berbew | f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-02-2025 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
Size

163KB
MD5

a44dbbe7ef0aed3d2cf2dd62f847435b
SHA1

5fd363843a16151cc71ca96fdf8df0cdaf89f5c9
SHA256

f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1
SHA512

67e949fa9e2fe2d77fef7cbdd7a3addd74e407803f87452bee431b8d5968f12100d6d5ebf9b2826779a08ea3a9b55e13e372c8a5d95448f0027d5c3f964118d5
SSDEEP

3072:4+TTgRi5Ef1EevsNr+I3ltOrWKDBr+yJbQ:4GgRSevIZ3LOfQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 14 IoCs

pid	Process
2316	Bhjlli32.exe
980	Bkhhhd32.exe
2460	Bnfddp32.exe
2908	Bdcifi32.exe
2752	Bgcbhd32.exe
2260	Boogmgkl.exe
2644	Cfkloq32.exe
2684	Cocphf32.exe
1808	Cgoelh32.exe
1688	Cbdiia32.exe
2692	Cjonncab.exe
2012	Clojhf32.exe
2820	Djdgic32.exe
2112	Dpapaj32.exe

Loads dropped DLL 31 IoCs

pid	Process
2084	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
2084	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
2316	Bhjlli32.exe
2316	Bhjlli32.exe
980	Bkhhhd32.exe
980	Bkhhhd32.exe
2460	Bnfddp32.exe
2460	Bnfddp32.exe
2908	Bdcifi32.exe
2908	Bdcifi32.exe
2752	Bgcbhd32.exe
2752	Bgcbhd32.exe
2260	Boogmgkl.exe
2260	Boogmgkl.exe
2644	Cfkloq32.exe
2644	Cfkloq32.exe
2684	Cocphf32.exe
2684	Cocphf32.exe
1808	Cgoelh32.exe
1808	Cgoelh32.exe
1688	Cbdiia32.exe
1688	Cbdiia32.exe
2692	Cjonncab.exe
2692	Cjonncab.exe
2012	Clojhf32.exe
2012	Clojhf32.exe
2820	Djdgic32.exe
2820	Djdgic32.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Bhjlli32.exe	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cbdiia32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	2112	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2316	2084	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe	31
PID 2084 wrote to memory of 2316	2084	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe	31
PID 2084 wrote to memory of 2316	2084	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe	31
PID 2084 wrote to memory of 2316	2084	f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe	31
PID 2316 wrote to memory of 980	2316	Bhjlli32.exe	32
PID 2316 wrote to memory of 980	2316	Bhjlli32.exe	32
PID 2316 wrote to memory of 980	2316	Bhjlli32.exe	32
PID 2316 wrote to memory of 980	2316	Bhjlli32.exe	32
PID 980 wrote to memory of 2460	980	Bkhhhd32.exe	33
PID 980 wrote to memory of 2460	980	Bkhhhd32.exe	33
PID 980 wrote to memory of 2460	980	Bkhhhd32.exe	33
PID 980 wrote to memory of 2460	980	Bkhhhd32.exe	33
PID 2460 wrote to memory of 2908	2460	Bnfddp32.exe	34
PID 2460 wrote to memory of 2908	2460	Bnfddp32.exe	34
PID 2460 wrote to memory of 2908	2460	Bnfddp32.exe	34
PID 2460 wrote to memory of 2908	2460	Bnfddp32.exe	34
PID 2908 wrote to memory of 2752	2908	Bdcifi32.exe	35
PID 2908 wrote to memory of 2752	2908	Bdcifi32.exe	35
PID 2908 wrote to memory of 2752	2908	Bdcifi32.exe	35
PID 2908 wrote to memory of 2752	2908	Bdcifi32.exe	35
PID 2752 wrote to memory of 2260	2752	Bgcbhd32.exe	36
PID 2752 wrote to memory of 2260	2752	Bgcbhd32.exe	36
PID 2752 wrote to memory of 2260	2752	Bgcbhd32.exe	36
PID 2752 wrote to memory of 2260	2752	Bgcbhd32.exe	36
PID 2260 wrote to memory of 2644	2260	Boogmgkl.exe	37
PID 2260 wrote to memory of 2644	2260	Boogmgkl.exe	37
PID 2260 wrote to memory of 2644	2260	Boogmgkl.exe	37
PID 2260 wrote to memory of 2644	2260	Boogmgkl.exe	37
PID 2644 wrote to memory of 2684	2644	Cfkloq32.exe	38
PID 2644 wrote to memory of 2684	2644	Cfkloq32.exe	38
PID 2644 wrote to memory of 2684	2644	Cfkloq32.exe	38
PID 2644 wrote to memory of 2684	2644	Cfkloq32.exe	38
PID 2684 wrote to memory of 1808	2684	Cocphf32.exe	39
PID 2684 wrote to memory of 1808	2684	Cocphf32.exe	39
PID 2684 wrote to memory of 1808	2684	Cocphf32.exe	39
PID 2684 wrote to memory of 1808	2684	Cocphf32.exe	39
PID 1808 wrote to memory of 1688	1808	Cgoelh32.exe	40
PID 1808 wrote to memory of 1688	1808	Cgoelh32.exe	40
PID 1808 wrote to memory of 1688	1808	Cgoelh32.exe	40
PID 1808 wrote to memory of 1688	1808	Cgoelh32.exe	40
PID 1688 wrote to memory of 2692	1688	Cbdiia32.exe	41
PID 1688 wrote to memory of 2692	1688	Cbdiia32.exe	41
PID 1688 wrote to memory of 2692	1688	Cbdiia32.exe	41
PID 1688 wrote to memory of 2692	1688	Cbdiia32.exe	41
PID 2692 wrote to memory of 2012	2692	Cjonncab.exe	42
PID 2692 wrote to memory of 2012	2692	Cjonncab.exe	42
PID 2692 wrote to memory of 2012	2692	Cjonncab.exe	42
PID 2692 wrote to memory of 2012	2692	Cjonncab.exe	42
PID 2012 wrote to memory of 2820	2012	Clojhf32.exe	43
PID 2012 wrote to memory of 2820	2012	Clojhf32.exe	43
PID 2012 wrote to memory of 2820	2012	Clojhf32.exe	43
PID 2012 wrote to memory of 2820	2012	Clojhf32.exe	43
PID 2820 wrote to memory of 2112	2820	Djdgic32.exe	44
PID 2820 wrote to memory of 2112	2820	Djdgic32.exe	44
PID 2820 wrote to memory of 2112	2820	Djdgic32.exe	44
PID 2820 wrote to memory of 2112	2820	Djdgic32.exe	44
PID 2112 wrote to memory of 2148	2112	Dpapaj32.exe	45
PID 2112 wrote to memory of 2148	2112	Dpapaj32.exe	45
PID 2112 wrote to memory of 2148	2112	Dpapaj32.exe	45
PID 2112 wrote to memory of 2148	2112	Dpapaj32.exe	45

C:\Users\Admin\AppData\Local\Temp\f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe
"C:\Users\Admin\AppData\Local\Temp\f819ed4ef7921535a3e71973de419a9362231293bc2c23650b3308bfb61d29f1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\Bhjlli32.exe
  C:\Windows\system32\Bhjlli32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\Bkhhhd32.exe
    C:\Windows\system32\Bkhhhd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\SysWOW64\Bnfddp32.exe
      C:\Windows\system32\Bnfddp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 144
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
163KB

MD5
574f64e815537e6afcb78e0239f033d8

SHA1
7af78a55b25e976a8f91c227b0addcb3c8bcfde5

SHA256
a7a5e316e071bc391286f7608f5c2c90eea3af2b30aba57eb714cb832b9c45b7

SHA512
59dc832b01216d492e7c5488f6e963be8164953320eeecb7366dcabd3a0fd71a01d0f24dff5873a8cd895129efac947fc42c04a7a8fc805a802de1dc46baf035

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
163KB

MD5
b3bdfb23987f9573404988a67f3e287e

SHA1
54bceec512e402d3983d4a0c8e4f6fad0e2f2374

SHA256
805e17065adc93f1305967ec74e2c5871e61791f2bddeeec262ffb4554241edd

SHA512
1c4609577c2fff7f123d7c5d8211b6000f0769127e451b6813763806319a6b0bcbeba7598ac96f359c8988839471d1479528e3a1ad63cc0cb522a08e7d303fb4

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
163KB

MD5
d77a226d380a11fbe8435b0e4937bdde

SHA1
09f5f5dd593c41476d180ec933aa6e9f0df241e7

SHA256
34a4f69e08e2a6c648fe5b963cccdde9aac5fb6360a1b5448edd420c5d8896a0

SHA512
fce732767518b3e84cc3fd5bbcc33d71900e9e0326b6543ff76b52fd4358bc55fa6ece45d871393c4f27016035b47f2365b7f3e9eb41740dcc4943d907420c6c

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
163KB

MD5
99c8423a590a157458487392a7c1b754

SHA1
a443636d159942a01eb2ba3a73ee405c6bbcc80d

SHA256
2087adbcaeec3c839a3aa301ef24a8c852fc346049bf74f9425f51aa9ee6df8e

SHA512
ab78c65148352e90fd71aa30ed2b05691e00e3bf95219964cb8d24f0538c98f0ea1817f390a93267ea3ef5fb7bf4a7e0983a36ee1a3b8cb37cc023dbe0b63c94

Download Submit
\Windows\SysWOW64\Bgcbhd32.exe

Filesize
163KB

MD5
8992eab0bb5243c5c180099def92dd76

SHA1
7b3e992031e82e140c80f43bf7d1e8da2a7a02e6

SHA256
8d4b23c25bb74c33075b05ee30143c5f4eb59dfdbcf61d696366e19942ed2eb8

SHA512
d57c12ec97131966efbc636bdb6293e040b486e7bfe07e7fb468f039603183f41714b37d8d90f3763fbabf5d1d1a931b0ab5415be196ab7885d7ac5bc5c6e2cd

Download Submit
\Windows\SysWOW64\Bkhhhd32.exe

Filesize
163KB

MD5
f01a006eac9cc8591eeb3e562f2ee80d

SHA1
bebebafce271b4fb9f27f0ab947842358b492c84

SHA256
9f80d2724a9cd8c15996216a81bb862768e5d40e355ef45cc7280666f95db6bc

SHA512
1f558e77f3866ded7259a1cb194bd5b4508e1f31ba214592b96ebd460d967354d4bf3e6824e8fd816093399832fc9ed78792405da91ab5a65e693a3942551524

Download Submit
\Windows\SysWOW64\Bnfddp32.exe

Filesize
163KB

MD5
00772200a79d2706890290b5e977e2ce

SHA1
90829aaef4d1edd23d0a76af39441f8ea9445225

SHA256
445e1cf9e844d8b716b83a6708105ae552239eb858037df766c5dedc2659a605

SHA512
cd6e570b33b38e80eefc4f056aa2bee840001c9a084470212d1cfbdb955d0f66b0f26a47edd86378d731d5cb20fb5a1477cf90dd39a83eeaf00932d691a3d5f1

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
163KB

MD5
b5730629d40f385edb00e0a9b489a1d0

SHA1
8987751f3fe5d89ab60a1a8ff33c0dd8364a6840

SHA256
6b398d0927e421bfb41b9126f77e32380a1bd4b3f1cd4f69a995524e62564cf4

SHA512
a200ea6aeb46a5d8edde790785a6244ae33a32d8db25db715febac853b5353d438c98d8e1aa147465cc364d3a629883352ada1528ff07d3024359261410993ea

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
163KB

MD5
01c107ac2bbb093b883c803e85adc3d1

SHA1
ea225d52ad4f24a619bed176de17eaf34ea94e8d

SHA256
3715d0c37c1c2437007257a80ced8d1e5cdf69b3985da3685758ffa99b23e72a

SHA512
332f03ea1f698177825e2cbdfebfbf9eb7ca849a444e652a4d04dfadcf600831e8c7cbe082276fd2e802337ff235f2ed7223d0d81056aa0d9c6af0a130269f97

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
163KB

MD5
041832a18353c87b394b0a878c056f9d

SHA1
f945da006c0e902ea0b8a148b895c1be58998742

SHA256
11102c7995a4399257687900ff03299980409f52f58fcdf35b93e881c9b04db5

SHA512
51dc8f756cf2ff66d256cdac3f6b07219a640962e601814e40a26e0395310b4137e0d0e44b4c688a627dcd31b1a540a1f65c97a95068106f9e76eb1ce9ed494b

Download Submit
\Windows\SysWOW64\Cjonncab.exe

Filesize
163KB

MD5
fa4a4940c663be4cfd63511b6d8689a8

SHA1
c4c9697763fc4b67d31b8a3198ee2a5df049951a

SHA256
73f392b342fefe3def326c56efd843e47aa9b36238cb8ed6462887894552755a

SHA512
b042beea10f9b5f6ff40ed63b4bc9e6f032fcc482e00ab1cd2d3460c524dde8aa26a49d10ac8fe7330c72a55ec004f0d1bb4f3af62ac1ba5c19615ad697cbeb6

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
163KB

MD5
f6b06c465a3f2595c6cc1a5b3e367856

SHA1
08beed3f469e660f7f9bd113e2796f4b3335452f

SHA256
bfbc3ea6e7edf605d27db122754bb2e2478b06b76a9b14c4222dc1ae55cb21fa

SHA512
8d13e38edfe5abfd8b341103582155ebf9bdf5cb1d0697b32e634b7b9b0c32e80be4fb1766e0d3caae6f7eb2785ffe706a19de90086ce55a28833403b9d2a80e

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
163KB

MD5
63cb4801164231c8cce64d251f4ba4da

SHA1
80a3029c6386a470878bb3622f4c843c16f20c2e

SHA256
786c0b39414ce83f0d3a02e3faf3ff2ff5e86fffba2c349326eda88146930c17

SHA512
1449a0e8db560265ef3c3f392b4d67d17b0b4d5c42f37f1fd92b3da66e2a75e2abb5550fad2b50f009f0515851cbc35ac50479036d812c8d0fa4c5aff4553ac4

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
163KB

MD5
9bd345da2fce97a991f3ed9f63af7110

SHA1
1152c5f9cac700068b80d5c95773b5633b85a75f

SHA256
de640329ad0720dbc03b02c7eb1290c0180881440a9ffba86205976bb80136f4

SHA512
96ef33ba2de9e0ce16e7a5af238ff69e462ad984e2d8784da8ed666c8d4c4f6af7041e379edd3b8c6d67988f8dd467d44145083ee3a58bad8108efb94105ced6

Download Submit
memory/980-26-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/980-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/980-38-0x00000000002B0000-0x0000000000303000-memory.dmp

Filesize
332KB

Download
memory/1688-141-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/1688-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1688-146-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/1688-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1808-203-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1808-125-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2012-169-0x0000000001F70000-0x0000000001FC3000-memory.dmp

Filesize
332KB

Download
memory/2012-196-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2012-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-220-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-218-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-23-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/2112-221-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2112-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2112-187-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2260-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2260-212-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2260-88-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2316-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-219-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-210-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2644-101-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/2644-215-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2684-205-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2684-113-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2692-222-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2692-149-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2752-67-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2752-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2752-78-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2820-197-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2908-211-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2908-60-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2908-52-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads