berbew | 5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078a

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
Size

337KB
MD5

fc42727a965370163c773db47e4e46f0
SHA1

60f156ee8a47063208295b26e7fe9d248040045e
SHA256

5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078a
SHA512

2c109916ec05ce0126902a312d35c84395eaeeb3aee40bcec5fa3e16a677d21363893de12f44d8a73c372d43bc5c68dcaeecd8c715bd2de2367b676930a242c8
SSDEEP

3072:K1RwUBcOiMqp6bOUNWgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:KDWOiMYqNW1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjlap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlqpaafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpqlfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdgijhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhhbngi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlqpaafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhhbngi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 14 IoCs

pid	Process
1656	Cdjlap32.exe
3708	Cpqlfa32.exe
1928	Cmdmpe32.exe
116	Cepadh32.exe
3916	Dpefaq32.exe
5116	Dinjjf32.exe
4128	Dfakcj32.exe
644	Dpjompqc.exe
3024	Ddekmo32.exe
4544	Dgdgijhp.exe
2396	Dmnpfd32.exe
2260	Dlqpaafg.exe
1776	Ddhhbngi.exe
4904	Dbkhnk32.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdjlap32.exe	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
File opened for modification	C:\Windows\SysWOW64\Cdjlap32.exe	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
File opened for modification	C:\Windows\SysWOW64\Cpqlfa32.exe	Cdjlap32.exe
File opened for modification	C:\Windows\SysWOW64\Dinjjf32.exe	Dpefaq32.exe
File created	C:\Windows\SysWOW64\Dihmeahp.dll	Dpefaq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmnpfd32.exe	Dgdgijhp.exe
File created	C:\Windows\SysWOW64\Dlqpaafg.exe	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Ddhhbngi.exe	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Ddhhbngi.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Ddhhbngi.exe
File created	C:\Windows\SysWOW64\Dmnpfd32.exe	Dgdgijhp.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Ddhhbngi.exe
File created	C:\Windows\SysWOW64\Dpefaq32.exe	Cepadh32.exe
File created	C:\Windows\SysWOW64\Eicfep32.dll	Cepadh32.exe
File created	C:\Windows\SysWOW64\Dgdgijhp.exe	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Hiagoigj.dll	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
File created	C:\Windows\SysWOW64\Dinjjf32.exe	Dpefaq32.exe
File opened for modification	C:\Windows\SysWOW64\Dgdgijhp.exe	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Fjgnln32.dll	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Cmonod32.dll	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Mondkfmh.dll	Cpqlfa32.exe
File opened for modification	C:\Windows\SysWOW64\Dpefaq32.exe	Cepadh32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjompqc.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Ddekmo32.exe	Dpjompqc.exe
File opened for modification	C:\Windows\SysWOW64\Ddekmo32.exe	Dpjompqc.exe
File created	C:\Windows\SysWOW64\Cbccbiml.dll	Dpjompqc.exe
File created	C:\Windows\SysWOW64\Dpkgac32.dll	Dgdgijhp.exe
File opened for modification	C:\Windows\SysWOW64\Ddhhbngi.exe	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Dpjompqc.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Mkfbmfbn.dll	Cdjlap32.exe
File created	C:\Windows\SysWOW64\Cmdmpe32.exe	Cpqlfa32.exe
File opened for modification	C:\Windows\SysWOW64\Cepadh32.exe	Cmdmpe32.exe
File opened for modification	C:\Windows\SysWOW64\Dlqpaafg.exe	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Cpqlfa32.exe	Cdjlap32.exe
File opened for modification	C:\Windows\SysWOW64\Cmdmpe32.exe	Cpqlfa32.exe
File created	C:\Windows\SysWOW64\Cepadh32.exe	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Befogbik.dll	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Dfakcj32.exe	Dinjjf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfakcj32.exe	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Nfmcle32.dll	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Fiinbn32.dll	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Fgpoahbe.dll	Ddekmo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	4904	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepadh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlqpaafg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpqlfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhhbngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpefaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdgijhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpfd32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgdgijhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlqpaafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbccbiml.dll"	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpoahbe.dll"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicfep32.dll"	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcle32.dll"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befogbik.dll"	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mondkfmh.dll"	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgnln32.dll"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddhhbngi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfbmfbn.dll"	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Ddhhbngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiinbn32.dll"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpqlfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihmeahp.dll"	Dpefaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdgijhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpkgac32.dll"	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmonod32.dll"	Dlqpaafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddhhbngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiagoigj.dll"	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpqlfa32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1656	2080	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe	89
PID 2080 wrote to memory of 1656	2080	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe	89
PID 2080 wrote to memory of 1656	2080	5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe	89
PID 1656 wrote to memory of 3708	1656	Cdjlap32.exe	90
PID 1656 wrote to memory of 3708	1656	Cdjlap32.exe	90
PID 1656 wrote to memory of 3708	1656	Cdjlap32.exe	90
PID 3708 wrote to memory of 1928	3708	Cpqlfa32.exe	91
PID 3708 wrote to memory of 1928	3708	Cpqlfa32.exe	91
PID 3708 wrote to memory of 1928	3708	Cpqlfa32.exe	91
PID 1928 wrote to memory of 116	1928	Cmdmpe32.exe	92
PID 1928 wrote to memory of 116	1928	Cmdmpe32.exe	92
PID 1928 wrote to memory of 116	1928	Cmdmpe32.exe	92
PID 116 wrote to memory of 3916	116	Cepadh32.exe	93
PID 116 wrote to memory of 3916	116	Cepadh32.exe	93
PID 116 wrote to memory of 3916	116	Cepadh32.exe	93
PID 3916 wrote to memory of 5116	3916	Dpefaq32.exe	94
PID 3916 wrote to memory of 5116	3916	Dpefaq32.exe	94
PID 3916 wrote to memory of 5116	3916	Dpefaq32.exe	94
PID 5116 wrote to memory of 4128	5116	Dinjjf32.exe	95
PID 5116 wrote to memory of 4128	5116	Dinjjf32.exe	95
PID 5116 wrote to memory of 4128	5116	Dinjjf32.exe	95
PID 4128 wrote to memory of 644	4128	Dfakcj32.exe	96
PID 4128 wrote to memory of 644	4128	Dfakcj32.exe	96
PID 4128 wrote to memory of 644	4128	Dfakcj32.exe	96
PID 644 wrote to memory of 3024	644	Dpjompqc.exe	97
PID 644 wrote to memory of 3024	644	Dpjompqc.exe	97
PID 644 wrote to memory of 3024	644	Dpjompqc.exe	97
PID 3024 wrote to memory of 4544	3024	Ddekmo32.exe	98
PID 3024 wrote to memory of 4544	3024	Ddekmo32.exe	98
PID 3024 wrote to memory of 4544	3024	Ddekmo32.exe	98
PID 4544 wrote to memory of 2396	4544	Dgdgijhp.exe	99
PID 4544 wrote to memory of 2396	4544	Dgdgijhp.exe	99
PID 4544 wrote to memory of 2396	4544	Dgdgijhp.exe	99
PID 2396 wrote to memory of 2260	2396	Dmnpfd32.exe	100
PID 2396 wrote to memory of 2260	2396	Dmnpfd32.exe	100
PID 2396 wrote to memory of 2260	2396	Dmnpfd32.exe	100
PID 2260 wrote to memory of 1776	2260	Dlqpaafg.exe	101
PID 2260 wrote to memory of 1776	2260	Dlqpaafg.exe	101
PID 2260 wrote to memory of 1776	2260	Dlqpaafg.exe	101
PID 1776 wrote to memory of 4904	1776	Ddhhbngi.exe	102
PID 1776 wrote to memory of 4904	1776	Ddhhbngi.exe	102
PID 1776 wrote to memory of 4904	1776	Ddhhbngi.exe	102

C:\Users\Admin\AppData\Local\Temp\5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe
"C:\Users\Admin\AppData\Local\Temp\5d502e8b9cfb494da99f259af20e8f334dab8da00281613da59d9b926143078aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\Cdjlap32.exe
  C:\Windows\system32\Cdjlap32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\Cpqlfa32.exe
    C:\Windows\system32\Cpqlfa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\SysWOW64\Cmdmpe32.exe
      C:\Windows\system32\Cmdmpe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\Cepadh32.exe
        
        C:\Windows\system32\Cepadh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
      - C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 400
        16⤵
        Program crash
        
        PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4904 -ip 4904
1⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdjlap32.exe

Filesize
337KB

MD5
26d9fd5ade65b1d6e0c5aaa3cab2aea6

SHA1
a64d206171eff67dc3b0f59cf98c6acbe8173faf

SHA256
ec09f5eae9b2b6e87f6c3ec90f6063e379785f792435b122158bd1e8b110e279

SHA512
ae76d3a7834702f32914f0af7408a416b9165f71028fa9d144d8588aa2856b5d25ad9567c269b6b41c5975390b768e438a5741191a946349b133d9b79ef6f024

Download Submit
C:\Windows\SysWOW64\Cepadh32.exe

Filesize
337KB

MD5
2b8ac3757f22c9f0b3db610762766fce

SHA1
747308fbd10efec62a964c7a33b6860180da08d9

SHA256
c2fc35c3629620e42a7c38e87560de52a5c5d6993ddcd79900c71afd284a3382

SHA512
fe020293c38f55f1ebf3463fff3850f182935dc5064c4c4211fa61a52e5138b29c54062508d8350ae285f713311feaea641a340eea1b6455d7cc4edc484ea01e

Download Submit
C:\Windows\SysWOW64\Cmdmpe32.exe

Filesize
337KB

MD5
66cbf54a8f18335a2e9f8af5f26fd4fc

SHA1
011220e3ab37b2e9720fe5e22ce502940d07bcc2

SHA256
d50316c65744572036b76d96f1fa8bd8fbf614f2f1f81709ae4cc0bf3c5ab824

SHA512
0aecebba08a6c809c9f4eb16f0714378ca6fbc86a2b32b61bf98279903ef2445fd42871b6fd61da868af4298b205ead650f3846c683a94f37455697a4b939599

Download Submit
C:\Windows\SysWOW64\Cpqlfa32.exe

Filesize
337KB

MD5
23ae923885b53f89d8f3ebf5285b8b63

SHA1
4517f249f642caadf7546b36ecc2336b239793a8

SHA256
81e7459292840b891b72d35157dd3ed453f23ac71e4c343a39f4e115c2dd26d1

SHA512
a4b21190fabf1410bb8350e178dc8106d8a0a29c1240a62f212ce94fc2d0d166832a8055368d739d72c99fe13af53d4e0112e1ac26c0dfed9833cfa84568da46

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
337KB

MD5
490996e30d67fe3b3283b669cd0b2835

SHA1
79aa8e8471d05a593f2293620d869e8e9f5bec1f

SHA256
ede5f819ebb3e49d958958916039454aa8971af0a974b53c4ea3cc69a9f4b32d

SHA512
30ccf8ce73d179c164b92690f343016946ea27b0fd5595d8a8edf030fb514ccb31e7e68e6c98d327d0df081c19ff9f28e598bff2c2de868e9b11b8d3c8421d54

Download Submit
C:\Windows\SysWOW64\Ddekmo32.exe

Filesize
337KB

MD5
6411f2b3061a88fe326a44a85a7defdd

SHA1
a2c5028c5f74f30f64148059cafe9405e2457a04

SHA256
15a918ca4feacb8b0b71f8e88e7fe6156c133bbdc334226adc44be3ab33a87bd

SHA512
569acdb0bcce4f4d7cf731fcc03bce7676cb3350d380bed32a0d392e19c9c0a89b17f58276ab2fad77ab3fae0f6cf2599edef0c0b03a7f3bb60bfa1fe569a8b2

Download Submit
C:\Windows\SysWOW64\Ddhhbngi.exe

Filesize
337KB

MD5
0d2c3f28ae5bb7f0e1bd9e74a0ee1c68

SHA1
37b2522af7926b748932a65b068695729ad8304f

SHA256
05bda5df19289dab73ecdea9a4addd9dd34a4e6c2559fb58ce21b54658471042

SHA512
99c3d4b32a4d597eb3d148baa50bbae89fce436baf3df783cf3425b78c3026bef2a9216b76bf187451b3f7d0b6adbaf07a4fda282c20f4dc3bc6d9313da84f7f

Download Submit
C:\Windows\SysWOW64\Dfakcj32.exe

Filesize
337KB

MD5
aa025a90070839e1acf2a1059cadbc04

SHA1
6ffb4c5931b7c6186d651c59be0eb450b82d1acf

SHA256
bb09cc8fdd38f5739af52c253565a20d6ef764cb946aa442350bdd790c7ed550

SHA512
24921d05ddcfb96a847326cd360c3dfa559f2b477277c047fd21611452c284ff3f86619ac6edc0ecda225078339015b0207b4dcc604313ad47e9d04ae35da516

Download Submit
C:\Windows\SysWOW64\Dgdgijhp.exe

Filesize
337KB

MD5
9329985c712f0fb561af1ae198a93415

SHA1
f18318c8f683684a17024bf309e212367df87d7a

SHA256
f207c1562c8e2525b948c83079fb175be706d951d8d4f53f0165c4d0a8807e00

SHA512
6265524f591cd167393b54668557c38e7718a4274687e9339ec7b3752b33931098744c113da4762eeddbca70e34020f6dc28e50b377b8ac309d71b1c0223b705

Download Submit
C:\Windows\SysWOW64\Dinjjf32.exe

Filesize
337KB

MD5
6a7223f89a9c02bfb71361216985398e

SHA1
02cd5d2a74052189d0c32c9c72a2fb16d031c178

SHA256
4ada6db6b0752e5332e0cbe3ed57a34f8333d5f5945b7e464fc4caec7c991ec9

SHA512
b8ab991f4b0d215d7656e536b6fb08dad22fcc7145311c205a29d1e7750f04f27ba0441e3405fff8471723a1a7d84793aa931a394f8825773bcdc75daca95e4a

Download Submit
C:\Windows\SysWOW64\Dlqpaafg.exe

Filesize
337KB

MD5
60840ec842d7c515aa518576798dff5b

SHA1
098cb94d0ba04b2b2fe8042cefb29b68ae86c14c

SHA256
cb2a258ee5081a6500edc8768209805a39de6cbd2e334237138ae4622d4f008b

SHA512
2e37bb48390a8854bc8ac25c52a6fdd883493b5be5b858b993c141e58af4581b931b0b63cd1bf6dcb38ba6b3c2ca4d9ce5300146a478db9755a8d48a87eccb5e

Download Submit
C:\Windows\SysWOW64\Dmnpfd32.exe

Filesize
337KB

MD5
feefd04fbb5506bf32fca5b6dc5f8b40

SHA1
0bf027682f34eb880ff1eea68c2e05f32af00284

SHA256
175d380f0e3e0238650ecc8444058b9634e499db05df30adacb59bf6aeeb34d3

SHA512
1f2217c64a7d79a899a8c209994f79b52478856f26c99ce14d2702f427617a3ea039db611974ac2d160d76a3714bee2a8a43c4c49f69411c40762d5f2183cc1e

Download Submit
C:\Windows\SysWOW64\Dpefaq32.exe

Filesize
337KB

MD5
40d39b3bf7a2544935ea27e829312ecb

SHA1
cc86d728bd30854329cbe2f05a8b78a5a608d740

SHA256
865511c5ab8cb23bd8086620bf2bd98bf225857c7eeb90cddc4c0553e0064b7f

SHA512
ad62775fc598cc828e734ce858e6e39bfd057c2f5ed056bf3d7ec9b2b0a365a56c5364621539b6bf0c1863a706b1524cb66b0cf9091c97b4c3c64d5e3ac1bfe1

Download Submit
C:\Windows\SysWOW64\Dpjompqc.exe

Filesize
337KB

MD5
f81ce277a00b2fc5275c0888aa3f733d

SHA1
9c5eafb93f201405b91b710a91c1515d5ee4a999

SHA256
95c0812ebf1272d1c9366b237e475fab7978adf69d5266ede2bfa5659075e968

SHA512
d453278ca1d11532dddef5c354a450bf4aad3f2c756ccd4d7c30c08a2f624a1c091ec6a02550c5bacf6f9a09e4b2e5d85f78db3daeefa66cfefd8d605cfa10fa

Download Submit
memory/116-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2080-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads