berbew | e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
Size

128KB
MD5

f1f9d5de4a7b72ac7d14e4fbbce1ded8
SHA1

6087aef1bee8784e94554c92f870fe3522f7a388
SHA256

e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73
SHA512

237f5fea66f32f654fae8be57f57425975e8533a609d753dece6824df5b933fc9bd1f0d281b6159bd467a00a9f2ec37171cd452199b370e568bc82c438f075b6
SSDEEP

3072:kk+lcHUnENB5WMn4okMEveFKPD375lHzpa1P2FU6UK7q4+5DbGTO7:tDHqEb5NxkMEveYr75lHzpaF2e6UK+4w

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eibbqmhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fadmenpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbeimf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dclgbgbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eibbqmhd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emdgjpkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emdgjpkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbeimf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gohjnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcnchg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efaiobkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejhhcdjm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dclgbgbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fadmenpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaamobdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnchg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goemhfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efaiobkc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdefgimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gohjnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmdkkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejhhcdjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdefgimi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaamobdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goemhfco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmdkkm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 14 IoCs

pid	Process
2060	Dclgbgbh.exe
3020	Dmdkkm32.exe
2188	Dcnchg32.exe
2920	Efaiobkc.exe
2676	Eibbqmhd.exe
2756	Emdgjpkd.exe
2668	Ejhhcdjm.exe
2716	Fadmenpg.exe
2956	Fbeimf32.exe
2656	Fdefgimi.exe
1760	Gaamobdf.exe
2084	Goemhfco.exe
984	Gohjnf32.exe
2100	Gmmgobfd.exe

Loads dropped DLL 32 IoCs

pid	Process
3024	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
3024	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
2060	Dclgbgbh.exe
2060	Dclgbgbh.exe
3020	Dmdkkm32.exe
3020	Dmdkkm32.exe
2188	Dcnchg32.exe
2188	Dcnchg32.exe
2920	Efaiobkc.exe
2920	Efaiobkc.exe
2676	Eibbqmhd.exe
2676	Eibbqmhd.exe
2756	Emdgjpkd.exe
2756	Emdgjpkd.exe
2668	Ejhhcdjm.exe
2668	Ejhhcdjm.exe
2716	Fadmenpg.exe
2716	Fadmenpg.exe
2956	Fbeimf32.exe
2956	Fbeimf32.exe
2656	Fdefgimi.exe
2656	Fdefgimi.exe
1760	Gaamobdf.exe
1760	Gaamobdf.exe
2084	Goemhfco.exe
2084	Goemhfco.exe
984	Gohjnf32.exe
984	Gohjnf32.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fjaocifl.dll	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
File created	C:\Windows\SysWOW64\Ejhhcdjm.exe	Emdgjpkd.exe
File created	C:\Windows\SysWOW64\Jckflh32.dll	Ejhhcdjm.exe
File created	C:\Windows\SysWOW64\Fbeimf32.exe	Fadmenpg.exe
File created	C:\Windows\SysWOW64\Aeannooi.dll	Gaamobdf.exe
File opened for modification	C:\Windows\SysWOW64\Ejhhcdjm.exe	Emdgjpkd.exe
File created	C:\Windows\SysWOW64\Fadmenpg.exe	Ejhhcdjm.exe
File opened for modification	C:\Windows\SysWOW64\Goemhfco.exe	Gaamobdf.exe
File created	C:\Windows\SysWOW64\Idlfno32.dll	Gohjnf32.exe
File created	C:\Windows\SysWOW64\Lfakne32.dll	Fadmenpg.exe
File created	C:\Windows\SysWOW64\Gaamobdf.exe	Fdefgimi.exe
File opened for modification	C:\Windows\SysWOW64\Gohjnf32.exe	Goemhfco.exe
File created	C:\Windows\SysWOW64\Lehqli32.dll	Dclgbgbh.exe
File created	C:\Windows\SysWOW64\Dcnchg32.exe	Dmdkkm32.exe
File created	C:\Windows\SysWOW64\Cfnefp32.dll	Dcnchg32.exe
File created	C:\Windows\SysWOW64\Eibbqmhd.exe	Efaiobkc.exe
File opened for modification	C:\Windows\SysWOW64\Eibbqmhd.exe	Efaiobkc.exe
File opened for modification	C:\Windows\SysWOW64\Dcnchg32.exe	Dmdkkm32.exe
File opened for modification	C:\Windows\SysWOW64\Fbeimf32.exe	Fadmenpg.exe
File created	C:\Windows\SysWOW64\Pefone32.dll	Fbeimf32.exe
File created	C:\Windows\SysWOW64\Odjoeplp.dll	Fdefgimi.exe
File created	C:\Windows\SysWOW64\Gmmgobfd.exe	Gohjnf32.exe
File opened for modification	C:\Windows\SysWOW64\Dclgbgbh.exe	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
File opened for modification	C:\Windows\SysWOW64\Fadmenpg.exe	Ejhhcdjm.exe
File opened for modification	C:\Windows\SysWOW64\Fdefgimi.exe	Fbeimf32.exe
File created	C:\Windows\SysWOW64\Goemhfco.exe	Gaamobdf.exe
File created	C:\Windows\SysWOW64\Dclgbgbh.exe	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
File created	C:\Windows\SysWOW64\Jngdfa32.dll	Efaiobkc.exe
File created	C:\Windows\SysWOW64\Emdgjpkd.exe	Eibbqmhd.exe
File opened for modification	C:\Windows\SysWOW64\Emdgjpkd.exe	Eibbqmhd.exe
File created	C:\Windows\SysWOW64\Gfgfed32.dll	Eibbqmhd.exe
File opened for modification	C:\Windows\SysWOW64\Gmmgobfd.exe	Gohjnf32.exe
File created	C:\Windows\SysWOW64\Dmdkkm32.exe	Dclgbgbh.exe
File opened for modification	C:\Windows\SysWOW64\Efaiobkc.exe	Dcnchg32.exe
File created	C:\Windows\SysWOW64\Fdefgimi.exe	Fbeimf32.exe
File created	C:\Windows\SysWOW64\Gohjnf32.exe	Goemhfco.exe
File created	C:\Windows\SysWOW64\Bnipcbbg.dll	Goemhfco.exe
File opened for modification	C:\Windows\SysWOW64\Dmdkkm32.exe	Dclgbgbh.exe
File created	C:\Windows\SysWOW64\Nnpopj32.dll	Dmdkkm32.exe
File created	C:\Windows\SysWOW64\Efaiobkc.exe	Dcnchg32.exe
File created	C:\Windows\SysWOW64\Logaao32.dll	Emdgjpkd.exe
File opened for modification	C:\Windows\SysWOW64\Gaamobdf.exe	Fdefgimi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3060	2100	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejhhcdjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fadmenpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdefgimi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Goemhfco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gohjnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmdkkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efaiobkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eibbqmhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbeimf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmmgobfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaamobdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dclgbgbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnchg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emdgjpkd.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lehqli32.dll"	Dclgbgbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efaiobkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eibbqmhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejhhcdjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gohjnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fadmenpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Goemhfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gohjnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjaocifl.dll"	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dclgbgbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmdkkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnefp32.dll"	Dcnchg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfakne32.dll"	Fadmenpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbeimf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbeimf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnpopj32.dll"	Dmdkkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckflh32.dll"	Ejhhcdjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fadmenpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efaiobkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logaao32.dll"	Emdgjpkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emdgjpkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejhhcdjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmdkkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngdfa32.dll"	Efaiobkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eibbqmhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emdgjpkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefone32.dll"	Fbeimf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdefgimi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaamobdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnipcbbg.dll"	Goemhfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgfed32.dll"	Eibbqmhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odjoeplp.dll"	Fdefgimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdefgimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaamobdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlfno32.dll"	Gohjnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dclgbgbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcnchg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcnchg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeannooi.dll"	Gaamobdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Goemhfco.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2060	3024	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe	29
PID 3024 wrote to memory of 2060	3024	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe	29
PID 3024 wrote to memory of 2060	3024	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe	29
PID 3024 wrote to memory of 2060	3024	e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe	29
PID 2060 wrote to memory of 3020	2060	Dclgbgbh.exe	30
PID 2060 wrote to memory of 3020	2060	Dclgbgbh.exe	30
PID 2060 wrote to memory of 3020	2060	Dclgbgbh.exe	30
PID 2060 wrote to memory of 3020	2060	Dclgbgbh.exe	30
PID 3020 wrote to memory of 2188	3020	Dmdkkm32.exe	31
PID 3020 wrote to memory of 2188	3020	Dmdkkm32.exe	31
PID 3020 wrote to memory of 2188	3020	Dmdkkm32.exe	31
PID 3020 wrote to memory of 2188	3020	Dmdkkm32.exe	31
PID 2188 wrote to memory of 2920	2188	Dcnchg32.exe	32
PID 2188 wrote to memory of 2920	2188	Dcnchg32.exe	32
PID 2188 wrote to memory of 2920	2188	Dcnchg32.exe	32
PID 2188 wrote to memory of 2920	2188	Dcnchg32.exe	32
PID 2920 wrote to memory of 2676	2920	Efaiobkc.exe	33
PID 2920 wrote to memory of 2676	2920	Efaiobkc.exe	33
PID 2920 wrote to memory of 2676	2920	Efaiobkc.exe	33
PID 2920 wrote to memory of 2676	2920	Efaiobkc.exe	33
PID 2676 wrote to memory of 2756	2676	Eibbqmhd.exe	34
PID 2676 wrote to memory of 2756	2676	Eibbqmhd.exe	34
PID 2676 wrote to memory of 2756	2676	Eibbqmhd.exe	34
PID 2676 wrote to memory of 2756	2676	Eibbqmhd.exe	34
PID 2756 wrote to memory of 2668	2756	Emdgjpkd.exe	35
PID 2756 wrote to memory of 2668	2756	Emdgjpkd.exe	35
PID 2756 wrote to memory of 2668	2756	Emdgjpkd.exe	35
PID 2756 wrote to memory of 2668	2756	Emdgjpkd.exe	35
PID 2668 wrote to memory of 2716	2668	Ejhhcdjm.exe	36
PID 2668 wrote to memory of 2716	2668	Ejhhcdjm.exe	36
PID 2668 wrote to memory of 2716	2668	Ejhhcdjm.exe	36
PID 2668 wrote to memory of 2716	2668	Ejhhcdjm.exe	36
PID 2716 wrote to memory of 2956	2716	Fadmenpg.exe	37
PID 2716 wrote to memory of 2956	2716	Fadmenpg.exe	37
PID 2716 wrote to memory of 2956	2716	Fadmenpg.exe	37
PID 2716 wrote to memory of 2956	2716	Fadmenpg.exe	37
PID 2956 wrote to memory of 2656	2956	Fbeimf32.exe	38
PID 2956 wrote to memory of 2656	2956	Fbeimf32.exe	38
PID 2956 wrote to memory of 2656	2956	Fbeimf32.exe	38
PID 2956 wrote to memory of 2656	2956	Fbeimf32.exe	38
PID 2656 wrote to memory of 1760	2656	Fdefgimi.exe	39
PID 2656 wrote to memory of 1760	2656	Fdefgimi.exe	39
PID 2656 wrote to memory of 1760	2656	Fdefgimi.exe	39
PID 2656 wrote to memory of 1760	2656	Fdefgimi.exe	39
PID 1760 wrote to memory of 2084	1760	Gaamobdf.exe	40
PID 1760 wrote to memory of 2084	1760	Gaamobdf.exe	40
PID 1760 wrote to memory of 2084	1760	Gaamobdf.exe	40
PID 1760 wrote to memory of 2084	1760	Gaamobdf.exe	40
PID 2084 wrote to memory of 984	2084	Goemhfco.exe	41
PID 2084 wrote to memory of 984	2084	Goemhfco.exe	41
PID 2084 wrote to memory of 984	2084	Goemhfco.exe	41
PID 2084 wrote to memory of 984	2084	Goemhfco.exe	41
PID 984 wrote to memory of 2100	984	Gohjnf32.exe	42
PID 984 wrote to memory of 2100	984	Gohjnf32.exe	42
PID 984 wrote to memory of 2100	984	Gohjnf32.exe	42
PID 984 wrote to memory of 2100	984	Gohjnf32.exe	42
PID 2100 wrote to memory of 3060	2100	Gmmgobfd.exe	43
PID 2100 wrote to memory of 3060	2100	Gmmgobfd.exe	43
PID 2100 wrote to memory of 3060	2100	Gmmgobfd.exe	43
PID 2100 wrote to memory of 3060	2100	Gmmgobfd.exe	43

C:\Users\Admin\AppData\Local\Temp\e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe
"C:\Users\Admin\AppData\Local\Temp\e14d8aed017a41ad0b6ad86ea6d3751ad68d13b3817c319d07691e16457afe73.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\Dclgbgbh.exe
  C:\Windows\system32\Dclgbgbh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\Dmdkkm32.exe
    C:\Windows\system32\Dmdkkm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\Dcnchg32.exe
      C:\Windows\system32\Dcnchg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\SysWOW64\Efaiobkc.exe
        
        C:\Windows\system32\Efaiobkc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\SysWOW64\Eibbqmhd.exe
        
        C:\Windows\system32\Eibbqmhd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Emdgjpkd.exe
        
        C:\Windows\system32\Emdgjpkd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Ejhhcdjm.exe
        
        C:\Windows\system32\Ejhhcdjm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Fadmenpg.exe
        
        C:\Windows\system32\Fadmenpg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Fbeimf32.exe
        
        C:\Windows\system32\Fbeimf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Fdefgimi.exe
        
        C:\Windows\system32\Fdefgimi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Gaamobdf.exe
        
        C:\Windows\system32\Gaamobdf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Goemhfco.exe
        
        C:\Windows\system32\Goemhfco.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Gohjnf32.exe
        
        C:\Windows\system32\Gohjnf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Gmmgobfd.exe
        
        C:\Windows\system32\Gmmgobfd.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 140
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcnchg32.exe

Filesize
128KB

MD5
ccf990b96654d0740ba5c223649c2f54

SHA1
6001535e7a3483aafc43196bf0903e8ad4b686a9

SHA256
36e0816379431c1bc77991449b95c4727f0a7e1eb62a6b2d53e4387720ef16a2

SHA512
a0f95faa83cfba7d8d7278d3a3002db9228a86636537f2f3b0087d81c86f937e3cf6022bbd2e1e656b44792eb624a93294e2b69df2348b73c2a3039f9fc6ff1b

Download Submit
C:\Windows\SysWOW64\Dmdkkm32.exe

Filesize
128KB

MD5
fec0c7bdbc44cefcc984da1e73d58b9d

SHA1
66facda1392e69dcbf94e982074a2776757cf735

SHA256
80f5e6f31b3b955903250d52eaa398488f79962ba2df709289cd0f2b38b2e957

SHA512
fa2756cca99b9bb881b07aab17945f2e4baf5c066203a5899fca6d6c4381683a72c209c0d10bd7f65568ac6fff04217a2c95d94ad5b33ebcfccdae7810c0ea6c

Download Submit
C:\Windows\SysWOW64\Fbeimf32.exe

Filesize
128KB

MD5
64f11dd9703a954a38ac954a03251b51

SHA1
5f4ae4515fb93a15faf0de4b1d590c1a81f3652f

SHA256
ad7c8f5d0b93acb208c8ae67e22089e44713a8aec635b133c528a1d3d32c2e2e

SHA512
e6513a4bbc1d39ae5832e61cbb1cc17fe3789ad6a33e2f25d8725f7f83e48d3da709491868fd78fcf48e6a09554a40f2b6c269c573a15457780504fb25bf617b

Download Submit
C:\Windows\SysWOW64\Gohjnf32.exe

Filesize
128KB

MD5
6fdcb4839d6f1b33e1150d372e6eacb1

SHA1
baeeb22cc942335862c1de6eb51bf6f98ab0d763

SHA256
c41d4e74f69100e6c32be59ad938ff4ec2ed0745da9131d287aaf6bcfc0945a9

SHA512
4ab45db5102eafe5942aabc6aea9c4b8c8abf1cad9b147a4c7cd39a77ab1a712d36b79e52b9bb0098dda2436105c9776a97d834ee8416f78a27a4bcf36a818e1

Download Submit
C:\Windows\SysWOW64\Jngdfa32.dll

Filesize
7KB

MD5
42ce9e315fb54ac12ac6a5f5a5ad05ba

SHA1
5984368a6f4db1f726534e270d1a6bbc187e9b1f

SHA256
5fb1cfd0ab3288dfdc147b7a5ca812343a0714b3ced16c2a514d878484e25777

SHA512
9da3c4ebb63958838f69a3e6fb3c7d1aa552406386a20fb94f994073ff3fddbb0c6869ffdf6816d46a2351aeeeb676d79c4bfaeca20d1cd9bd321c29c449d42d

Download Submit
\Windows\SysWOW64\Dclgbgbh.exe

Filesize
128KB

MD5
225d316067c4ad65680ff72fb42bc1fa

SHA1
e1ace8a574d191ee6683ab6d1c219af1be6c9341

SHA256
ef9a95237315094945b0a480ca28e32a62b08498af95d879127354aabd0b8aa4

SHA512
f3e8bea7ee3120c02d7030280e38764178d7c5b0e9d442a1768c64cace540bb550f1a15714ec9af2850d766fabb958774c78efc7f9159a0a2c11325c2dd8876d

Download Submit
\Windows\SysWOW64\Efaiobkc.exe

Filesize
128KB

MD5
64d176b27bbac3b54a39c17fa1986406

SHA1
a9f977dbcc89fc597fceb66c1a8784c0170a1e8f

SHA256
e5e954710fd113f3ea6597f5f06afc19e22dfda47d29b008b97bb1d04344fafa

SHA512
077cb40982a7131f7059f7ec5f8f32fde3ad01c6f96e39d63823b098bee9acc7ef0d99c91f7548ab8f7d427d1da81bf78262f5cc6233d866366ea03287df4cdb

Download Submit
\Windows\SysWOW64\Eibbqmhd.exe

Filesize
128KB

MD5
a0e1e39efd51563119e4d5b97231f321

SHA1
caea9d7df660e7b8f55ad188134c57889776cb46

SHA256
6efe827e66bf011a20f77a26cd4130021fbf3cd0be39d2ca1949680bb39df282

SHA512
422173fc33f0f3edfd63368c87ca726bdcb40a3e4c262f7d545f7b3802b41b62eb705cf9c8bfc5cd65ee618107db94717f79232dbd6b8e5758ab6511515dd8cf

Download Submit
\Windows\SysWOW64\Ejhhcdjm.exe

Filesize
128KB

MD5
7b1eb90900586f652eb87ce5c704bf10

SHA1
82a3d6d9713267d1b0268e67c97901457801f06b

SHA256
eb19a3cba22fd5816af5b0dc6f4ee20575678b7eb741cbf57eabe021ffcc80f6

SHA512
8f9a90d37045b4b384e3e5436acf9d68460da697d6310ab41d72bed5cbfdbbe95205afb12fc5a0be1f4fcfb36e234976dfdfeeec39972b274e84a07302eb9118

Download Submit
\Windows\SysWOW64\Emdgjpkd.exe

Filesize
128KB

MD5
1ad70157ec786c81b9636b6f5013af64

SHA1
1c8843aac83b01b41dc113343139218559c98125

SHA256
d5091a5432edc1e00e60b672d87eb5ecf0056cd8b117bf9afc918d74c6c509ec

SHA512
14c2d9cb468a6712d2991f50081031d9717ff205243775dc8c54dc8f8457c31ee5a638362575f2ed9dd1d3cc47e4eed4ce123003e39efb22447d4286e54db169

Download Submit
\Windows\SysWOW64\Fadmenpg.exe

Filesize
128KB

MD5
df8a4329640a430c5c11b62161489836

SHA1
90991971918307cb3bf8c2bf5c24bf131bfbcab1

SHA256
563122985548546d4947d3983888d0bdce52d79eb3eb46eb1f4fb7ef39dcb99e

SHA512
9112dbf84f2f1521ec14ba4344f8ad09a8b57ad823e3ee50acc448da4012ec7e3753665dd593217452adc9b2d93eb4998c05162c1ccb202993f600e7df499b8f

Download Submit
\Windows\SysWOW64\Fdefgimi.exe

Filesize
128KB

MD5
7d5c712f126242d6601b9b11c096ecd5

SHA1
25ff36420098d124005729e8fbe6d55c1005fbb7

SHA256
f6ada092ca409159bef466ec8566e13849270ebe013518a70f7361c0d0d102c7

SHA512
fcfbf6b17a24d3ca7987d5e8e7b002ff8a7639a97edbf17e70f84f7d83689892875c5937f0a369efd10a1bd5487ac75d250a1827f06e40a6a16a5f6f33672b11

Download Submit
\Windows\SysWOW64\Gaamobdf.exe

Filesize
128KB

MD5
5693d51ddcad27b66f33d5d34de03663

SHA1
cbce50ec9d2ea2050b4827b33fee7ddc6aa37444

SHA256
9f3cd7e020a460910027cbd73a54e3568c813308239abe3a2fca678c3fd12ef8

SHA512
8b241cb6d99b5946d2b325d2c55d041c612a9dfc5ccea36efa483cec4b25710cd4e4d1cfd22a688cbadd95b958d4eab34c3b2c8c0ca791d004126bbbc1177461

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
128KB

MD5
6c1c149e8f41f748dcb1d1fe8733d969

SHA1
ff950005e3757327647ae7f8a82ae1eb9925e13f

SHA256
ce31456b01f94b8959c7bc1b0a7750de358242c16eb19ea59ec748a2d8c9eb38

SHA512
9845894504308c78d1dfa07fdd87082dd3ae23c0654b0dead9855bc82cb478674b0b572118675fa27e9119783459f76dd6d6e6aa6cbf7168c83676855ab9eb7f

Download Submit
\Windows\SysWOW64\Goemhfco.exe

Filesize
128KB

MD5
95690167b7bc3517bfb5f7f08197e987

SHA1
2a0bbcf12d9a62e5067490af746001fb2e64346e

SHA256
615e666a43e126310a11336aa3d0fc98d6154519234ecf2c6d8e6105ac9ef89a

SHA512
2efed9dc3ba16b714e187e31faf93b55806021a21563da08fff9f573693ea1b9f464997d1370b1bd0c8a8427e3c6be8dbfae2f5ca2b679d1fb65a077649282cc

Download Submit
memory/984-182-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/984-185-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/1760-158-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1760-203-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1760-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-204-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2188-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2188-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2656-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2656-144-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2656-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-106-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2668-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-107-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2668-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-198-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-67-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2716-196-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2716-108-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2920-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2920-61-0x0000000001BF0000-0x0000000001C33000-memory.dmp

Filesize
268KB

Download
memory/2920-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2956-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2956-122-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2956-134-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2956-133-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/3020-38-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-11-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/3024-12-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/3024-202-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads