berbew | fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4

Analysis

max time kernel
85s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
Size

391KB
MD5

b822a88cffc541e86660d2c55bdb95e0
SHA1

42d622120b834b90ab23bd88965db210fc719828
SHA256

fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4
SHA512

83d98dcf0623f2f011dbabcee91cadf4355388b0f81a6277308abf2755393c4d94cbd5c46852619e345b049c7dc6457ba54c8e46954d29f37b1ad5cb470ad41f
SSDEEP

12288:dxeBhvA5hmsWvkBW5pvmexavWBW5pvzcvTBW5pvU:dxmJuBixNBJBB

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 14 IoCs

pid	Process
1288	Ahgofi32.exe
2880	Bhjlli32.exe
2784	Bgllgedi.exe
2680	Bjkhdacm.exe
2584	Bnfddp32.exe
2668	Boljgg32.exe
2968	Bfioia32.exe
1092	Bmbgfkje.exe
2016	Cnfqccna.exe
2060	Cfmhdpnc.exe
332	Ckmnbg32.exe
2112	Cnkjnb32.exe
2208	Cegoqlof.exe
2192	Dpapaj32.exe

Loads dropped DLL 31 IoCs

pid	Process
1984	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
1984	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
1288	Ahgofi32.exe
1288	Ahgofi32.exe
2880	Bhjlli32.exe
2880	Bhjlli32.exe
2784	Bgllgedi.exe
2784	Bgllgedi.exe
2680	Bjkhdacm.exe
2680	Bjkhdacm.exe
2584	Bnfddp32.exe
2584	Bnfddp32.exe
2668	Boljgg32.exe
2668	Boljgg32.exe
2968	Bfioia32.exe
2968	Bfioia32.exe
1092	Bmbgfkje.exe
1092	Bmbgfkje.exe
2016	Cnfqccna.exe
2016	Cnfqccna.exe
2060	Cfmhdpnc.exe
2060	Cfmhdpnc.exe
332	Ckmnbg32.exe
332	Ckmnbg32.exe
2112	Cnkjnb32.exe
2112	Cnkjnb32.exe
2208	Cegoqlof.exe
2208	Cegoqlof.exe
328	WerFault.exe
328	WerFault.exe
328	WerFault.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	Ahgofi32.exe
File opened for modification	C:\Windows\SysWOW64\Bgllgedi.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Bhjlli32.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Kfcgie32.dll	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Bgllgedi.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Jjmeignj.dll	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Ahgofi32.exe	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
328	2192	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1288	1984	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe	31
PID 1984 wrote to memory of 1288	1984	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe	31
PID 1984 wrote to memory of 1288	1984	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe	31
PID 1984 wrote to memory of 1288	1984	fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe	31
PID 1288 wrote to memory of 2880	1288	Ahgofi32.exe	32
PID 1288 wrote to memory of 2880	1288	Ahgofi32.exe	32
PID 1288 wrote to memory of 2880	1288	Ahgofi32.exe	32
PID 1288 wrote to memory of 2880	1288	Ahgofi32.exe	32
PID 2880 wrote to memory of 2784	2880	Bhjlli32.exe	33
PID 2880 wrote to memory of 2784	2880	Bhjlli32.exe	33
PID 2880 wrote to memory of 2784	2880	Bhjlli32.exe	33
PID 2880 wrote to memory of 2784	2880	Bhjlli32.exe	33
PID 2784 wrote to memory of 2680	2784	Bgllgedi.exe	34
PID 2784 wrote to memory of 2680	2784	Bgllgedi.exe	34
PID 2784 wrote to memory of 2680	2784	Bgllgedi.exe	34
PID 2784 wrote to memory of 2680	2784	Bgllgedi.exe	34
PID 2680 wrote to memory of 2584	2680	Bjkhdacm.exe	35
PID 2680 wrote to memory of 2584	2680	Bjkhdacm.exe	35
PID 2680 wrote to memory of 2584	2680	Bjkhdacm.exe	35
PID 2680 wrote to memory of 2584	2680	Bjkhdacm.exe	35
PID 2584 wrote to memory of 2668	2584	Bnfddp32.exe	36
PID 2584 wrote to memory of 2668	2584	Bnfddp32.exe	36
PID 2584 wrote to memory of 2668	2584	Bnfddp32.exe	36
PID 2584 wrote to memory of 2668	2584	Bnfddp32.exe	36
PID 2668 wrote to memory of 2968	2668	Boljgg32.exe	37
PID 2668 wrote to memory of 2968	2668	Boljgg32.exe	37
PID 2668 wrote to memory of 2968	2668	Boljgg32.exe	37
PID 2668 wrote to memory of 2968	2668	Boljgg32.exe	37
PID 2968 wrote to memory of 1092	2968	Bfioia32.exe	38
PID 2968 wrote to memory of 1092	2968	Bfioia32.exe	38
PID 2968 wrote to memory of 1092	2968	Bfioia32.exe	38
PID 2968 wrote to memory of 1092	2968	Bfioia32.exe	38
PID 1092 wrote to memory of 2016	1092	Bmbgfkje.exe	39
PID 1092 wrote to memory of 2016	1092	Bmbgfkje.exe	39
PID 1092 wrote to memory of 2016	1092	Bmbgfkje.exe	39
PID 1092 wrote to memory of 2016	1092	Bmbgfkje.exe	39
PID 2016 wrote to memory of 2060	2016	Cnfqccna.exe	40
PID 2016 wrote to memory of 2060	2016	Cnfqccna.exe	40
PID 2016 wrote to memory of 2060	2016	Cnfqccna.exe	40
PID 2016 wrote to memory of 2060	2016	Cnfqccna.exe	40
PID 2060 wrote to memory of 332	2060	Cfmhdpnc.exe	41
PID 2060 wrote to memory of 332	2060	Cfmhdpnc.exe	41
PID 2060 wrote to memory of 332	2060	Cfmhdpnc.exe	41
PID 2060 wrote to memory of 332	2060	Cfmhdpnc.exe	41
PID 332 wrote to memory of 2112	332	Ckmnbg32.exe	42
PID 332 wrote to memory of 2112	332	Ckmnbg32.exe	42
PID 332 wrote to memory of 2112	332	Ckmnbg32.exe	42
PID 332 wrote to memory of 2112	332	Ckmnbg32.exe	42
PID 2112 wrote to memory of 2208	2112	Cnkjnb32.exe	43
PID 2112 wrote to memory of 2208	2112	Cnkjnb32.exe	43
PID 2112 wrote to memory of 2208	2112	Cnkjnb32.exe	43
PID 2112 wrote to memory of 2208	2112	Cnkjnb32.exe	43
PID 2208 wrote to memory of 2192	2208	Cegoqlof.exe	44
PID 2208 wrote to memory of 2192	2208	Cegoqlof.exe	44
PID 2208 wrote to memory of 2192	2208	Cegoqlof.exe	44
PID 2208 wrote to memory of 2192	2208	Cegoqlof.exe	44
PID 2192 wrote to memory of 328	2192	Dpapaj32.exe	45
PID 2192 wrote to memory of 328	2192	Dpapaj32.exe	45
PID 2192 wrote to memory of 328	2192	Dpapaj32.exe	45
PID 2192 wrote to memory of 328	2192	Dpapaj32.exe	45

C:\Users\Admin\AppData\Local\Temp\fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe
"C:\Users\Admin\AppData\Local\Temp\fb61db4c865368209170509463aa3e99b823688eacf9ded80c904f3a9bd6c4d4N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\Ahgofi32.exe
  C:\Windows\system32\Ahgofi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\Bhjlli32.exe
    C:\Windows\system32\Bhjlli32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\Bgllgedi.exe
      C:\Windows\system32\Bgllgedi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 144
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
391KB

MD5
0a6203aec6359ffe6d5b30bce8d3d066

SHA1
68491d4caa6274353c800e430509827edb1c058f

SHA256
016abdd5ec1957f2da43fadbdb61b008eb34d33afcd73d56055726ca5d177076

SHA512
392169bd9b947f32fef36a091e3a2c39d04181ca47f4f03c4ed991fc3a4a117b162ecf86e7d7dfc25d36f45764c2f50e8e1fec36549b5a48810db0f6cc5ef612

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
391KB

MD5
ba9b293012abb1b1a239c868afc6a89b

SHA1
640d7bd74959dc7203a5dbd50681473e3d825cde

SHA256
e048b99fff747a66a2985ebae03a4d5ea6f40c79b15007bc9815d834d9c36cc5

SHA512
f3d6af0cfc13bad3c18d6597a0b1959ed62fc6757e391baa4714423687b65f77362d37384076c368a697733f1ef3b230ef46668ec6e87ffec3dc3cd5f2e8c50a

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
391KB

MD5
f521829473576e7dcb71868a79af2c82

SHA1
291100e29589b96f7a225689c681126e97ac2827

SHA256
8e231ee7d6654de270fbaefd7ec2c905473aa4d13d6c170b31fbb9cb367fa5dd

SHA512
17875b288a81dac4750be63870ef4531f2a9dbd3f5aa50772644f31ccaf88c49aad7ec4b580f33622e3bfb3873b909766c5102b89108001b29b71acd7258e4ae

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
391KB

MD5
59d1893cbe0dfc09c7f647159826b744

SHA1
86ced22fcf23bf95cb1228a53428aeac2e31e8c5

SHA256
4e018086f6fac08f1b4d6cdb3785cb96b859f46ba852a62827369f2824d31727

SHA512
76c07d0e6638002438873c4b9fa07a82d822c993d5a349a09afc823827efbeda282e283b2dbd24474e9716d526972cbe747c1a92b94e2bf7773f59f3d86c8a69

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
391KB

MD5
f943391d7502b3cb44ee4a599361ba0d

SHA1
98a9b75bec60663c70d853adf6b9e67b833b5b35

SHA256
33f487c09a94b879d40afecde4e376f1a66e229649477ad86299f54ba85a6769

SHA512
d8b9aefcf4cf8f537ff38e459791d5928d4dced91f99aef714ceb5448104380ce692b61d0523d0045380398757f3638c875e5e90d862f0e8bd40db08f1ad53ee

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
391KB

MD5
0fe20c272e0bb09cf17e0fae3d6b61c9

SHA1
49be88d82408510518f8e3be627e73fe91913ee7

SHA256
fd873c3bca0ea0acf7762237c1f5c5d2bc64b8668099b4d9d62be0b33eee0f56

SHA512
9395f3f130154e70876afe78e481cdabe936b58b5a51acbb490c3bf4d224329f234b197ad357bb223b841ff339d76d56f2eceffc1992271b7401bedd2247330f

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
391KB

MD5
4184544a0ed8119a92ea129f2c3eba22

SHA1
b83c8f5de306658c72f82cd30f379f9d0ab2ce54

SHA256
9a68049f023bf2ac74f642bae39d052838400b769243fed60987a4ec04b88b89

SHA512
003f2a7d95c4e75818249d6cdda51a9081e15c00213e21e49c1b05b700490907e51d1e0eba5599aa03c306bdb81240e4fec561e379b0118339bc4d5775455304

Download Submit
\Windows\SysWOW64\Ahgofi32.exe

Filesize
391KB

MD5
3fdae63d7008a8509c26c02247014929

SHA1
1c3aadaa5893fe00f9c027c6385eeb9d54e609fb

SHA256
fe535ef3d397fdad7db3ca5e026c31aa7fc6693cdca3418f724ba54ecd14f966

SHA512
ddee5661647916cd656f91983ce512477b9677ee08266c018dd58f6a51061447d8e35aa64fe60a8db6bce7e3edbf2af2545723230e9aacf2e4c079303041baa4

Download Submit
\Windows\SysWOW64\Bfioia32.exe

Filesize
391KB

MD5
52ad94a65adca6402d355edce2e8c1a6

SHA1
7091a6965eabb9eebe829375cbcf503cfd1aa23c

SHA256
71d4f71247a9fde05999ab373c4e0de917d90b1975962e42c2175983e54944fe

SHA512
8f171d691ed834f1a9246ea0a9386d71dbc7cf399b4c189a3a44be23b02846a1d8301be28308ece6e3b360bbb39d134ac6464ee037cb36065c349b66e995e09d

Download Submit
\Windows\SysWOW64\Bhjlli32.exe

Filesize
391KB

MD5
258b4ccbdcdc38a20eb9792b5be5fc09

SHA1
98d97c4be25c96d040b39fe01d877d1eb5c61b89

SHA256
b86500bf0d6b137849cfac255e9bb0f6ea558fcd67e3e196265d2a75e778f7b1

SHA512
41f6ae53bf4607005a1763feb0f1827b5363a6747e5195634bacfbb791a1b96bcc6b2735c90575888758fc9d398ce9b25fb680a5b76179495347b6a536e5be9a

Download Submit
\Windows\SysWOW64\Bnfddp32.exe

Filesize
391KB

MD5
73b94319b0bfc1babb0283248a7447d6

SHA1
74aa9700f5049d215668f109e3f93d20f49dd560

SHA256
c4e57020109ac6fb0e35154650ef893aebff4db2ff137b0a17eba8aa46eb8f06

SHA512
1e02a4c162313330ad6a44baac62699706da24a9c16ffc7ae21d437562ef4ce3f3428360aa299c5ffee559f1926e1f2b3094228309b744e56255a9a21a89a695

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
391KB

MD5
24dfe56df2bd7582cecacb1e97457614

SHA1
ddd5c23d5d5fc1d76b15e47b24aa3d62c4a72dee

SHA256
4ae4224522c4fd7cf06a32a5157943686481d0cccc433534433709fb118e79d1

SHA512
a9f49f1e1eb5d788ec599f061050906d5eebd47f8263b293ae76f697e87b016772cce1ffd50209921bd1cdb8adea03d8a82f952684e84d4f0a10d29bae49d520

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
391KB

MD5
8047e3a60c2ee0c67beaba5489b1b39e

SHA1
c853895f00746b9558799af92a0258d74406438b

SHA256
26b8d23522e1d950ffd5381c347c79278bba034b51071ce6c081c9ab25a3c326

SHA512
ec6a44eb38fac7e79a9cb4c5e277e9a3208fffce233229a28ddd8490ece1e07198fe3d90a65d704c8d821035583cdc76ce2feceb4bbc0eab40479bab6aa3293d

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
391KB

MD5
b34fde5f75e36e0f2a2f2cff5cfe16a0

SHA1
ee106e71bd981eb7f74b4855fdacfe2f35ceb8a2

SHA256
36ee8c1d1830b56427d4ef224bc5f9aded6c3b90371a87e7711c5e899d0942af

SHA512
30a413d5b4a8c69f3297786465144badf61313cf2c55f7c77c42bb31191c711c804ed4f4848c303ead87299cb09471581f9fe57ac932966118cd17943fd58310

Download Submit
memory/332-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/332-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-24-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1288-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-6-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/1984-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-170-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2112-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-60-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2784-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-47-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2880-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-34-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2880-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads