berbew | c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
Size

79KB
MD5

c43e2b2e13df006c309fa9e6ae17cebd
SHA1

22b9e7ca096ca269b6d75253de97d4c08b46b1e9
SHA256

c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d
SHA512

d757a2d3528c3dfa4c3c11256907491ae25c396347938bb7b6e43d89cb2048e314633c542482d750a3d33f1a4bcc1ef30c965439056ee6f04501f0fbb36273eb
SSDEEP

768:WnKV5dMsnJq1mxs/W/DFedARXhsLfYFdzxpGZhAuvdNa2V/1H5UYXdnhgdwQU3ba:yKiAm22UxYgdKldI2vpZrI1jHJZrR

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 15 IoCs

pid	Process
4880	Cjbpaf32.exe
2968	Calhnpgn.exe
4112	Cegdnopg.exe
2804	Dopigd32.exe
232	Dhhnpjmh.exe
4952	Djgjlelk.exe
4048	Daqbip32.exe
2624	Dhkjej32.exe
2520	Dodbbdbb.exe
1692	Deokon32.exe
3424	Dfpgffpm.exe
4960	Dmjocp32.exe
2180	Deagdn32.exe
4564	Dknpmdfc.exe
4196	Dmllipeg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3824	4196	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4880	4676	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe	83
PID 4676 wrote to memory of 4880	4676	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe	83
PID 4676 wrote to memory of 4880	4676	c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe	83
PID 4880 wrote to memory of 2968	4880	Cjbpaf32.exe	84
PID 4880 wrote to memory of 2968	4880	Cjbpaf32.exe	84
PID 4880 wrote to memory of 2968	4880	Cjbpaf32.exe	84
PID 2968 wrote to memory of 4112	2968	Calhnpgn.exe	85
PID 2968 wrote to memory of 4112	2968	Calhnpgn.exe	85
PID 2968 wrote to memory of 4112	2968	Calhnpgn.exe	85
PID 4112 wrote to memory of 2804	4112	Cegdnopg.exe	86
PID 4112 wrote to memory of 2804	4112	Cegdnopg.exe	86
PID 4112 wrote to memory of 2804	4112	Cegdnopg.exe	86
PID 2804 wrote to memory of 232	2804	Dopigd32.exe	87
PID 2804 wrote to memory of 232	2804	Dopigd32.exe	87
PID 2804 wrote to memory of 232	2804	Dopigd32.exe	87
PID 232 wrote to memory of 4952	232	Dhhnpjmh.exe	88
PID 232 wrote to memory of 4952	232	Dhhnpjmh.exe	88
PID 232 wrote to memory of 4952	232	Dhhnpjmh.exe	88
PID 4952 wrote to memory of 4048	4952	Djgjlelk.exe	89
PID 4952 wrote to memory of 4048	4952	Djgjlelk.exe	89
PID 4952 wrote to memory of 4048	4952	Djgjlelk.exe	89
PID 4048 wrote to memory of 2624	4048	Daqbip32.exe	90
PID 4048 wrote to memory of 2624	4048	Daqbip32.exe	90
PID 4048 wrote to memory of 2624	4048	Daqbip32.exe	90
PID 2624 wrote to memory of 2520	2624	Dhkjej32.exe	91
PID 2624 wrote to memory of 2520	2624	Dhkjej32.exe	91
PID 2624 wrote to memory of 2520	2624	Dhkjej32.exe	91
PID 2520 wrote to memory of 1692	2520	Dodbbdbb.exe	92
PID 2520 wrote to memory of 1692	2520	Dodbbdbb.exe	92
PID 2520 wrote to memory of 1692	2520	Dodbbdbb.exe	92
PID 1692 wrote to memory of 3424	1692	Deokon32.exe	93
PID 1692 wrote to memory of 3424	1692	Deokon32.exe	93
PID 1692 wrote to memory of 3424	1692	Deokon32.exe	93
PID 3424 wrote to memory of 4960	3424	Dfpgffpm.exe	94
PID 3424 wrote to memory of 4960	3424	Dfpgffpm.exe	94
PID 3424 wrote to memory of 4960	3424	Dfpgffpm.exe	94
PID 4960 wrote to memory of 2180	4960	Dmjocp32.exe	95
PID 4960 wrote to memory of 2180	4960	Dmjocp32.exe	95
PID 4960 wrote to memory of 2180	4960	Dmjocp32.exe	95
PID 2180 wrote to memory of 4564	2180	Deagdn32.exe	96
PID 2180 wrote to memory of 4564	2180	Deagdn32.exe	96
PID 2180 wrote to memory of 4564	2180	Deagdn32.exe	96
PID 4564 wrote to memory of 4196	4564	Dknpmdfc.exe	97
PID 4564 wrote to memory of 4196	4564	Dknpmdfc.exe	97
PID 4564 wrote to memory of 4196	4564	Dknpmdfc.exe	97

C:\Users\Admin\AppData\Local\Temp\c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe
"C:\Users\Admin\AppData\Local\Temp\c287c4e84df87bb3344f0c6485ae9c94e26facce5e0b07d024ee4d4bafcde03d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\Cjbpaf32.exe
  C:\Windows\system32\Cjbpaf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\Calhnpgn.exe
    C:\Windows\system32\Calhnpgn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\Cegdnopg.exe
      C:\Windows\system32\Cegdnopg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 396
        17⤵
        Program crash
        
        PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4196 -ip 4196
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
79KB

MD5
2c0dc8f4fa70093d74b8bcbcc8befdb5

SHA1
e7b0e969b70bc559a9416d190d69aa324828c044

SHA256
af3888e61e3b98f7fa14757f954d263eadc3fdcc8d64f43eedc74679dbc5b6bf

SHA512
c49cbcda274b3ec9e46d7fc4871c0fa564d70d55a75f08e5a1e5b6ebd3b944f11c9c27f61d311b440a7803343626cef50582ad0758b91ad618757c66718fff84

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
79KB

MD5
61c16b5c2c998165156c34a8d95911ee

SHA1
cad80f136e4eacf23db048178476511fdb651c21

SHA256
0101ee36a4670d21d894f00b6065b0648cf12fb7bd6cc1789622c5f613241926

SHA512
6a469b6f0cf09aac49290867c10cae4c07828dc3a8f18a81438711223bf9cc2bd45bf0e57d47047ad4647902487d92b412eaf9d64a887ead298c82a356b07378

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
79KB

MD5
c54823894540e5e8d8927f8fe89755ac

SHA1
8e7ce0434f34cbef4fb613b8c9d9ddb43ff3b477

SHA256
43d11bc873a02d970b926743127d5549be484a2248e352a44cbddfb4c5c79ce9

SHA512
4a1c613e7db8db7d740be00c103f7a80962928463b12949c4b8cbdbe17b7809e666076e9190a31ed6732e858092da32285ca3df312db560c23688a0a940b9d53

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
79KB

MD5
9773c63317a9ff8ff28d89d71fefb606

SHA1
e2bce915088ee0ab428f5c4df8fd06de1464aab5

SHA256
b59820cf689495bf71318a6438b4880cd44f7530abad7a05bcae3371950a1fff

SHA512
c2e4ddbe245a4945f41e37fa952d9a98a4df353eb2d6fb9b1bba02f11fbc29eb8c8d6df9d7a96f8d56e904448af2a80c213c6c2d9af4c70817e4279bd8acba80

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
79KB

MD5
8083a8a2e5d8a92afbdf01b9bac8d861

SHA1
267e030cbf34c9e5fc544cda0441b36f02e53f38

SHA256
cf90df1e12f9d916061de39eecf7c3b433ea7c18fb37f15945cc665b18ada0d9

SHA512
a13f785bbb45d36dcf92004ed64af78f6cc59ac0b1683dc9e667c9a00ca7c6837569cd047dc1e2ce494f6cf6562bc6957223d7333290717f7308093458269647

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
79KB

MD5
d795521a752d54e88f982191e4b3cfc7

SHA1
f14c94bfb11f642606db95dd0d93c90bd336db7e

SHA256
dbeb71e729f0e398bc910fe49718ddaab689b34f87feaa1af02dd128e10e8111

SHA512
6ca9c4705e545b1f37f8f02886d8f059ab1fb0bd2e7a5dd7af970e60ed4de7fb947746b07b6d5073deb442d206fefffa75906b929ee95607c7f017b18c385c7c

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
79KB

MD5
1bd791b4b922e91f05914e5d7b0ee133

SHA1
8760042ddc630cd674f4dcb66dbb2e4960dfc5c4

SHA256
080005585f1ad649955759334f89455226e7d1bb9435cfb00625d251c3c088c0

SHA512
47d05315b11e02980bc5f003e775fc27337acb37f0667341130f888b160371c3c930184d25eba6d769b8fc778d742c71964c5fe0e0090e0776d79685a16d70af

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
79KB

MD5
c65625d05702ae5f239962af65e149ab

SHA1
f9e640283fa7a3372a6e4839aea0524034649b3c

SHA256
447bceff1aeb422e964a6424a6db0f2e9efb0be44a4e4f538aad6bd923408717

SHA512
0670b890d1b3ba46d6c83bf58d4a83826767c7b9e699224da8706bcb8b832e8b9204458a343f238b0efcdbb7feb30be542b64c0ce8c4871cffcc991326a2bc27

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
79KB

MD5
ea76eeaf7908f84399bef6f9f593d62d

SHA1
b1441b0b61346b3a31017b0b9807ecbf0d7366f3

SHA256
019fe6093a7c76d5a561ca8579b4da1e4661feda5855c11e033dcb002d2089b4

SHA512
56d674d0cecc68c47cab1e6e2d653317be147d6288b71ccfb0061daff600b1d587b6b31fbe2f68b67e0d466d5754b50a7a9252da2bf5b6e5057fb7910e5676f1

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
79KB

MD5
22cb96f57ca36c040f3d6e22f6a1d7da

SHA1
c6b0eeb9bec7070251a2f0e655332862c18bcd69

SHA256
f65f01f38a61bc7816c27d4ecf6c566711fee199919ad36ebc5fc5592071d07f

SHA512
e74a5f2b016201de3c264d3244900ce1ad6ab3b22dece4e1b16610035143adaa002981ec3ffd90e2f4c87ed78ba1071aa2226c658dfacfc71b334ba990f898c5

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
79KB

MD5
c671c7601c5b27a99a8cbd7dc0023b95

SHA1
df505cb528b18b60b975e260b1da43659a07e894

SHA256
b8237c15ead5e5fd2f7fc92d8318c9cc4236cd4b80e3fc868d5686f301a4df56

SHA512
c6e84f4a8e858b4bd30ba2bca1089a7e1c8205d3da00df0f2b03dc5106045e8ef44a1cc95a762f21abc4cbeb3b097292ab415517839c335e10f246a54e5e659b

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
79KB

MD5
4c9db11c0df7782e4eae533638f99592

SHA1
be0034495691cd47c0eb301c80ae8d616da3e35b

SHA256
af63a1cd42384033169c37001b617f7c1fd481018dc15b4aa676578e199e7d21

SHA512
7e63b6aeb2041428110166fb049b86eb05ff7936290bdb87078d762092325c8a4fc5726418ca61da772a04278b41c444b00ecba64773183a5061d62cf65f9285

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
79KB

MD5
7bc67fdaa2778f116d1fe3713e82af4b

SHA1
c943bf2ec64fa002f940a3d2c89326ad3aa0956f

SHA256
1cfc5bfe2cd028ad415ecbfad0c3e75fd0e6e7545a0594589f4b79eec389f9b3

SHA512
c75899c55599fa8ed3e5726b5ed92de2b1049fdf7e442578a82688f5af673438eed5628de26e5d319ac5bf0e2dde81e5d0a533cea12c3ef37f196c7230f7de48

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
79KB

MD5
23f043cab9a15642d0682f4ea5b3dd3c

SHA1
1325d3757a3c5f40d819f681cc15ea855c7b4941

SHA256
90e20e62f4137778acf54a8ea293c3ff4c1353358e311b3f1497802c9db824ca

SHA512
87b88e732f93bdc6e0b8b3dbefce0b2a5b0549f7cead6afc5a20d892286fac75eae9f918eb0df6c353f35a2b4e6ca86d2d59ad7594582c76c00a3ba7ad82f85c

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
79KB

MD5
81581514bd1b7a0ba1899456a34a2fa2

SHA1
c2b00f64af5940a0947541e1915add75fff91db9

SHA256
adbd7bd1525add9e4e2613bc82d6b3486924d2d0d84ae9db8f57a5864860b771

SHA512
895c93e6b35c5208da92e7235f3378cb3151b9d9506f997a00552152599fff614ded91a0f7c1dbbdcc0e63132a734db7e4adbb9567fc522a69ad75b3d623f215

Download Submit
memory/232-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3424-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3424-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4048-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4048-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-123-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4676-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-131-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads