berbew | cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddc

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
Size

78KB
MD5

aa923b53cf359d664db6a18bf6b17540
SHA1

03bd10d5086d242a9fbfa776f6ab5c742b08fa16
SHA256

cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddc
SHA512

70dd1d7a9c68d48351083c3207f48295ba2f68f7e7e5328340ecb1c6e98cae8b7a854575131f890d76933f052faae7a30398af222fc16252961cb1d4a2683342
SSDEEP

1536:ORnEdEa25dS18PVDuRYxC0VpiV/N+zL20gJi1i+:OpsEa2A1YVDaOCgiV/gzL20WK9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 14 IoCs

pid	Process
4572	Cnffqf32.exe
2736	Ceqnmpfo.exe
532	Cfbkeh32.exe
3572	Cfdhkhjj.exe
3608	Ceehho32.exe
2124	Cnnlaehj.exe
4928	Dhfajjoj.exe
1900	Danecp32.exe
448	Dfknkg32.exe
700	Daqbip32.exe
1552	Dkifae32.exe
4040	Ddakjkqi.exe
4748	Dgbdlf32.exe
5040	Dmllipeg.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2028	5040	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4572	4588	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe	83
PID 4588 wrote to memory of 4572	4588	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe	83
PID 4588 wrote to memory of 4572	4588	cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe	83
PID 4572 wrote to memory of 2736	4572	Cnffqf32.exe	84
PID 4572 wrote to memory of 2736	4572	Cnffqf32.exe	84
PID 4572 wrote to memory of 2736	4572	Cnffqf32.exe	84
PID 2736 wrote to memory of 532	2736	Ceqnmpfo.exe	85
PID 2736 wrote to memory of 532	2736	Ceqnmpfo.exe	85
PID 2736 wrote to memory of 532	2736	Ceqnmpfo.exe	85
PID 532 wrote to memory of 3572	532	Cfbkeh32.exe	86
PID 532 wrote to memory of 3572	532	Cfbkeh32.exe	86
PID 532 wrote to memory of 3572	532	Cfbkeh32.exe	86
PID 3572 wrote to memory of 3608	3572	Cfdhkhjj.exe	87
PID 3572 wrote to memory of 3608	3572	Cfdhkhjj.exe	87
PID 3572 wrote to memory of 3608	3572	Cfdhkhjj.exe	87
PID 3608 wrote to memory of 2124	3608	Ceehho32.exe	88
PID 3608 wrote to memory of 2124	3608	Ceehho32.exe	88
PID 3608 wrote to memory of 2124	3608	Ceehho32.exe	88
PID 2124 wrote to memory of 4928	2124	Cnnlaehj.exe	89
PID 2124 wrote to memory of 4928	2124	Cnnlaehj.exe	89
PID 2124 wrote to memory of 4928	2124	Cnnlaehj.exe	89
PID 4928 wrote to memory of 1900	4928	Dhfajjoj.exe	90
PID 4928 wrote to memory of 1900	4928	Dhfajjoj.exe	90
PID 4928 wrote to memory of 1900	4928	Dhfajjoj.exe	90
PID 1900 wrote to memory of 448	1900	Danecp32.exe	92
PID 1900 wrote to memory of 448	1900	Danecp32.exe	92
PID 1900 wrote to memory of 448	1900	Danecp32.exe	92
PID 448 wrote to memory of 700	448	Dfknkg32.exe	93
PID 448 wrote to memory of 700	448	Dfknkg32.exe	93
PID 448 wrote to memory of 700	448	Dfknkg32.exe	93
PID 700 wrote to memory of 1552	700	Daqbip32.exe	94
PID 700 wrote to memory of 1552	700	Daqbip32.exe	94
PID 700 wrote to memory of 1552	700	Daqbip32.exe	94
PID 1552 wrote to memory of 4040	1552	Dkifae32.exe	95
PID 1552 wrote to memory of 4040	1552	Dkifae32.exe	95
PID 1552 wrote to memory of 4040	1552	Dkifae32.exe	95
PID 4040 wrote to memory of 4748	4040	Ddakjkqi.exe	96
PID 4040 wrote to memory of 4748	4040	Ddakjkqi.exe	96
PID 4040 wrote to memory of 4748	4040	Ddakjkqi.exe	96
PID 4748 wrote to memory of 5040	4748	Dgbdlf32.exe	97
PID 4748 wrote to memory of 5040	4748	Dgbdlf32.exe	97
PID 4748 wrote to memory of 5040	4748	Dgbdlf32.exe	97

C:\Users\Admin\AppData\Local\Temp\cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe
"C:\Users\Admin\AppData\Local\Temp\cc5b4604932d0d2538f1c6c7e419c7f7ef80c80af5bc7203a9ee99407a97dddcN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\Cnffqf32.exe
  C:\Windows\system32\Cnffqf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\Ceqnmpfo.exe
    C:\Windows\system32\Ceqnmpfo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\Cfbkeh32.exe
      C:\Windows\system32\Cfbkeh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:532
    - - C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 396
        16⤵
        Program crash
        
        PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5040 -ip 5040
1⤵
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceehho32.exe

Filesize
78KB

MD5
236f13cf818a048a303d9031ef3a2b40

SHA1
83fa285047834a861c8f96066f1d51eca5e61a86

SHA256
a7675643c357141a3d8d2d5b454393bc923742e34fdbc2a528aaed46597b2e7f

SHA512
9a020f387d2f99cb322a55119b2708f5ff0496a1010bff13a21f1a275386979698acadf8f4f9e798062205ba15476d90d4c497043d7ca2f10380b2644f9b8272

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
78KB

MD5
aa8c51996e2a93e4c4646ea09378ad54

SHA1
b7a9d0c89c24e0e042caee9d76492923c11b019d

SHA256
93b55122982e75c7b8ccf3ce483d177f3ea73f3f3e6b4120bf6364862a682056

SHA512
cdebd46a4af80e4c64a33c2ecdd480d5e755fb72e8848424dfc510ce2475681993ad53e6a1b3d8147ed0875ecb726c259585b2692364a1c42588daf4d6e020af

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
78KB

MD5
00d01315e390a880200a42714d5bca5b

SHA1
c7d220cf1c7b1bd4cd5b74aa537f392cd9f6d508

SHA256
eacdee72e499724ec59362476398dc28ef811cd2f1c007764543a4391927db8d

SHA512
e645cc7c78012f995c8283029d7d8ea375deb48823c2ecdd5e138d1e5b117fe1a8b7bc7784db4fc675e58c434f768e8a2a5bbc70e29c056221118d84c4f7357e

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
78KB

MD5
1488edc397a5ea4fcadd555a85d4bbfb

SHA1
eb353f6a6b9c80fa186e1e0b027b6a327583d5e6

SHA256
d61d4d480ea58f3684c4bd6fa3975198b0e17419be9bbc895f4243287e299bb5

SHA512
5961f62ff70480d5ee66d6c16632e2301c872455591286a13addd61e61e7426a18b5c15cdc66c8a2b01b871428077652049f9bfcf7b145ac10505726433cd7d2

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
78KB

MD5
39583443111f6d55fcdb3db65b65105d

SHA1
35224c78047243c513ff9fd450c8f44bdd1eb112

SHA256
64a829063b9649c09c7d7b200c550fdc074f120f20cb8ffbe752e2662e6a4bbd

SHA512
af068a270574894ef64e525d252c39bcdceef4b784d9ace1bc94a804e622e32a705acf18b04abe3c65166fae96c88f75a5f5f77b16a9997bf93a5a2da6c114f8

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
78KB

MD5
01d98a1ac324fe4d27de5ceb56ca700a

SHA1
635a899458e0ed81bff4ef40847d47cdd0cbae81

SHA256
edcb54c91e8f07476a0b5025e3ec49cff2fd0c0bb38c25fd0d87d9b3313389f9

SHA512
ee9348d7e33b3e0766c6ed9247e672bdae581bcaaf8deb9bf311d65edc579e4c53dfd26b70a8d46b03298f85264879709311f213836ff4f161bd65507d709b47

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
78KB

MD5
4476094790dd9007b1a0cd9f7e378101

SHA1
4e0f288d6eb08298358af72d6a2dc7c3326cd229

SHA256
dc8989b5d3a8a7066c4ae02a3a7326f2bc05aff4e308b6c2cd50380fe0bdf6fa

SHA512
fd3efb14c896d29ab16e29b2129051e6f418ec965eaa2f67771da259b7f6324e613a1ebca52bd45664fe207bcb75bd81e784a31873b7ef3403ed91a8a453b586

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
78KB

MD5
db4b6dacd679e2537182e2a8d5476f66

SHA1
ee011401a507e47e306d40ea0a685760ad2256f3

SHA256
62d9281e22de50adb0dcd02253eca4d6b124a3863f89f68d03d27aaff93a4b98

SHA512
999bcf8f418100c09adf0badd6ea4ce1a3060cc027dee85b44d19ea7cbf703e17caaeb4470c80c59e1eb2f890af449ccbe7d133138606e878424e8a474e5811e

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
78KB

MD5
93c219f44c80a1e73439c1e00d2ef07d

SHA1
f9237e50537f4c1246cedb656900418c409b257d

SHA256
c06bf1d12a333ae1a783b7a4544e46883d203048ceaa10cd6baa7c6452f7d467

SHA512
6df77e9208a8f4b64d7f98f555ae33cc7a0d0bee3e0069a289f53e88e13529b20e2a15669ebb9d7b886315352596569c663cdd504cb17de1c4293bee5599a807

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
78KB

MD5
897cb0cb683bd52719638dbbd9f1cb26

SHA1
3e32804f655b33c6140213589b9f4d0f5adc9246

SHA256
d0e3329998727b5e64024a4309bb5ffbf55fa0dca55a6a3182e7b1cdfd950e3a

SHA512
426fe5f504f824be88657defd1d345c89381379a4fab98c674c2b72478c2faa4e68b5ae959623e586f28b5cbf42aabdcf7a57027a462e1014e58dae91af7eca7

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
78KB

MD5
3180ae36a73775e49f3962b62a189458

SHA1
9cf606684c712d8f0a737154f5e70024cd1bc8e2

SHA256
7cc1fc66174f99e65315cd52d0b3c8e5c079b2250654947621fc58723703d954

SHA512
b832de4c50caf4150400500ad655a41dd69e311560cd9ba8563f98e76c2e37dd9bb5c2c50969d3d38a879741865a0a9d2a70a705aa9b7677464191ac74535ed9

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
78KB

MD5
65b7549834e9a38a6f1e910ff354a9c6

SHA1
2b2d42c3ae7353eb9e0f98642f3a61213dbcff88

SHA256
8347a75adff27aa45ccb9cb87a33bb00f245b445167ebeaab6c74e5ad5e5c204

SHA512
9b2d576b7fd4092d0fc1dfe9e96b5ce45e558e3f809fd0e7b1ffd6e4ab6703b2a2abda731e6d35b67b2ef5abdfba5bb85c381dc8a11b1ba5bc9fd12fe6bf276c

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
78KB

MD5
b185fba8da3cb5353812f5c221c65030

SHA1
c97fb6aa2e827c0d8d0cf62e765f6efa59885a44

SHA256
29d8ea2b4dc8fa2a0803a56a10ed3990843572bf7dbdaf34205156db1a787d81

SHA512
e48ff4783cca0da0f6d4e89862107f9de15847c6c6c171302ce7d88e25ff9a379aa4cb80bc4a7e36f8c06a8c17454d9978200141beec1298e4486e3f06798e4c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
78KB

MD5
7a020442d8776dc1ca36a172647e8fa6

SHA1
a695d4a02eea9014e8239031f555f0247ace3be3

SHA256
988b86653bb19b454ca42761480445026784237f7228ae6123f83bd8411ce0b0

SHA512
1af4f7f57495f9c0f76223241bee442357e5d55182cc5fefb9a0dfeac9f783f8ea433597761eddcbde3bec9e269f377c8e9e775ab07bf9dd1cace048c3626b0a

Download Submit
memory/448-123-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/448-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/700-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/700-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1900-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1900-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2124-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2124-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3572-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3572-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4588-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4588-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4588-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4928-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4928-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads