berbew | f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17e

Analysis

max time kernel
102s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
Size

337KB
MD5

c556c10ce15217fe4f12b3b839402880
SHA1

55a0dceecbbeeaaa18a2606d1373f4f902997697
SHA256

f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17e
SHA512

b162d876178967c81d39d7a9ac5d2ddeb07a13685acefcda8e1bdabf999236b7c8d6c4668624990f22d91f030299ddf0f5b64f7c01cc69c0e0463ad42751966b
SSDEEP

3072:mDqYeMPwnGLZ+/gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:mle++/1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 14 IoCs

pid	Process
1960	Cnnlaehj.exe
4484	Ddjejl32.exe
4648	Dhfajjoj.exe
396	Dejacond.exe
3232	Djgjlelk.exe
1464	Daqbip32.exe
3036	Dfnjafap.exe
4552	Dodbbdbb.exe
4628	Deokon32.exe
4144	Dhmgki32.exe
4792	Dkkcge32.exe
3196	Dhocqigp.exe
376	Dgbdlf32.exe
4652	Dmllipeg.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3688	4652	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 1960	3228	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe	84
PID 3228 wrote to memory of 1960	3228	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe	84
PID 3228 wrote to memory of 1960	3228	f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe	84
PID 1960 wrote to memory of 4484	1960	Cnnlaehj.exe	85
PID 1960 wrote to memory of 4484	1960	Cnnlaehj.exe	85
PID 1960 wrote to memory of 4484	1960	Cnnlaehj.exe	85
PID 4484 wrote to memory of 4648	4484	Ddjejl32.exe	86
PID 4484 wrote to memory of 4648	4484	Ddjejl32.exe	86
PID 4484 wrote to memory of 4648	4484	Ddjejl32.exe	86
PID 4648 wrote to memory of 396	4648	Dhfajjoj.exe	87
PID 4648 wrote to memory of 396	4648	Dhfajjoj.exe	87
PID 4648 wrote to memory of 396	4648	Dhfajjoj.exe	87
PID 396 wrote to memory of 3232	396	Dejacond.exe	88
PID 396 wrote to memory of 3232	396	Dejacond.exe	88
PID 396 wrote to memory of 3232	396	Dejacond.exe	88
PID 3232 wrote to memory of 1464	3232	Djgjlelk.exe	89
PID 3232 wrote to memory of 1464	3232	Djgjlelk.exe	89
PID 3232 wrote to memory of 1464	3232	Djgjlelk.exe	89
PID 1464 wrote to memory of 3036	1464	Daqbip32.exe	90
PID 1464 wrote to memory of 3036	1464	Daqbip32.exe	90
PID 1464 wrote to memory of 3036	1464	Daqbip32.exe	90
PID 3036 wrote to memory of 4552	3036	Dfnjafap.exe	92
PID 3036 wrote to memory of 4552	3036	Dfnjafap.exe	92
PID 3036 wrote to memory of 4552	3036	Dfnjafap.exe	92
PID 4552 wrote to memory of 4628	4552	Dodbbdbb.exe	93
PID 4552 wrote to memory of 4628	4552	Dodbbdbb.exe	93
PID 4552 wrote to memory of 4628	4552	Dodbbdbb.exe	93
PID 4628 wrote to memory of 4144	4628	Deokon32.exe	94
PID 4628 wrote to memory of 4144	4628	Deokon32.exe	94
PID 4628 wrote to memory of 4144	4628	Deokon32.exe	94
PID 4144 wrote to memory of 4792	4144	Dhmgki32.exe	95
PID 4144 wrote to memory of 4792	4144	Dhmgki32.exe	95
PID 4144 wrote to memory of 4792	4144	Dhmgki32.exe	95
PID 4792 wrote to memory of 3196	4792	Dkkcge32.exe	97
PID 4792 wrote to memory of 3196	4792	Dkkcge32.exe	97
PID 4792 wrote to memory of 3196	4792	Dkkcge32.exe	97
PID 3196 wrote to memory of 376	3196	Dhocqigp.exe	98
PID 3196 wrote to memory of 376	3196	Dhocqigp.exe	98
PID 3196 wrote to memory of 376	3196	Dhocqigp.exe	98
PID 376 wrote to memory of 4652	376	Dgbdlf32.exe	100
PID 376 wrote to memory of 4652	376	Dgbdlf32.exe	100
PID 376 wrote to memory of 4652	376	Dgbdlf32.exe	100

C:\Users\Admin\AppData\Local\Temp\f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe
"C:\Users\Admin\AppData\Local\Temp\f249223712f563dd3d5b9532a95d3faad041e345b7cb7d85872f91f67f59c17eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\SysWOW64\Cnnlaehj.exe
  C:\Windows\system32\Cnnlaehj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\Ddjejl32.exe
    C:\Windows\system32\Ddjejl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\SysWOW64\Dhfajjoj.exe
      C:\Windows\system32\Dhfajjoj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
      - C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 396
        16⤵
        Program crash
        
        PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4652 -ip 4652
1⤵
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
337KB

MD5
ff0ca38f56b1281353bce3009dbb3cf5

SHA1
f838eaf9864192d21c7dc9549a2ad4bb750618d9

SHA256
c5657523c1fcf4d74d31f72612d60224d2008a918f9bdfe695c733e37b235144

SHA512
1e62371fdf202e6e15e4ed09e4f1e51e4060b1955d3e164599e201992a2e3b3ce19d68d2b73f03d4c23c6eb5463f878183799a2360e52e76e3497e5fc5755d49

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
337KB

MD5
16e097507d8ef74ba7ce2facb6dc85f1

SHA1
08da887fde89cc2ce9ed26c821eca7899a755c9e

SHA256
6be95a36aed3127f1d4aa5601bf8b6f0b57e85c6617cb6ebbc91f991484e744e

SHA512
a72f7748375b61f4a7dfb7ac4c5c277c75410dbbabbfd0b6a61de52aacf6f2b3ec51bb05cbb69c15d07e208c154dd528a86feae1c8a566e709c021fe52dbf78c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
337KB

MD5
88fc7c9770b8b2ecc0a5dfb5d6a2194e

SHA1
a303c771bae2af3be5442b2ddce98f521b4b333d

SHA256
ebc10a8ca46f58e9d49ae09936ca00749b166e73442f8fd98c77f38ec70a5927

SHA512
fafad2f303cb04add836d89a7a42bcf1161f0c8cd201f0853e69f3a519d218eb8bbcfed9637eedbcfc099e34e9a6c25ab02354383ecc389f8f51e1a469a9c9a9

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
337KB

MD5
b7fe88fb16c32290d22b7d78669fbc71

SHA1
f1dac78de66e160e635c370f4b3130d20a00713f

SHA256
bc8f099d11006501581fca7016509a81e2379dd5e4e266b47fafe5f3b460249f

SHA512
bbb32d59606d6ca7a04d08663b59a0d7829c18b9ede93b23146969b848ab0d41c2224fb32ba2d676677753bdfedcc7d0e4db53ca9b7ad607b56aa5a5d8052563

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
337KB

MD5
6bd7a6ad281d435d2d8e28afac1f93b5

SHA1
b6cd6ab92df53577af314836af35c80081325679

SHA256
c5c953cc9c5731cf6cf7e2be0bead5b6c85dc0a591dff42279f99b81aaa6ec36

SHA512
fcab115a118f68c2c9a89b08c9bfe5ac14bdf092711eb6c68395b19c405b5d1b17a413526a27103c7d182205ae4d1b3cb34cce784a12c77c75797a1cfbdd6db6

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
337KB

MD5
4ba3c200bafcba47f4b0d6ee6276f7bb

SHA1
d0b078f54e37b2db2eb1811b3c661823a31cbb08

SHA256
591aeec4fdc3a30edcd1be8f12c5d3db839028a3e505239e46163d7f8dc17cdf

SHA512
ed33c196410211ba2c8324e02cafb857a725bd89e9d02c0e7a4a75e702a3a9c36f00932ddc8dc132f135a881d39623c415d2e0bcc6906530ae043709c069546d

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
337KB

MD5
4917179b20f4c232b0bdf250526172ab

SHA1
77803f45db2f6cc5ee39ae2bcb87b13e83430639

SHA256
9b7b48470f17cbd638d1357db563297444b331f4e5a5e9481c31468e992a8e23

SHA512
82168e14fc63da2375c895303be6003310e23183fe6ac72a1d0822628fbe539c35383a1d63f4cbe487551e1f4ee77240925a8d43bbceacfcd334f3e219dcb854

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
337KB

MD5
e703d23808330077dc64d50cdccadc46

SHA1
7aeb342daedb101272c6553aec24904bd9feafdb

SHA256
4acf19074a1be89898da29d8b7365753671b30b55953150d872a584ed8e1317d

SHA512
14577cb8643be528a83b74fabb4a38f3557841a11356958e4f9e7d91823bd110ff96075487c4229d96b4ae0924ca733a0492d5f0ccb3e06230e20f13927d4a14

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
337KB

MD5
daadac24e20e3191e5e3cbe8b3f757c2

SHA1
34be673610b630b6f301a60f7c2b7e411bd73a8a

SHA256
1f9284b75f7473294e8d9702ebce249fb698d1ee65defc3dd00869be0159e53d

SHA512
f1a0344f75cd2dadff6925b1579eecdfda3afae451c8fb5f88ca6f35c10899739dde8dc8290c8f7e98b641d47a488608ddbfb95fdffa94ad584df19d4ce79a4c

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
337KB

MD5
49c5e213edea15361a2ab03841192339

SHA1
848536f53a53e4e2db85f9dee1f763cba5fad867

SHA256
73405b0be357baa2c858ee8e8e741ab7123184334e5b0a7d443c15c9380151c6

SHA512
f60b74cf42cd24bc12520939488de0b95f13550b8c11075d3e17febc24fee17ca5ee49cd827b7c56890280d7e4db3e296c9c18ada4e0d60c51a921f27e48fbea

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
337KB

MD5
3fb58ce95f74d593b827b858f1fe02a9

SHA1
5fee4221b0e75f12ae69b2a1fe8e803955fdcfe9

SHA256
58ade87ff6fc1e779493e30b36ec6aa53f2c4f6fbf1411eee1347f662363d9fc

SHA512
0a99b92519fa525ac0af7b1d920f5d7d951cd36d13721acdaaef130d1d14ee7c4a82e67fc55d82772b507876614378bae3819d9b08bdf253bb7916a801ba1e53

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
337KB

MD5
9f098b57607124544f9daa58591aeb1e

SHA1
e08fb501172d08a0b24e6a00cf07628272f8fa57

SHA256
82569b1235fed89c3a2a1669e2105602b83949022290048e6b1949dc43624157

SHA512
d4be2c059b63931c10580ad2f2ec99112900ce23ed45b6c52073f7b57c1e3d5b068b5f8efa5831e8dc41f16b61eded9b717097fe1ce1627d3a56c3c5ecbae4c4

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
337KB

MD5
0f50121fde2bc6b826dfad2083e6cd0c

SHA1
6d11bd65b134b96bcf8a4c743c4133bee3470629

SHA256
a3a4928a6a04ac65863fe4416c306c18b22d108e4a140f0946d3ad4e71a637b2

SHA512
86bc941da9bf2ba0385fbbd95ebc62f0ad70612a1dc8e1900c62c0d25a136d7f5f251506ff42e38b6905c7d1dea4fb5e4d62c848c01fabfb627ec76600299cdc

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
337KB

MD5
5b5d7b72c8cb21ca51081699640899c0

SHA1
fd049914a3f2afdc00b333f5ce6a3e01286a17c4

SHA256
2f26c7ce157c5ed4db608d6b77b64a6a71fccb850ba09939a745921051b4f0c7

SHA512
f6d4bc2404405a1a20c792c14c45e021e90bfedc23a929f08e0132e0ecf7f641cab26c4004fdb379a6678cbfb3bc203d71b0c865d29b84d48d5505d4c16c299b

Download Submit
memory/376-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3232-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads