berbew | 2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415a

Analysis

max time kernel
73s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
Size

87KB
MD5

86aa70a0273670251460a5615ea5c860
SHA1

714f286fa2c226109ecbc4625c582f3a21648286
SHA256

2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415a
SHA512

ce151da473097a0ec3427614a4a46dc13424da0cd1c9bda98a84c4779376c24c5d4a5e3b021bf0eebbda141ebff127a9f663fc818ef2b6e3a545ee68a549f363
SSDEEP

1536:U4FHzSeE2J3hHnUBy3lR3fl9fmtekGQ3OL8JjPMWi/HuaGxkRQ4ZRSRBDNrR0RVb:RFHlE031nUkTP+tekGGPMW2HuaGxkeA/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kimlqfeq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbqgolpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimlqfeq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mioeeifi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjdcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfjfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnlaomae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjdcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfceom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndiomdde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnlaomae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laogfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mioeeifi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncgollm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfceom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laogfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndiomdde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbqgolpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lncgollm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 14 IoCs

pid	Process
1228	Kfjfik32.exe
2172	Kbqgolpf.exe
2096	Kimlqfeq.exe
2940	Lnlaomae.exe
2764	Llpaha32.exe
2368	Laogfg32.exe
2328	Lncgollm.exe
264	Mioeeifi.exe
1624	Mfceom32.exe
2864	Nkjdcp32.exe
2508	Npiiafpa.exe
1076	Ncjbba32.exe
1424	Ndiomdde.exe
2608	Opblgehg.exe

Loads dropped DLL 32 IoCs

pid	Process
2132	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
2132	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
1228	Kfjfik32.exe
1228	Kfjfik32.exe
2172	Kbqgolpf.exe
2172	Kbqgolpf.exe
2096	Kimlqfeq.exe
2096	Kimlqfeq.exe
2940	Lnlaomae.exe
2940	Lnlaomae.exe
2764	Llpaha32.exe
2764	Llpaha32.exe
2368	Laogfg32.exe
2368	Laogfg32.exe
2328	Lncgollm.exe
2328	Lncgollm.exe
264	Mioeeifi.exe
264	Mioeeifi.exe
1624	Mfceom32.exe
1624	Mfceom32.exe
2864	Nkjdcp32.exe
2864	Nkjdcp32.exe
2508	Npiiafpa.exe
2508	Npiiafpa.exe
1076	Ncjbba32.exe
1076	Ncjbba32.exe
1424	Ndiomdde.exe
1424	Ndiomdde.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Llpaha32.exe	Lnlaomae.exe
File created	C:\Windows\SysWOW64\Ieaikf32.dll	Mioeeifi.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ndiomdde.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Ndiomdde.exe
File created	C:\Windows\SysWOW64\Kbqgolpf.exe	Kfjfik32.exe
File created	C:\Windows\SysWOW64\Jjamcall.dll	Kfjfik32.exe
File created	C:\Windows\SysWOW64\Kpqfpd32.dll	Lncgollm.exe
File created	C:\Windows\SysWOW64\Koqdolib.dll	Mfceom32.exe
File opened for modification	C:\Windows\SysWOW64\Npiiafpa.exe	Nkjdcp32.exe
File created	C:\Windows\SysWOW64\Qlcbff32.dll	Nkjdcp32.exe
File created	C:\Windows\SysWOW64\Lnlaomae.exe	Kimlqfeq.exe
File created	C:\Windows\SysWOW64\Lncgollm.exe	Laogfg32.exe
File created	C:\Windows\SysWOW64\Mioeeifi.exe	Lncgollm.exe
File created	C:\Windows\SysWOW64\Mfceom32.exe	Mioeeifi.exe
File opened for modification	C:\Windows\SysWOW64\Ndiomdde.exe	Ncjbba32.exe
File opened for modification	C:\Windows\SysWOW64\Kfjfik32.exe	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
File opened for modification	C:\Windows\SysWOW64\Lnlaomae.exe	Kimlqfeq.exe
File created	C:\Windows\SysWOW64\Dlmfob32.dll	Lnlaomae.exe
File created	C:\Windows\SysWOW64\Kemqig32.dll	Laogfg32.exe
File created	C:\Windows\SysWOW64\Nkjdcp32.exe	Mfceom32.exe
File opened for modification	C:\Windows\SysWOW64\Kbqgolpf.exe	Kfjfik32.exe
File opened for modification	C:\Windows\SysWOW64\Kimlqfeq.exe	Kbqgolpf.exe
File created	C:\Windows\SysWOW64\Ijcbdhqk.dll	Kbqgolpf.exe
File created	C:\Windows\SysWOW64\Lmieogma.dll	Kimlqfeq.exe
File created	C:\Windows\SysWOW64\Npiiafpa.exe	Nkjdcp32.exe
File created	C:\Windows\SysWOW64\Kfjfik32.exe	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
File created	C:\Windows\SysWOW64\Njlacdcc.dll	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
File opened for modification	C:\Windows\SysWOW64\Laogfg32.exe	Llpaha32.exe
File created	C:\Windows\SysWOW64\Kjaglbok.dll	Llpaha32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjdcp32.exe	Mfceom32.exe
File created	C:\Windows\SysWOW64\Kimlqfeq.exe	Kbqgolpf.exe
File opened for modification	C:\Windows\SysWOW64\Lncgollm.exe	Laogfg32.exe
File created	C:\Windows\SysWOW64\Ihggkhle.dll	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Ndiomdde.exe	Ncjbba32.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ndiomdde.exe
File created	C:\Windows\SysWOW64\Hqnpad32.dll	Ncjbba32.exe
File created	C:\Windows\SysWOW64\Llpaha32.exe	Lnlaomae.exe
File created	C:\Windows\SysWOW64\Laogfg32.exe	Llpaha32.exe
File opened for modification	C:\Windows\SysWOW64\Mioeeifi.exe	Lncgollm.exe
File opened for modification	C:\Windows\SysWOW64\Mfceom32.exe	Mioeeifi.exe
File created	C:\Windows\SysWOW64\Ncjbba32.exe	Npiiafpa.exe
File opened for modification	C:\Windows\SysWOW64\Ncjbba32.exe	Npiiafpa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
900	2608	WerFault.exe	43

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjdcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfjfik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lncgollm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbqgolpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfceom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjbba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnlaomae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laogfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mioeeifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npiiafpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndiomdde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimlqfeq.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmieogma.dll"	Kimlqfeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmfob32.dll"	Lnlaomae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mioeeifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koqdolib.dll"	Mfceom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjdcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfjfik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kimlqfeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihggkhle.dll"	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqnpad32.dll"	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbqgolpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbqgolpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnlaomae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mfceom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laogfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laogfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lncgollm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqfpd32.dll"	Lncgollm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndiomdde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlacdcc.dll"	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Ndiomdde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcbdhqk.dll"	Kbqgolpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnlaomae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lncgollm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndiomdde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kimlqfeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kemqig32.dll"	Laogfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaikf32.dll"	Mioeeifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mioeeifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlcbff32.dll"	Nkjdcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfjfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjamcall.dll"	Kfjfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjaglbok.dll"	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mfceom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjdcp32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1228	2132	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe	30
PID 2132 wrote to memory of 1228	2132	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe	30
PID 2132 wrote to memory of 1228	2132	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe	30
PID 2132 wrote to memory of 1228	2132	2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe	30
PID 1228 wrote to memory of 2172	1228	Kfjfik32.exe	31
PID 1228 wrote to memory of 2172	1228	Kfjfik32.exe	31
PID 1228 wrote to memory of 2172	1228	Kfjfik32.exe	31
PID 1228 wrote to memory of 2172	1228	Kfjfik32.exe	31
PID 2172 wrote to memory of 2096	2172	Kbqgolpf.exe	32
PID 2172 wrote to memory of 2096	2172	Kbqgolpf.exe	32
PID 2172 wrote to memory of 2096	2172	Kbqgolpf.exe	32
PID 2172 wrote to memory of 2096	2172	Kbqgolpf.exe	32
PID 2096 wrote to memory of 2940	2096	Kimlqfeq.exe	33
PID 2096 wrote to memory of 2940	2096	Kimlqfeq.exe	33
PID 2096 wrote to memory of 2940	2096	Kimlqfeq.exe	33
PID 2096 wrote to memory of 2940	2096	Kimlqfeq.exe	33
PID 2940 wrote to memory of 2764	2940	Lnlaomae.exe	34
PID 2940 wrote to memory of 2764	2940	Lnlaomae.exe	34
PID 2940 wrote to memory of 2764	2940	Lnlaomae.exe	34
PID 2940 wrote to memory of 2764	2940	Lnlaomae.exe	34
PID 2764 wrote to memory of 2368	2764	Llpaha32.exe	35
PID 2764 wrote to memory of 2368	2764	Llpaha32.exe	35
PID 2764 wrote to memory of 2368	2764	Llpaha32.exe	35
PID 2764 wrote to memory of 2368	2764	Llpaha32.exe	35
PID 2368 wrote to memory of 2328	2368	Laogfg32.exe	36
PID 2368 wrote to memory of 2328	2368	Laogfg32.exe	36
PID 2368 wrote to memory of 2328	2368	Laogfg32.exe	36
PID 2368 wrote to memory of 2328	2368	Laogfg32.exe	36
PID 2328 wrote to memory of 264	2328	Lncgollm.exe	37
PID 2328 wrote to memory of 264	2328	Lncgollm.exe	37
PID 2328 wrote to memory of 264	2328	Lncgollm.exe	37
PID 2328 wrote to memory of 264	2328	Lncgollm.exe	37
PID 264 wrote to memory of 1624	264	Mioeeifi.exe	38
PID 264 wrote to memory of 1624	264	Mioeeifi.exe	38
PID 264 wrote to memory of 1624	264	Mioeeifi.exe	38
PID 264 wrote to memory of 1624	264	Mioeeifi.exe	38
PID 1624 wrote to memory of 2864	1624	Mfceom32.exe	39
PID 1624 wrote to memory of 2864	1624	Mfceom32.exe	39
PID 1624 wrote to memory of 2864	1624	Mfceom32.exe	39
PID 1624 wrote to memory of 2864	1624	Mfceom32.exe	39
PID 2864 wrote to memory of 2508	2864	Nkjdcp32.exe	40
PID 2864 wrote to memory of 2508	2864	Nkjdcp32.exe	40
PID 2864 wrote to memory of 2508	2864	Nkjdcp32.exe	40
PID 2864 wrote to memory of 2508	2864	Nkjdcp32.exe	40
PID 2508 wrote to memory of 1076	2508	Npiiafpa.exe	41
PID 2508 wrote to memory of 1076	2508	Npiiafpa.exe	41
PID 2508 wrote to memory of 1076	2508	Npiiafpa.exe	41
PID 2508 wrote to memory of 1076	2508	Npiiafpa.exe	41
PID 1076 wrote to memory of 1424	1076	Ncjbba32.exe	42
PID 1076 wrote to memory of 1424	1076	Ncjbba32.exe	42
PID 1076 wrote to memory of 1424	1076	Ncjbba32.exe	42
PID 1076 wrote to memory of 1424	1076	Ncjbba32.exe	42
PID 1424 wrote to memory of 2608	1424	Ndiomdde.exe	43
PID 1424 wrote to memory of 2608	1424	Ndiomdde.exe	43
PID 1424 wrote to memory of 2608	1424	Ndiomdde.exe	43
PID 1424 wrote to memory of 2608	1424	Ndiomdde.exe	43
PID 2608 wrote to memory of 900	2608	Opblgehg.exe	44
PID 2608 wrote to memory of 900	2608	Opblgehg.exe	44
PID 2608 wrote to memory of 900	2608	Opblgehg.exe	44
PID 2608 wrote to memory of 900	2608	Opblgehg.exe	44

C:\Users\Admin\AppData\Local\Temp\2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe
"C:\Users\Admin\AppData\Local\Temp\2e5f50394ff2c00522866acc3a5663a2b0e1978b8f2c40745b954e5b3653415aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\Kfjfik32.exe
  C:\Windows\system32\Kfjfik32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\Kbqgolpf.exe
    C:\Windows\system32\Kbqgolpf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\Kimlqfeq.exe
      C:\Windows\system32\Kimlqfeq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\Lnlaomae.exe
        
        C:\Windows\system32\Lnlaomae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\Llpaha32.exe
        
        C:\Windows\system32\Llpaha32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Laogfg32.exe
        
        C:\Windows\system32\Laogfg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Lncgollm.exe
        
        C:\Windows\system32\Lncgollm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Mioeeifi.exe
        
        C:\Windows\system32\Mioeeifi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Mfceom32.exe
        
        C:\Windows\system32\Mfceom32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Nkjdcp32.exe
        
        C:\Windows\system32\Nkjdcp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Npiiafpa.exe
        
        C:\Windows\system32\Npiiafpa.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Ncjbba32.exe
        
        C:\Windows\system32\Ncjbba32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Ndiomdde.exe
        
        C:\Windows\system32\Ndiomdde.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 140
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dlmfob32.dll

Filesize
7KB

MD5
0f7266c25b7ee1da1e8dbba36d66e500

SHA1
e29a88d9a8667dfab0714a02178914361ea66d1c

SHA256
c73ef0b32ebb2dfe599c0b679943ccc45e48e04cb03437834b3063f8b384a71b

SHA512
ba0af023e81b6b3f17ca89b2fc589ac2b1b736cdc32471d552a68b52b2d89f4016389f0ac2a5d556f2c7ae4cb7b8416a3b26a87e1e44ef8d8b2931553040c0fb

Download Submit
C:\Windows\SysWOW64\Kbqgolpf.exe

Filesize
87KB

MD5
c13a5b8bb70634ec57fe3a772630b284

SHA1
7f605619a36e8fc1a870d20b27b1b2b74394ba4d

SHA256
0e0e87877c6767087c041519deaa3ed305fe8297fa61a963a59ace6121e47c2a

SHA512
bdf33618b6235bb624c326ea4d1374f2b8bbcd48b69ffb98764355d7c9cbbc8eec43b4d7a9990fcc6e116a121f11cfbf4635ee4396d6c8f77370133886e0616c

Download Submit
C:\Windows\SysWOW64\Lncgollm.exe

Filesize
87KB

MD5
356f8bd52cd21e748502f272a32dff81

SHA1
1db818eb855e78f3e9fdfdd80aa012199b7329e2

SHA256
798e5f8436bf6b07492e2c339da46111d7488232c4b67ee5c50b02f4464f24e6

SHA512
422e27ef7db1ac439afc9f6562d47831dd0bf63b5e6b342b8fbe0c86d0699784a3a1d32688269b46ead4ad9ab00bad108a257e91c18ef15c9a292cc3e879c14e

Download Submit
C:\Windows\SysWOW64\Ndiomdde.exe

Filesize
87KB

MD5
d397c9b5c179ab17efcfc85631894aa9

SHA1
bd46a9404a3d6f004e0c6717a71708db92f534de

SHA256
f74be7a928f939474b0de4ca5558bfd1e7aecf27744306903e686e9a7044d5af

SHA512
9f255dd3b3b4e5522a4785b8d66838cfd6930e449b8bc6cf493fb40575eda58edafe378ee5398833b7716f523f22a6c180bf47e3d0479b773f23be13c6cd87dc

Download Submit
\Windows\SysWOW64\Kfjfik32.exe

Filesize
87KB

MD5
095b7ada1ab317df7cfbb8ac90814d17

SHA1
bced41c5e2fcd0b5c359ce153d4a8de57708e333

SHA256
0ca4fe8e4a66533278b05a85c88cd79aa06ce568e4e828bd55e26647f1140eec

SHA512
d868cd44c23b3ff10b90995a934763f99bee844d08e4f0aa0401e3af9443a3e7b6b5fdcfbb16637b65f4fff1bf8b4e4f14e330ea2f6379037e05c8ebc04d6cbd

Download Submit
\Windows\SysWOW64\Kimlqfeq.exe

Filesize
87KB

MD5
1f13f6d2b7f025f3e3596a75c4333057

SHA1
41eb0a190205ec083c1c3389e5a193602abe5282

SHA256
0356c0c18e54d2064af335417a1b3cf6bab04f5a19ea791c45c5f81fd9b7b29e

SHA512
252d54557e1219e25187bedab6b3896b81462f81097f9ee2224dc196e79815aec76a1741c676f98019343c9c614ba47661b91b74318db06c31df6e97a353208f

Download Submit
\Windows\SysWOW64\Laogfg32.exe

Filesize
87KB

MD5
f046791f110db97e9bf5df51fcb7cdef

SHA1
23cfbe85e7c1251f0ee0855e38bed9359da1c4b0

SHA256
2919abde30c8c564f465b0d31c3c402794dbf805a90ab1d5abd0df8ccf0deba3

SHA512
02bb511bab2c2877d1ac30a41598f907e14fc9dbbf3b4d671ceab452f0a00960c2ff653a703313f396af669725e4fcb404a3f747a5ff5f23392800fb07fa7f08

Download Submit
\Windows\SysWOW64\Llpaha32.exe

Filesize
87KB

MD5
08893fef6c548b9b13df4c331d78e2e9

SHA1
c363d426c746a6b206ba60eeed8e98d7ce8a057f

SHA256
3f4dbe395dc5a3dce771bcfb9690fbce4d9869197c3f20c0a8c562bc99e05db9

SHA512
57efc84fd82561e4df643cfbc577dd538ca53c5a94fee96d3e465df6e3d05bfec493402a39ad7baeec0fed08a6092be3096597e9968a5cad6b80be38583f00ff

Download Submit
\Windows\SysWOW64\Lnlaomae.exe

Filesize
87KB

MD5
07ea5b0803b921595c32b77f08f04102

SHA1
2637d426931ee0f243bf4b7f85b26a2e12a894fc

SHA256
68898597eae0257126280cb2f1fd4b5416d704844b0e04ab064fe4a573d8677b

SHA512
2664e8a7d83ce5e99504e8696c53dcc6bb0608f67259c9d6530764bc6176a429e460bbef668204d3234d6840bf8b2e2649dbc744aef4362e7130cab77aabaf89

Download Submit
\Windows\SysWOW64\Mfceom32.exe

Filesize
87KB

MD5
5944053f374dd12118330101fa7958d9

SHA1
dc3fd6b81025e1534d7ebd7026cdc7f1881b657d

SHA256
faa4ad04cb4eb3db0dd4703783f5d883e4d63a8ad388bdd83e3a8d8e77ca6d0f

SHA512
c22c3867f8775f19ec3e9306dbc7ddc237d874099f43943dbb8c93d6611a40428a9f6de62157634158c4b1534ca761ac8fa83e01c8916ef3eaad63f49ee2c0d2

Download Submit
\Windows\SysWOW64\Mioeeifi.exe

Filesize
87KB

MD5
d1fec6ba006f86f994724b9536a3d274

SHA1
f4ab44237b2b28f4c8b8a4fdb01548822b3866b9

SHA256
96242f4289246cf23f31b6287de560169e3304abab8a6eb994bcadfd63b121a2

SHA512
4105c12b1930f2c6e7b970183c76a6965c04e897ecb21e94b0696d9a8295cf795d90884ddfdf93d29f235f9251027ded55167332e32c32a35e8c1cb68e381b68

Download Submit
\Windows\SysWOW64\Ncjbba32.exe

Filesize
87KB

MD5
6d70d552c5f919b1a0552955e488c5af

SHA1
2880723eb891687d071a0ac35aa545b134fdbed4

SHA256
1bc33ec1e1481abf4b32c168ab2c597e411770004c39d7c148f897f47849b802

SHA512
508f23f6d31b3375b088e7505864069f72f6a7c1c258605304a0e22dffc8c4d53cb576cef10ca2bd1bd16b8f74b0807bd1928246311195430c76b345c8b73af4

Download Submit
\Windows\SysWOW64\Nkjdcp32.exe

Filesize
87KB

MD5
432308c50d766464eb220d48ea3927c9

SHA1
b92c255951b0b45b379697786a40280096eae415

SHA256
0c63088f4ac255202e353008d2c853b124095f41b687f12f18aef7c919e42a87

SHA512
d72c0136c24a60488e86046cc9a3594154a60f2d6d15d1015bdd2cd2cd15ead173924cc4bd342a4e42b5ba8248187b45b624b18173fa0850d3b81a273c9129a1

Download Submit
\Windows\SysWOW64\Npiiafpa.exe

Filesize
87KB

MD5
7626f11dd1a894677bc4f0f844e50f38

SHA1
527332ea7cf8ce297182ec328518a726ee0c595e

SHA256
d45337927aa2206c484d704545518bcebba63073ddbff8c629a15af05dfc938e

SHA512
567a95285615aa4b1d7450a3c2799528c8afa3eddc69c761a07b87ddc4b124fac1708574669f06c9197f1f539ea07e5e952982089245788d15c643d1bb01900d

Download Submit
\Windows\SysWOW64\Opblgehg.exe

Filesize
87KB

MD5
9acd1982116914eb011326f59e46031d

SHA1
da0f3ccf1561c8b15756ceeed3c4809af4303160

SHA256
a409dc844876e17b2923ae23acbdc94755afd032e5946d596929ccdc399bcf8a

SHA512
960e573d03d465966b445fc6b6174a38235b922d1b2dfb9170d1198f38f49b6a2cf3ab64fbeab2dbddeae7041aa2ad4e30d04c7181d860e9504cbfd2be2bdac3

Download Submit
memory/264-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/264-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-190-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1076-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-189-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1228-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1424-207-0x00000000001C0000-0x0000000000200000-memory.dmp

Filesize
256KB

Download
memory/1424-201-0x00000000001C0000-0x0000000000200000-memory.dmp

Filesize
256KB

Download
memory/1424-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1424-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-199-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/1624-192-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/1624-141-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/1624-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-48-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2096-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-12-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2132-62-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2132-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-84-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2172-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-39-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2172-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-166-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2328-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-114-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2328-106-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2328-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2368-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2368-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-167-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2508-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-82-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2864-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-153-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2864-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2940-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads