf69d0c07c0375669c0e244987

SHA256
74dab66644a0030bbd9639dbb000258c12157b5ebc76d6bc5bd4eacaadc977c6

SHA512
9ba82d0a5e62084313eb8e88421561d6c0f7aecf0c969e5cb6a40c5e71b3364eaf4909b47f88caedd1450b1032056fd7770049201a3e8a5e5789c2899c5496e6

Download Submit
\Windows\SysWOW64\Dhodpidl.exe

Filesize
96KB

MD5
6e5468b25c7d2cbff9a9ac06265353f5

SHA1
5781e48e57da15f38601ff5c4bf81369f6c4c4eb

SHA256
42c154616173d96caf9232fcf67733677a7eff86bda5e6791781a1a9e60294c7

SHA512
02569b54e5ff24e0edb2f9810f56bfc3c9373a66bf0904e340dfbcc8e21cff662bcfbff7e9a5757a6848e122e7023ea7354fda49b876cd0d4a52b40788c48577

Download Submit
\Windows\SysWOW64\Dkekmp32.exe

Filesize
96KB

MD5
2384b65b9fb7310eb179b5730e9589e3

SHA1
e9596691b99d923ddd4c4d6c88b04ddf96708cbe

SHA256
2f79102ca98f3367a42606d338435f468bdbeaf63e032d86400dc800aa44a8c1

SHA512
65b01581ce5193dce6ed60e6b9c8964e1bb8f3fe0ee14bb3b1b519b258792cc560e539d3f903a35e901c9ff6fa7a97d5fa86baf99881d033ed253c976b0858b7

Download Submit
\Windows\SysWOW64\Dpdpkfga.exe

Filesize
96KB

MD5
a1572994ffa94dd3694cfdbcea05eb93

SHA1
891b9d6f9997025c3920afa8d8b63178b78d9952

SHA256
6d43f0ef62d89745782990571eadb20fe3280ee57c0f5682f5b838fb1dc4594c

SHA512
53a8245518d52ccc8a0b6df6baafd800c2ff0e80e14e5d2d86c58d12a93f729e9b02ade3037d74229e5087b30e2191c3fc19aad32220e4776254a3c3a926a2ab

Download Submit
\Windows\SysWOW64\Eceimadb.exe

Filesize
96KB

MD5
50c483f1248bad92fd129e781adf092f

SHA1
b33173135895d443c1f01774f6dd66b0cc55141f

SHA256
8b3682ce261ea4eb13f93b3331553543c17a784b0667cdead274b93c6ad4d00e

SHA512
76a2c3e05eaeba68eae5ecd1d229fdcfa534a36fc2344f778221d1cd1c29f7e1e95cb881df053670df3332df42c05b3afa0ecbbdf00a203e7a12b590a3751fe6

Download Submit
memory/576-12-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/576-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-13-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/576-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-102-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1184-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-154-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1744-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-180-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2080-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-172-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2428-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-128-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2516-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-76-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2852-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-53-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2936-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-34-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2972-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads