berbew | 958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7

Analysis

max time kernel
75s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
Size

64KB
MD5

7d2947d1cf4c14eadf298e1468819ec0
SHA1

9dd7bf2ad7126b22db2fc965128171efa619f279
SHA256

958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7
SHA512

1a85a4547036bc9ed03449a819d4bc4e5b36ab47a751ecf1095683710a4d11f3c4991090c2bbed52075b8c990c26921df243385f7750f4c3d82a0ff2c67b7ee7
SSDEEP

1536:xDjSgY2lxtJkRDelV4AUXruCHcpzt/Idn:x3fvFkZefbpFwn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 14 IoCs

pid	Process
2132	Cfmhdpnc.exe
1760	Cgoelh32.exe
2776	Cnimiblo.exe
3000	Cinafkkd.exe
2564	Cjonncab.exe
2552	Cbffoabe.exe
2592	Cchbgi32.exe
916	Cjakccop.exe
2052	Cmpgpond.exe
640	Cegoqlof.exe
1188	Cgfkmgnj.exe
380	Dnpciaef.exe
2144	Danpemej.exe
1948	Dpapaj32.exe

Loads dropped DLL 31 IoCs

pid	Process
1916	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
1916	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
2132	Cfmhdpnc.exe
2132	Cfmhdpnc.exe
1760	Cgoelh32.exe
1760	Cgoelh32.exe
2776	Cnimiblo.exe
2776	Cnimiblo.exe
3000	Cinafkkd.exe
3000	Cinafkkd.exe
2564	Cjonncab.exe
2564	Cjonncab.exe
2552	Cbffoabe.exe
2552	Cbffoabe.exe
2592	Cchbgi32.exe
2592	Cchbgi32.exe
916	Cjakccop.exe
916	Cjakccop.exe
2052	Cmpgpond.exe
2052	Cmpgpond.exe
640	Cegoqlof.exe
640	Cegoqlof.exe
1188	Cgfkmgnj.exe
1188	Cgfkmgnj.exe
380	Dnpciaef.exe
380	Dnpciaef.exe
2144	Danpemej.exe
2144	Danpemej.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cjonncab.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process
2184	1948	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2132	1916	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe	31
PID 1916 wrote to memory of 2132	1916	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe	31
PID 1916 wrote to memory of 2132	1916	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe	31
PID 1916 wrote to memory of 2132	1916	958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe	31
PID 2132 wrote to memory of 1760	2132	Cfmhdpnc.exe	32
PID 2132 wrote to memory of 1760	2132	Cfmhdpnc.exe	32
PID 2132 wrote to memory of 1760	2132	Cfmhdpnc.exe	32
PID 2132 wrote to memory of 1760	2132	Cfmhdpnc.exe	32
PID 1760 wrote to memory of 2776	1760	Cgoelh32.exe	33
PID 1760 wrote to memory of 2776	1760	Cgoelh32.exe	33
PID 1760 wrote to memory of 2776	1760	Cgoelh32.exe	33
PID 1760 wrote to memory of 2776	1760	Cgoelh32.exe	33
PID 2776 wrote to memory of 3000	2776	Cnimiblo.exe	34
PID 2776 wrote to memory of 3000	2776	Cnimiblo.exe	34
PID 2776 wrote to memory of 3000	2776	Cnimiblo.exe	34
PID 2776 wrote to memory of 3000	2776	Cnimiblo.exe	34
PID 3000 wrote to memory of 2564	3000	Cinafkkd.exe	35
PID 3000 wrote to memory of 2564	3000	Cinafkkd.exe	35
PID 3000 wrote to memory of 2564	3000	Cinafkkd.exe	35
PID 3000 wrote to memory of 2564	3000	Cinafkkd.exe	35
PID 2564 wrote to memory of 2552	2564	Cjonncab.exe	36
PID 2564 wrote to memory of 2552	2564	Cjonncab.exe	36
PID 2564 wrote to memory of 2552	2564	Cjonncab.exe	36
PID 2564 wrote to memory of 2552	2564	Cjonncab.exe	36
PID 2552 wrote to memory of 2592	2552	Cbffoabe.exe	37
PID 2552 wrote to memory of 2592	2552	Cbffoabe.exe	37
PID 2552 wrote to memory of 2592	2552	Cbffoabe.exe	37
PID 2552 wrote to memory of 2592	2552	Cbffoabe.exe	37
PID 2592 wrote to memory of 916	2592	Cchbgi32.exe	38
PID 2592 wrote to memory of 916	2592	Cchbgi32.exe	38
PID 2592 wrote to memory of 916	2592	Cchbgi32.exe	38
PID 2592 wrote to memory of 916	2592	Cchbgi32.exe	38
PID 916 wrote to memory of 2052	916	Cjakccop.exe	39
PID 916 wrote to memory of 2052	916	Cjakccop.exe	39
PID 916 wrote to memory of 2052	916	Cjakccop.exe	39
PID 916 wrote to memory of 2052	916	Cjakccop.exe	39
PID 2052 wrote to memory of 640	2052	Cmpgpond.exe	40
PID 2052 wrote to memory of 640	2052	Cmpgpond.exe	40
PID 2052 wrote to memory of 640	2052	Cmpgpond.exe	40
PID 2052 wrote to memory of 640	2052	Cmpgpond.exe	40
PID 640 wrote to memory of 1188	640	Cegoqlof.exe	41
PID 640 wrote to memory of 1188	640	Cegoqlof.exe	41
PID 640 wrote to memory of 1188	640	Cegoqlof.exe	41
PID 640 wrote to memory of 1188	640	Cegoqlof.exe	41
PID 1188 wrote to memory of 380	1188	Cgfkmgnj.exe	42
PID 1188 wrote to memory of 380	1188	Cgfkmgnj.exe	42
PID 1188 wrote to memory of 380	1188	Cgfkmgnj.exe	42
PID 1188 wrote to memory of 380	1188	Cgfkmgnj.exe	42
PID 380 wrote to memory of 2144	380	Dnpciaef.exe	43
PID 380 wrote to memory of 2144	380	Dnpciaef.exe	43
PID 380 wrote to memory of 2144	380	Dnpciaef.exe	43
PID 380 wrote to memory of 2144	380	Dnpciaef.exe	43
PID 2144 wrote to memory of 1948	2144	Danpemej.exe	44
PID 2144 wrote to memory of 1948	2144	Danpemej.exe	44
PID 2144 wrote to memory of 1948	2144	Danpemej.exe	44
PID 2144 wrote to memory of 1948	2144	Danpemej.exe	44
PID 1948 wrote to memory of 2184	1948	Dpapaj32.exe	45
PID 1948 wrote to memory of 2184	1948	Dpapaj32.exe	45
PID 1948 wrote to memory of 2184	1948	Dpapaj32.exe	45
PID 1948 wrote to memory of 2184	1948	Dpapaj32.exe	45

C:\Users\Admin\AppData\Local\Temp\958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe
"C:\Users\Admin\AppData\Local\Temp\958c4d790fc09b81601af9e14d3c54f9fcdca7a2208a19a9f5fa37437b743ed7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\Cfmhdpnc.exe
  C:\Windows\system32\Cfmhdpnc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\Cgoelh32.exe
    C:\Windows\system32\Cgoelh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\Cnimiblo.exe
      C:\Windows\system32\Cnimiblo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 144
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
64KB

MD5
69c6cad16a6cd557ace8e2252cc8412c

SHA1
5d76cd425e006e491a6d1991ea70a36f5267a85a

SHA256
111f82778f49da5a82e82b332212b02f8370386f3b3c9d74c01903ff57f46ae1

SHA512
0dadeb15d4a0b864408e0bbae033fff8024cb4fcc745af9c0d3ac1ca7714a1a274edb58fe43c0f300b24ff017d9e7334d5060618f44261582b108ad67ef4f44f

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
64KB

MD5
c233e4bd64053c1d388dcb0bcaf35f23

SHA1
b08da7f50137e10af0514d627c72bd802aaee7e7

SHA256
5bc87a4b236e6ae83dc006f03eb9432b956e3f757cfe76b8d5ff19ebe58c554d

SHA512
81353bc3fd6b121bef67830b227fac1bc67e2d246cd37e00c66e7fdfea2e01109664fc2799afe62cda6b4cbc11aff06a4be9b864deb948b40c1c15986c49aef7

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
64KB

MD5
c270ee582b0565a4df6c38df1db37d67

SHA1
fc073b2125de543e4bde64cd84c6bf0d6650a7e5

SHA256
19575eff866e74aa1861e04156687814c8c97aaedd97b74bb373e7703f828459

SHA512
40d623b6dcd46406332390535b2ff5f45cc10a4719531b1c88de6aad9d7a955a099febe9d7475bd3c80fa2f87e138475051357edd1c4501d72a77a17d9c639c2

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
64KB

MD5
8e392badda98adb12891ea8cc4e68813

SHA1
d2771f42a0dbb349457f8067437b23bcb2209603

SHA256
c867d51e267dc7a44fae02275350f574d1a883617d00382e19f7bb178d79a2c7

SHA512
45614f45a5525c9307f83abde97a5d982d86504ecb96566c9b4c49ba1eb0170c66c4bfa81209f9f5ce9a737820af8280e1edae82b6536c3ef1fe2f03d1eaadcb

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
64KB

MD5
95da73b1a3191785d19b1549df6d58f0

SHA1
53299b432dff6ddee9c4fa3d555f1663263e4c0a

SHA256
c170622f71d00d3efe1c959db9b5a3a3d18e9f547c860cd8c01ebed73acdf44b

SHA512
8af9d36c4e01d1d15c0f9d65f76f210ee02d53b8eedcc14ab559a08f71882b9b090a683c118828370af9aa92cf7adc0c4636415fb53eb05c8d4999fc14dd492a

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
64KB

MD5
7624086374472db7908f4c8be91afaa1

SHA1
68caf55a0f99ab3c28359bd5b7dfc301fcbefc5f

SHA256
cb4a52fae669f8c9e7c234fea4f974fd704f5cf3fb346279c78ec8cb6ab61667

SHA512
bf8eb9c90e31f3e73066559017863623d5a11e06dc064358d5c1fe1b6ee12c5f5e5ac5cb44803df702509385eb000cbaee4aca1f13750db8d27a0c8eaae262e1

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
64KB

MD5
8b932768169ccf7ae53512707c4f50a5

SHA1
d79f20649ff227ea202310fa2edf408ec320bbf4

SHA256
cc5b80e3c0c11936ef162d2dffdaff0e922b3887cd54daf2b58a476e695b0c3f

SHA512
c6e3cb2e18a91cd95bde2676da550c71675cfbae648b3f0488138ddce37b2dea09047ae15eeb952a6cef0bf3a9d8e70222fc63b9d01eed77734134605a46d834

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
c9891884671c27bbc65cc31cedb5fb1d

SHA1
983fcccc7db16494476d6d577cf6f6c4eec02c14

SHA256
bd1186400a6977e851d97130093098e1ccb9acb26e221dff114f4b62f4952846

SHA512
30feee943742b1059db6c10805c55219f5efb7c1a8cdb4b1a601668ad7765f760d7d0369d05254ed1cc20a634db95232322f479d9a6fd0bd567daf3b303e1640

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
64KB

MD5
77e3e7fe7a94e9aebfb4c47411798aed

SHA1
432e062d330b03361d0c6a0c993cfd1a55244ce8

SHA256
264139149acc1ba55501d57bc01df20dd7c9f0dc9d205cd8dddbc542b8ad0221

SHA512
5154c7aa544d307381defb3ea1c6613c454c920ca379a6e33ac73031cf0f7d9ec752bb22aa1835705e74240bf5a8b819eb96df90da4a36e519d3e72409199826

Download Submit
\Windows\SysWOW64\Cchbgi32.exe

Filesize
64KB

MD5
55aa94093d23e8a69a2d9a46212143ef

SHA1
5a283b486beba285527314bc413a007da5a3a6a1

SHA256
714fb3f8bb814178a4ca379950edff9fa94ab4593521c136481975d1b52a8bc3

SHA512
96f5df28ade694a36f4490325e83cbad22d50a0af8cb3849018e0f392c9206d2991b957b32d17334ae590228dc2f9d47672bf9f0f7cd3a047a0ead1a3a6355a7

Download Submit
\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
64KB

MD5
087d8d719a55476b6437d48c5cfebc15

SHA1
24173f00671c13f4f31d17dce363c621f3347fa9

SHA256
9f00324c609c8cce53d356c87212f72ebf8f53565f21c799daa86d4427a70970

SHA512
fa46bb252e9c3c8cede0cf06e5378fe430e40160ad123661f65c31438c7df05c073da718463b8461e00ff19f42deed270cf056eb8b239959a3502675f857f4cf

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
64KB

MD5
905fcab8673f9c34d7b3b9224f3cbc47

SHA1
d22d0096b4de96e7fda56a890669def76b0ae650

SHA256
04d5392dd7c5f0e9617ca571ee52fb313fff417481ed7788a088f87d1760abc3

SHA512
3e899d6b84853a89639ff77538dbb1a5ae3414a3300ddf53a93aa836aad85fac5250965cae5251f11d23e3d40922827f0533d9191b90109c3ea54fff69a274e1

Download Submit
\Windows\SysWOW64\Cjakccop.exe

Filesize
64KB

MD5
1e3fb673a04dfdd6092ca8da02166542

SHA1
33966224e83b83ee36b2ef6a33ef54d97b80f549

SHA256
d4f867ed60fc735000d273686689a072bd2371d1442ff67031521af7d7bf1f8a

SHA512
296fa0d514ee16ae2f7f795fec2a64a0c0fd9e4d9207d9cd656ba6261503279b5e45d0ce1eac2d6e2b915e50a161030c000040447fd6cc49e0071ec7b550394d

Download Submit
\Windows\SysWOW64\Danpemej.exe

Filesize
64KB

MD5
cf41c4f11cde43b094650407796bac0d

SHA1
24fc5bbd091aa7499b173120de4c8fd8011f23a8

SHA256
149c730091aa6dc2aca8927bbb32ec3e9c4ecb87d85cbe67c5a692db002663bd

SHA512
bac76450b01cccc236c7bc6e2026990d1ac16ecb33b4457db92d90a9859503896cbfab32ec1e0e703a3489bb09e1309224fec21c4a86845e20856bafdb9a655d

Download Submit
memory/380-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/380-184-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/640-161-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/640-155-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/640-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-124-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1188-170-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1188-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-12-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1916-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-13-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1916-69-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1916-4-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-139-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2132-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-198-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2144-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-99-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2552-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-146-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2564-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-85-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2564-138-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2564-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-79-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2592-115-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2592-108-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2592-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-113-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2776-53-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2776-48-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2776-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads