berbew | a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
Size

80KB
MD5

514fded9c5c781f7792837809c376a48
SHA1

81ec387efe1f4be842dc95637d781a878600c5bb
SHA256

a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b
SHA512

7c4ffc83c42578c02ad26c469df9c625961e324a40996b61f83c232a0ce3ae0f5eda613839cd395d296e8ea77a82b96e3daa50f5ac9310d32b2c0d16ed6084c4
SSDEEP

768:8AmayoHun9MGBJmGqY8LYIJNLWPSCtcZw7EAJHKoUgoc72p/1H5BXdnhgYZZTump:d5IYpvbJUPSocSRJfUe2LtCYrum8SPGC

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 13 IoCs

pid	Process
2320	Abmgjo32.exe
2036	Bhjlli32.exe
2324	Bnfddp32.exe
2880	Bjmeiq32.exe
2468	Bfdenafn.exe
3024	Bgcbhd32.exe
2628	Bfioia32.exe
2124	Ccmpce32.exe
672	Cocphf32.exe
1908	Cgoelh32.exe
1884	Cnkjnb32.exe
2992	Cmpgpond.exe
2212	Dpapaj32.exe

Loads dropped DLL 29 IoCs

pid	Process
3032	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
3032	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
2320	Abmgjo32.exe
2320	Abmgjo32.exe
2036	Bhjlli32.exe
2036	Bhjlli32.exe
2324	Bnfddp32.exe
2324	Bnfddp32.exe
2880	Bjmeiq32.exe
2880	Bjmeiq32.exe
2468	Bfdenafn.exe
2468	Bfdenafn.exe
3024	Bgcbhd32.exe
3024	Bgcbhd32.exe
2628	Bfioia32.exe
2628	Bfioia32.exe
2124	Ccmpce32.exe
2124	Ccmpce32.exe
672	Cocphf32.exe
672	Cocphf32.exe
1908	Cgoelh32.exe
1908	Cgoelh32.exe
1884	Cnkjnb32.exe
1884	Cnkjnb32.exe
2992	Cmpgpond.exe
2992	Cmpgpond.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe

Drops file in System32 directory 41 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
File opened for modification	C:\Windows\SysWOW64\Bhjlli32.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bhjlli32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bfioia32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2296	2212	WerFault.exe	43

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abmgjo32.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2320	3032	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe	30
PID 3032 wrote to memory of 2320	3032	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe	30
PID 3032 wrote to memory of 2320	3032	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe	30
PID 3032 wrote to memory of 2320	3032	a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe	30
PID 2320 wrote to memory of 2036	2320	Abmgjo32.exe	31
PID 2320 wrote to memory of 2036	2320	Abmgjo32.exe	31
PID 2320 wrote to memory of 2036	2320	Abmgjo32.exe	31
PID 2320 wrote to memory of 2036	2320	Abmgjo32.exe	31
PID 2036 wrote to memory of 2324	2036	Bhjlli32.exe	32
PID 2036 wrote to memory of 2324	2036	Bhjlli32.exe	32
PID 2036 wrote to memory of 2324	2036	Bhjlli32.exe	32
PID 2036 wrote to memory of 2324	2036	Bhjlli32.exe	32
PID 2324 wrote to memory of 2880	2324	Bnfddp32.exe	34
PID 2324 wrote to memory of 2880	2324	Bnfddp32.exe	34
PID 2324 wrote to memory of 2880	2324	Bnfddp32.exe	34
PID 2324 wrote to memory of 2880	2324	Bnfddp32.exe	34
PID 2880 wrote to memory of 2468	2880	Bjmeiq32.exe	35
PID 2880 wrote to memory of 2468	2880	Bjmeiq32.exe	35
PID 2880 wrote to memory of 2468	2880	Bjmeiq32.exe	35
PID 2880 wrote to memory of 2468	2880	Bjmeiq32.exe	35
PID 2468 wrote to memory of 3024	2468	Bfdenafn.exe	36
PID 2468 wrote to memory of 3024	2468	Bfdenafn.exe	36
PID 2468 wrote to memory of 3024	2468	Bfdenafn.exe	36
PID 2468 wrote to memory of 3024	2468	Bfdenafn.exe	36
PID 3024 wrote to memory of 2628	3024	Bgcbhd32.exe	37
PID 3024 wrote to memory of 2628	3024	Bgcbhd32.exe	37
PID 3024 wrote to memory of 2628	3024	Bgcbhd32.exe	37
PID 3024 wrote to memory of 2628	3024	Bgcbhd32.exe	37
PID 2628 wrote to memory of 2124	2628	Bfioia32.exe	38
PID 2628 wrote to memory of 2124	2628	Bfioia32.exe	38
PID 2628 wrote to memory of 2124	2628	Bfioia32.exe	38
PID 2628 wrote to memory of 2124	2628	Bfioia32.exe	38
PID 2124 wrote to memory of 672	2124	Ccmpce32.exe	39
PID 2124 wrote to memory of 672	2124	Ccmpce32.exe	39
PID 2124 wrote to memory of 672	2124	Ccmpce32.exe	39
PID 2124 wrote to memory of 672	2124	Ccmpce32.exe	39
PID 672 wrote to memory of 1908	672	Cocphf32.exe	40
PID 672 wrote to memory of 1908	672	Cocphf32.exe	40
PID 672 wrote to memory of 1908	672	Cocphf32.exe	40
PID 672 wrote to memory of 1908	672	Cocphf32.exe	40
PID 1908 wrote to memory of 1884	1908	Cgoelh32.exe	41
PID 1908 wrote to memory of 1884	1908	Cgoelh32.exe	41
PID 1908 wrote to memory of 1884	1908	Cgoelh32.exe	41
PID 1908 wrote to memory of 1884	1908	Cgoelh32.exe	41
PID 1884 wrote to memory of 2992	1884	Cnkjnb32.exe	42
PID 1884 wrote to memory of 2992	1884	Cnkjnb32.exe	42
PID 1884 wrote to memory of 2992	1884	Cnkjnb32.exe	42
PID 1884 wrote to memory of 2992	1884	Cnkjnb32.exe	42
PID 2992 wrote to memory of 2212	2992	Cmpgpond.exe	43
PID 2992 wrote to memory of 2212	2992	Cmpgpond.exe	43
PID 2992 wrote to memory of 2212	2992	Cmpgpond.exe	43
PID 2992 wrote to memory of 2212	2992	Cmpgpond.exe	43
PID 2212 wrote to memory of 2296	2212	Dpapaj32.exe	44
PID 2212 wrote to memory of 2296	2212	Dpapaj32.exe	44
PID 2212 wrote to memory of 2296	2212	Dpapaj32.exe	44
PID 2212 wrote to memory of 2296	2212	Dpapaj32.exe	44

C:\Users\Admin\AppData\Local\Temp\a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe
"C:\Users\Admin\AppData\Local\Temp\a18c0b333838cb8d55b02ebee2d88068ce22afcf7d06340fd0e6b55f58c1dc5b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\Abmgjo32.exe
  C:\Windows\system32\Abmgjo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\Bhjlli32.exe
    C:\Windows\system32\Bhjlli32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\Bnfddp32.exe
      C:\Windows\system32\Bnfddp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 144
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Abmgjo32.exe

Filesize
80KB

MD5
0900b513ef4f6eb875a41ab0dde44465

SHA1
52e6dbd04171e960142bf1ea7fb56e10a7c79678

SHA256
abc56e80a985628b89ef7ec4a2af18a3d417ae4c690f03916863a1b057987029

SHA512
2497d5a2ed1fc0aafbd3d9b1aa7e2a5110bad0d70ddbe4eed5080a511d5e4fc9145ee40e81eecac3054c9e1167e50f8c9bc9f8d5bad353586d4261d423459f00

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
80KB

MD5
324fe7796d78cc47df18703cce181c9f

SHA1
b53ca289d12add4c6bbd118be39fd0f80b6ad77a

SHA256
e75c39c8aebd4aaf1a985b0de197712ad6c0587ad0a18bc79cf837a6daac3421

SHA512
ca1f1dd41cf35fb30a3f0cba40338c4c29b9c8b9eb95cbab37bb678d84639ffc4390c4d7a187fe3a4901b39bdf2899feedd9bbb80fde6b561a7ffd3ab987a1bd

Download Submit
\Windows\SysWOW64\Bfioia32.exe

Filesize
80KB

MD5
803babd90c2bfde6945c46b8b37df442

SHA1
7c305a3cea502b8068382db4652418964bbb8755

SHA256
b469aec016c09198d32458fa85f3781f9fbbf640abcb731c9d23c2f0cb419dfa

SHA512
33a4b2dcea6cb8b918b5e8353a53b26e95ad8f19f5e7fdddd765ba8bdd6eb60e5e4d3b064a4effd79b878a17764ffa63ad80773740a4c1707187ba44bb3d6220

Download Submit
\Windows\SysWOW64\Bgcbhd32.exe

Filesize
80KB

MD5
55aa47bed581231d2c86183cb85afe60

SHA1
4b839f70b456deaa12e90c39fd05ba249d28e44a

SHA256
db75fd5495f1088cc823153d4510066b2efa7c55552dfcc22e03c02a50492b49

SHA512
9310a20d323508fe852c9b031d1671b59abb4facf74729d05ea5921469b116cd4c5d05fdba48dcc4f4671a85e47cd22437aee1f6f6cf6f20529d2eb23203c18b

Download Submit
\Windows\SysWOW64\Bhjlli32.exe

Filesize
80KB

MD5
1298d9e332ea997617266d7251ae3fa4

SHA1
f97cfd3164926e89c9c1676504b1c6e5ff48bee6

SHA256
4c3f69142ed9a50c68e6569bb5cd143a4ac15db06073f1b1d8a5afc45e556920

SHA512
9a4cb63bca03a22dcedd6483dd616bbb69058cb199c890aba0b4df2e5521ec5044207de666e5c58f621fff3bd0379951769cc95863bfafe8d25ba8f61ede2bb8

Download Submit
\Windows\SysWOW64\Bjmeiq32.exe

Filesize
80KB

MD5
5d21d470e40c793f6717d7a58fc4b385

SHA1
9760f1d19b36ca85d5def0568f474b6c7f4adcff

SHA256
4d383ca8a1f3d38b27eadd435b1f853a05b41ec8f549cd35584f0725b3574b93

SHA512
a4f78a73eb77522c3cd60ea2b0fff08aec38d3e40a4cfa5dd33880a8315a5efbc45a30bf890c3bb301445b5d937c18e6a60f3c9590236170f14a8840844c2c4e

Download Submit
\Windows\SysWOW64\Bnfddp32.exe

Filesize
80KB

MD5
745f1a3739756ffddbf91e8f7740b885

SHA1
cb5c7f04c184c243827006507188b64e0b067c32

SHA256
4c1b03ed63e2258785520b1bddade1a0bcba7f9379a04c81cba849d0880f4d76

SHA512
ee4e406494037ed374178808950237395e9caacb3eb5bb470536961b56037b0f89ee145736e238b120fd833618b6bc84df7dc840c672ae4698d53051afedbd5e

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
80KB

MD5
bdb1648c42c981e6d651da0e2879fbc1

SHA1
84d31cc3918c5e16acd754c8a42d7e50c52eb5d1

SHA256
f388369600bf2ce048d0caa1560436523aafbeceb9ff384bf15904b34714abca

SHA512
8eaa02e32a8d6496b5023de967293e3397dfcbf0f47d6a000f995a76902e8b9058bb8dc6da6909979016ca4a7998861d5a2caddca61aabec656438686d8d9a59

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
80KB

MD5
85eaa191182fb449ec2b33263867e2b7

SHA1
1e2dbf29c540febd37af65d644942ce3b600dd0f

SHA256
9ff4049bac8373eb73312ff02d3623e2b23cabea69ff447dd8d3fb60ecf8cc52

SHA512
0d1f63c11bbae26db5af570291a7d5e9e66eb58d9b7980a3579d301112289f204899edaa6ad1c0dc602e26647d4942a0e95d00db69bc02bd168d237215cdf46e

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
80KB

MD5
77623d62a4dd0c43bfd38c9caf7a7a81

SHA1
20bc63c0ac30aa5bf48a268bc163cee0a0ecbf2f

SHA256
18fda52d49efb5ad1d89ed1cd1a2fac53b3ab38df87c1b97d48aabcc1c45d089

SHA512
829f75ed4da99ca8e2829a3f38ac3efdd80f4dbe41499538967709c9d11765c7a6916abbfd51e0feb1c267d0fb8c51f2e9570bcbdae66819c388675c5e8440da

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
80KB

MD5
f1395a209ee1f69a813a966ea1c72c32

SHA1
c268cc1f16ef7683c6eaa970722fd9fb650855c5

SHA256
d81eead325e029566c0c37333827e79631bd9ad19bf9aca061d0f44cc1010368

SHA512
b8cb02e4393dfc3f831b4874da0959c16e67ebbf095589b288aae679d7e48bb2c72588ed3d62a367201867ebe1c2905c4dbc5768f8420abd87a8177cbf7f3070

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
80KB

MD5
bf5387df2a9c55359a768977a2a78060

SHA1
ea8847a1352c727616da4fca763a4fac01f46bcd

SHA256
319021e4424301c3a3a7745a54bae265027c0da840e85192560c7cd76b5e4c91

SHA512
a40e913729528ae88855d770fb8711031a7eda72fc5a745ee9ec6cf69710d855793f7fd2e50e37c0661c37371ec1f4f284d941907b2436c52d424deb6868fe24

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
80KB

MD5
aad822115e9f497192f89ca4b0468185

SHA1
d200a2925fca96519d3a7314f157796dd1746e05

SHA256
d6eb4e7d9d0031bf4a0d521a5407efb9baca6d7a0e82038eb51b03f60f86bf7c

SHA512
5bd53b1e710a00c5d8ec0319bba110eff25807633a1a70fede36036e267bc425fb2858ee7faff7f5e2700e0f894b6607bc8f546cb7a94092ab2637c32fbacd6c

Download Submit
memory/672-126-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/672-132-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/672-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-155-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/1908-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-141-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/1908-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-26-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2320-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-48-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2324-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-79-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2468-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-100-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2628-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-11-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3032-12-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads