berbew | 2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
Size

89KB
MD5

4b731ff8cc66909655676222524c76b0
SHA1

305587b7be0c5f84864578520246a89da476a6dc
SHA256

2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672
SHA512

057b21f6e76829b88107808de161a28a73fb889fa0ac321b3df9f655c40e295aceb867a3166295de4a4e52ca623402068a27de55cc5fdb4360cdf143a8c8b4b9
SSDEEP

1536:sEQFeLqUAOJR5CuvJDq02tYY1XfTRQ8UD68a+VMKKTRVGFtUhQfR1WRaROR8R:sEQFeLLAMLCuBm0eV1PTe2r4MKy3G7Ug

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciiaogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpfd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 14 IoCs

pid	Process
2436	Cdlhgpag.exe
1868	Cfjeckpj.exe
3780	Ciiaogon.exe
2776	Cbaehl32.exe
652	Cmgjee32.exe
3140	Dbcbnlcl.exe
2964	Dfonnk32.exe
4564	Dinjjf32.exe
3172	Dpgbgpbe.exe
4896	Dfakcj32.exe
2204	Dmkcpdao.exe
1732	Dbhlikpf.exe
4500	Dmnpfd32.exe
1384	Dbkhnk32.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dfonnk32.exe	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Dbhlikpf.exe	Dmkcpdao.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dmnpfd32.exe
File opened for modification	C:\Windows\SysWOW64\Dbcbnlcl.exe	Cmgjee32.exe
File created	C:\Windows\SysWOW64\Pfdnkk32.dll	Cfjeckpj.exe
File opened for modification	C:\Windows\SysWOW64\Cbaehl32.exe	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Dbcbnlcl.exe	Cmgjee32.exe
File created	C:\Windows\SysWOW64\Dkakfgoq.dll	Cmgjee32.exe
File created	C:\Windows\SysWOW64\Dpgbgpbe.exe	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Oihlnd32.dll	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Dfakcj32.exe	Dpgbgpbe.exe
File opened for modification	C:\Windows\SysWOW64\Cdlhgpag.exe	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
File opened for modification	C:\Windows\SysWOW64\Dbhlikpf.exe	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Dpkgac32.dll	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Nfmcle32.dll	Dpgbgpbe.exe
File opened for modification	C:\Windows\SysWOW64\Dmkcpdao.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Cdlhgpag.exe	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
File opened for modification	C:\Windows\SysWOW64\Dinjjf32.exe	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Dihmeahp.dll	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Dmnpfd32.exe	Dbhlikpf.exe
File opened for modification	C:\Windows\SysWOW64\Ciiaogon.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Qecnjaee.dll	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Qfeckiie.dll	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Adlafb32.dll	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Dinjjf32.exe	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Ladlqj32.dll	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
File created	C:\Windows\SysWOW64\Dfonnk32.exe	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Ciiaogon.exe	Cfjeckpj.exe
File opened for modification	C:\Windows\SysWOW64\Cfjeckpj.exe	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Jaepkejo.dll	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Cmgjee32.exe	Cbaehl32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjee32.exe	Cbaehl32.exe
File opened for modification	C:\Windows\SysWOW64\Dpgbgpbe.exe	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Dmkcpdao.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Ioeiam32.dll	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Cfjeckpj.exe	Cdlhgpag.exe
File opened for modification	C:\Windows\SysWOW64\Dmnpfd32.exe	Dbhlikpf.exe
File opened for modification	C:\Windows\SysWOW64\Dfakcj32.exe	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Idbgcb32.dll	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Cbaehl32.exe	Ciiaogon.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	1384	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciiaogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhgpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpgbgpbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfonnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjee32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaepkejo.dll"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfeckiie.dll"	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihlnd32.dll"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdnkk32.dll"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfjeckpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idbgcb32.dll"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecnjaee.dll"	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkakfgoq.dll"	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcle32.dll"	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihmeahp.dll"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlafb32.dll"	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladlqj32.dll"	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpkgac32.dll"	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbcbnlcl.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 2436	3508	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe	89
PID 3508 wrote to memory of 2436	3508	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe	89
PID 3508 wrote to memory of 2436	3508	2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe	89
PID 2436 wrote to memory of 1868	2436	Cdlhgpag.exe	90
PID 2436 wrote to memory of 1868	2436	Cdlhgpag.exe	90
PID 2436 wrote to memory of 1868	2436	Cdlhgpag.exe	90
PID 1868 wrote to memory of 3780	1868	Cfjeckpj.exe	91
PID 1868 wrote to memory of 3780	1868	Cfjeckpj.exe	91
PID 1868 wrote to memory of 3780	1868	Cfjeckpj.exe	91
PID 3780 wrote to memory of 2776	3780	Ciiaogon.exe	92
PID 3780 wrote to memory of 2776	3780	Ciiaogon.exe	92
PID 3780 wrote to memory of 2776	3780	Ciiaogon.exe	92
PID 2776 wrote to memory of 652	2776	Cbaehl32.exe	93
PID 2776 wrote to memory of 652	2776	Cbaehl32.exe	93
PID 2776 wrote to memory of 652	2776	Cbaehl32.exe	93
PID 652 wrote to memory of 3140	652	Cmgjee32.exe	94
PID 652 wrote to memory of 3140	652	Cmgjee32.exe	94
PID 652 wrote to memory of 3140	652	Cmgjee32.exe	94
PID 3140 wrote to memory of 2964	3140	Dbcbnlcl.exe	95
PID 3140 wrote to memory of 2964	3140	Dbcbnlcl.exe	95
PID 3140 wrote to memory of 2964	3140	Dbcbnlcl.exe	95
PID 2964 wrote to memory of 4564	2964	Dfonnk32.exe	96
PID 2964 wrote to memory of 4564	2964	Dfonnk32.exe	96
PID 2964 wrote to memory of 4564	2964	Dfonnk32.exe	96
PID 4564 wrote to memory of 3172	4564	Dinjjf32.exe	97
PID 4564 wrote to memory of 3172	4564	Dinjjf32.exe	97
PID 4564 wrote to memory of 3172	4564	Dinjjf32.exe	97
PID 3172 wrote to memory of 4896	3172	Dpgbgpbe.exe	98
PID 3172 wrote to memory of 4896	3172	Dpgbgpbe.exe	98
PID 3172 wrote to memory of 4896	3172	Dpgbgpbe.exe	98
PID 4896 wrote to memory of 2204	4896	Dfakcj32.exe	99
PID 4896 wrote to memory of 2204	4896	Dfakcj32.exe	99
PID 4896 wrote to memory of 2204	4896	Dfakcj32.exe	99
PID 2204 wrote to memory of 1732	2204	Dmkcpdao.exe	100
PID 2204 wrote to memory of 1732	2204	Dmkcpdao.exe	100
PID 2204 wrote to memory of 1732	2204	Dmkcpdao.exe	100
PID 1732 wrote to memory of 4500	1732	Dbhlikpf.exe	101
PID 1732 wrote to memory of 4500	1732	Dbhlikpf.exe	101
PID 1732 wrote to memory of 4500	1732	Dbhlikpf.exe	101
PID 4500 wrote to memory of 1384	4500	Dmnpfd32.exe	102
PID 4500 wrote to memory of 1384	4500	Dmnpfd32.exe	102
PID 4500 wrote to memory of 1384	4500	Dmnpfd32.exe	102

C:\Users\Admin\AppData\Local\Temp\2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe
"C:\Users\Admin\AppData\Local\Temp\2aea2ca91168eb59524ecfa9bb3afb87a9bf4829b79bb03662f7ecd18d439672N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\Cdlhgpag.exe
  C:\Windows\system32\Cdlhgpag.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\Cfjeckpj.exe
    C:\Windows\system32\Cfjeckpj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\SysWOW64\Ciiaogon.exe
      C:\Windows\system32\Ciiaogon.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3780
    - - C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 420
        16⤵
        Program crash
        
        PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1384 -ip 1384
1⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4616,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=1008 /prefetch:8
1⤵
PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cbaehl32.exe

Filesize
89KB

MD5
51d1eef35704aea8bad11b004e8ecf15

SHA1
803893a9b40d03dc550e3ae53c74e3ab110950ad

SHA256
087a88cd89c71e65a012a0d9576cb0466ce83f365e9557b531d9e84b1f614100

SHA512
9185d994285cbae04968cbd3841199ea64e6308c30cb8658c5003ff0f0d56cd2389a09decc8860aaddaf2573db5ecbd8936f6eb87f63aaa11a688d2e487b8a7a

Download Submit
C:\Windows\SysWOW64\Cdlhgpag.exe

Filesize
89KB

MD5
49e353d4c8da826ad272cf57a5c71cc6

SHA1
e0aaca19837bf06f5499c3a5329d50cf6508426b

SHA256
3b2cff99d9cc72e759c7903a0e5ed409ff60def33b2a032951ac148c412f2d74

SHA512
b7d887e06f4cb83b4941c1e1636962af28337eb828f66c5075882999ad0eb80d45212a5a311acc46ffd36d31d8058993010335d04b43e5b85e8c35a9c06ee9ef

Download Submit
C:\Windows\SysWOW64\Cfjeckpj.exe

Filesize
89KB

MD5
58bde51d0996b6a7eb37da3f93b7d129

SHA1
a3b51bcdd950a067d13cdb44183429eb15a5a9b8

SHA256
955f747eae92374c7cbfe9c0254153b865107c67ca507d5e43b67ee65af37f98

SHA512
111852314067e01a0db410aa25698c16e77e8605a5c21af1c4a303be3ba882815d74743a552cbd04980681ecb6566412955764256020956f2e2dc4f4eb7755a4

Download Submit
C:\Windows\SysWOW64\Ciiaogon.exe

Filesize
89KB

MD5
0239bc5c25b373769397230e226a64f3

SHA1
7e10acc321f2df7f114707e56cf543e15ed7713e

SHA256
411289bb3bb2b2497cd18e90a286bfe2e711b34c8a940112e007574a1ce00a97

SHA512
91f91ce481cca0b1ec0f4a356640699dd5e84eef650ba41f214f1b0c6a6aec0accf2f98b8e62d4f6448210670abb7dbcc0b958e71a6bb559ccc4e2bf4c74759f

Download Submit
C:\Windows\SysWOW64\Cmgjee32.exe

Filesize
89KB

MD5
62c28dfc568abb7445d9be4b02952191

SHA1
b19a9a9133ba406dff48c1001eaf4e80c2c2b6d9

SHA256
dc7f6cb945d919878ce012942464c1a9ce7e24c3109bcb09bd91819d289c4dc4

SHA512
e530f0bb9f00d9e827c5f557ecadf19db1ea856c7a8100765f99be28d5e21c19316357125d89ea4a930eb8edceacbd11cbed20bc68b8c2fbf835391a4ccd0b86

Download Submit
C:\Windows\SysWOW64\Dbcbnlcl.exe

Filesize
89KB

MD5
15d672877c5f2e0c6efdc15706527b3a

SHA1
4abe8eaed5cac329ad705cf228ff061874f6dbc8

SHA256
3104d5dafbc5ca28d7f28f3abcdcf98023aab3d61adee9ad02015f6127679de9

SHA512
92bc9712f176cd67a42f3439a1d0f6e83c285884bfb0d92b6a4173e339360afaea30610d69fd42fbbd21f3943db3f47eef2e7e6605baf3279fe21fc21e28eeef

Download Submit
C:\Windows\SysWOW64\Dbhlikpf.exe

Filesize
89KB

MD5
eb06c384977866ee59785ba1958f77c5

SHA1
6b971ea67daed9c1cb2eac80184fbaffd1fa1635

SHA256
0712fcbccb1f9076c2d5f0e7d4e53e1a9b175361d47ae4bc7a0e7b5800777d97

SHA512
dadd71a182dc95df725a078ee50c35d9315a18538e41786521ff0afb3c156f16ac8293ccdef27882ab9d91f1ac91412d18433d42f27d919d6975784e8ecc10d1

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
89KB

MD5
373718c1e66ff10a56fdcccc3daa89cc

SHA1
4aca6fb437e52792b94ceedcb680148cbcdbb2ae

SHA256
b3028cc7e8bc731c0cd1817327e939b705782fdb44a00c2dfb6d914fd4b71ad9

SHA512
f8e1d117954421cae155de15c81d1dec16cab3a5560f40cf69261e1a03520428f31b1f077520eab990f9180dd4cf52c993cdd92a2c57b9e1ff8dc065a10b0de4

Download Submit
C:\Windows\SysWOW64\Dfakcj32.exe

Filesize
89KB

MD5
bc3ca808adeb537d0df676aea4f508d3

SHA1
61bc51b843aaf55b34a529f5d8291eb7c462acb6

SHA256
7d7d607bc39b56e7ff9d6df2092f81a1ea4f87ca4d554ce18b0f3d2ac0155db9

SHA512
1527cba158b370274b888eff6ffa37a2b7e9eccdca1757f9fbaa6e25a4e742d7d89fd3a937a35358dd440637dce423bf130bb414d92c68ef8430ba85edcdb2ce

Download Submit
C:\Windows\SysWOW64\Dfonnk32.exe

Filesize
89KB

MD5
bc6fdb4cabb3155315a1f50f04971532

SHA1
d1272232f860789e201e126a00ea31b1956750d9

SHA256
dba14ab97e294c2bd93235b8ccb451b5687d29a22da5acaaf5156348b3dc76f5

SHA512
cbc63b0812b2eb7ed7e49d1bd45938d167bfc973bb15758863dfa6e1c94d2cb5d40d4a66b02cabaffa8d5ea2bcc25a89b9d8df760f43e246252ea8c7ea08e84b

Download Submit
C:\Windows\SysWOW64\Dinjjf32.exe

Filesize
89KB

MD5
69f0a37629c33172a95f651fd428b2bb

SHA1
138a05a8967053752b36f336e7f915570d1c22d1

SHA256
4d4b302850554173ee4d43e4164cab3f9fb5bb98c53bb9d9c92aac5721189692

SHA512
38c4de4e4e986fcffcc77a86985ebbd66f6438a17e9f97a264b6c1d38a3b41ab49828f1576f1b6e71e45baa3a2f1e384e931c857a0fbbc673fdc9aa134a74992

Download Submit
C:\Windows\SysWOW64\Dmkcpdao.exe

Filesize
89KB

MD5
537e2fe9af7042e228140b0091c0b7d6

SHA1
8e89c9b6c83c094a237560b46c06095fc2254295

SHA256
f0b8fc88df3638bb9b1d7720fd341e67473eaa54effd23919bc20b9ce60285c4

SHA512
0b7e739522269e110ff1bc521f02b52b6a6d2f6a9694da7846a1c835a93abec5dc9687a350c0ffc15ddfc43b1d9bee988d0a56bc2ad3947ee19e98d8ed4d391b

Download Submit
C:\Windows\SysWOW64\Dmnpfd32.exe

Filesize
89KB

MD5
94fefac83a2e6dd3543fa8202cb9031c

SHA1
4c0dd6b85d6347cadb5836a3f7c21a397b8c6642

SHA256
0b7ac536cf5fff121dfdcc317fea9797e956bfc648e3f133c5b63be40151206b

SHA512
234eb7042720dae6686289d9f19a85fbc7a9b64b6ee55476a02675b0695922f1bd941dc11ad04f1c48be85a8ce7f078503e0a02cae01b025ee775335ce75d31e

Download Submit
C:\Windows\SysWOW64\Dpgbgpbe.exe

Filesize
89KB

MD5
46bbf74f6b3e5cbca00b44838acf9ba7

SHA1
13acfc6f6bad3b5a1a58d2422025e754c5a80eb0

SHA256
737c141a342161352050b0ca160a3e42fc914d0fcc0a6933e797d367a5a45e15

SHA512
0cacb6fc87f67f656341432ec37b96a906bcc2a9d4a1a6d1b1801230974ec6fab0ade844cab56a0a05fc592a9cd10b416de2aaff8b4708bfd06948062ae280e8

Download Submit
C:\Windows\SysWOW64\Qfeckiie.dll

Filesize
7KB

MD5
da256cbde3f46ed1305178a5cd351626

SHA1
1939bffed66007d4cbf64589ae2ca28a7416ece8

SHA256
a0fb0aeb10bfa25ab90b3343c6904fd285cee046489f436364666f6c9ff87477

SHA512
7af6d06c24722b848914caf1d91990edb2445014cc116ef599a1bfc4dc7a41352e5d5633577d32a1f7d2f93244333b3a4fc2e36b415043ce28bc97d7741019cb

Download Submit
memory/652-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/652-126-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1384-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1384-118-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1868-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2204-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2204-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-114-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2964-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2964-123-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3140-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3140-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3172-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3172-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3508-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3508-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3780-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3780-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4500-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4500-117-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-122-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads