berbew | cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 02:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
Size

96KB
MD5

3c86429d516037222a8a991b7840ddc8
SHA1

1d770d200ba7368260576125982398a1b6e08fd2
SHA256

cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528
SHA512

4181f1a0754b35ad83c57c98415212e3ed9e9b9a7e98a749e798aff4ba304445f6823569c04f6031f5442c5cca022ecc2b6767c85ddcbd4198f9f66f215becb9
SSDEEP

1536:BYkMYEIlOLAAijX+fuf2LoNsBMu/HCmiDcg3MZRP3cEW3AE:aYEIn/jXiaa6miEo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklfll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balkchpi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 13 IoCs

pid	Process
2736	Balkchpi.exe
2876	Bdkgocpm.exe
2632	Blaopqpo.exe
2656	Bjdplm32.exe
264	Bejdiffp.exe
1588	Bhhpeafc.exe
2680	Baadng32.exe
1444	Cfnmfn32.exe
1592	Cilibi32.exe
2684	Cdanpb32.exe
2960	Cklfll32.exe
1752	Cddjebgb.exe
1660	Ceegmj32.exe

Loads dropped DLL 30 IoCs

pid	Process
2844	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
2844	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
2736	Balkchpi.exe
2736	Balkchpi.exe
2876	Bdkgocpm.exe
2876	Bdkgocpm.exe
2632	Blaopqpo.exe
2632	Blaopqpo.exe
2656	Bjdplm32.exe
2656	Bjdplm32.exe
264	Bejdiffp.exe
264	Bejdiffp.exe
1588	Bhhpeafc.exe
1588	Bhhpeafc.exe
2680	Baadng32.exe
2680	Baadng32.exe
1444	Cfnmfn32.exe
1444	Cfnmfn32.exe
1592	Cilibi32.exe
1592	Cilibi32.exe
2684	Cdanpb32.exe
2684	Cdanpb32.exe
2960	Cklfll32.exe
2960	Cklfll32.exe
1752	Cddjebgb.exe
1752	Cddjebgb.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Aincgi32.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Aheefb32.dll	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Cdanpb32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Cdanpb32.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Cklfll32.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	Cklfll32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cklfll32.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3004	1660	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cddjebgb.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2736	2844	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe	30
PID 2844 wrote to memory of 2736	2844	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe	30
PID 2844 wrote to memory of 2736	2844	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe	30
PID 2844 wrote to memory of 2736	2844	cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe	30
PID 2736 wrote to memory of 2876	2736	Balkchpi.exe	31
PID 2736 wrote to memory of 2876	2736	Balkchpi.exe	31
PID 2736 wrote to memory of 2876	2736	Balkchpi.exe	31
PID 2736 wrote to memory of 2876	2736	Balkchpi.exe	31
PID 2876 wrote to memory of 2632	2876	Bdkgocpm.exe	32
PID 2876 wrote to memory of 2632	2876	Bdkgocpm.exe	32
PID 2876 wrote to memory of 2632	2876	Bdkgocpm.exe	32
PID 2876 wrote to memory of 2632	2876	Bdkgocpm.exe	32
PID 2632 wrote to memory of 2656	2632	Blaopqpo.exe	33
PID 2632 wrote to memory of 2656	2632	Blaopqpo.exe	33
PID 2632 wrote to memory of 2656	2632	Blaopqpo.exe	33
PID 2632 wrote to memory of 2656	2632	Blaopqpo.exe	33
PID 2656 wrote to memory of 264	2656	Bjdplm32.exe	34
PID 2656 wrote to memory of 264	2656	Bjdplm32.exe	34
PID 2656 wrote to memory of 264	2656	Bjdplm32.exe	34
PID 2656 wrote to memory of 264	2656	Bjdplm32.exe	34
PID 264 wrote to memory of 1588	264	Bejdiffp.exe	35
PID 264 wrote to memory of 1588	264	Bejdiffp.exe	35
PID 264 wrote to memory of 1588	264	Bejdiffp.exe	35
PID 264 wrote to memory of 1588	264	Bejdiffp.exe	35
PID 1588 wrote to memory of 2680	1588	Bhhpeafc.exe	36
PID 1588 wrote to memory of 2680	1588	Bhhpeafc.exe	36
PID 1588 wrote to memory of 2680	1588	Bhhpeafc.exe	36
PID 1588 wrote to memory of 2680	1588	Bhhpeafc.exe	36
PID 2680 wrote to memory of 1444	2680	Baadng32.exe	37
PID 2680 wrote to memory of 1444	2680	Baadng32.exe	37
PID 2680 wrote to memory of 1444	2680	Baadng32.exe	37
PID 2680 wrote to memory of 1444	2680	Baadng32.exe	37
PID 1444 wrote to memory of 1592	1444	Cfnmfn32.exe	38
PID 1444 wrote to memory of 1592	1444	Cfnmfn32.exe	38
PID 1444 wrote to memory of 1592	1444	Cfnmfn32.exe	38
PID 1444 wrote to memory of 1592	1444	Cfnmfn32.exe	38
PID 1592 wrote to memory of 2684	1592	Cilibi32.exe	39
PID 1592 wrote to memory of 2684	1592	Cilibi32.exe	39
PID 1592 wrote to memory of 2684	1592	Cilibi32.exe	39
PID 1592 wrote to memory of 2684	1592	Cilibi32.exe	39
PID 2684 wrote to memory of 2960	2684	Cdanpb32.exe	40
PID 2684 wrote to memory of 2960	2684	Cdanpb32.exe	40
PID 2684 wrote to memory of 2960	2684	Cdanpb32.exe	40
PID 2684 wrote to memory of 2960	2684	Cdanpb32.exe	40
PID 2960 wrote to memory of 1752	2960	Cklfll32.exe	41
PID 2960 wrote to memory of 1752	2960	Cklfll32.exe	41
PID 2960 wrote to memory of 1752	2960	Cklfll32.exe	41
PID 2960 wrote to memory of 1752	2960	Cklfll32.exe	41
PID 1752 wrote to memory of 1660	1752	Cddjebgb.exe	42
PID 1752 wrote to memory of 1660	1752	Cddjebgb.exe	42
PID 1752 wrote to memory of 1660	1752	Cddjebgb.exe	42
PID 1752 wrote to memory of 1660	1752	Cddjebgb.exe	42
PID 1660 wrote to memory of 3004	1660	Ceegmj32.exe	43
PID 1660 wrote to memory of 3004	1660	Ceegmj32.exe	43
PID 1660 wrote to memory of 3004	1660	Ceegmj32.exe	43
PID 1660 wrote to memory of 3004	1660	Ceegmj32.exe	43

C:\Users\Admin\AppData\Local\Temp\cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe
"C:\Users\Admin\AppData\Local\Temp\cc10139e9fcd586344dd2b68cbf4dc0d342e886a89706013d0893f4f89b42528.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\Balkchpi.exe
  C:\Windows\system32\Balkchpi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Bdkgocpm.exe
    C:\Windows\system32\Bdkgocpm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\Blaopqpo.exe
      C:\Windows\system32\Blaopqpo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 140
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
96KB

MD5
5b327fa9adb7f5d91e5cdbe90fb412b9

SHA1
8d1ae6ddcb6499e5c43c549d73a670a06efe4dd9

SHA256
95f19614e43594840b6f7cb7e1cf774d74e434c257990e48d909e5091d387b14

SHA512
410f1c8bae86b0b966afca1f59ba4d1d6967f03fc8dd09ee5513ae752d8a295f8399ea06e36c2baa10ae10ab941f352c3c5f23bcde1f5ff2eaa1232ac6f303a2

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
96KB

MD5
9d2dac7001286c713864f8c4d7688563

SHA1
314d0549c0467e38d9acbaff3a7217b1705c6e0d

SHA256
43bbd0ed994529d1a55c8bfc6d9842cd4e95db614a30c30ca7828686a55c9d0a

SHA512
5ea388043e655d1c4969d267ea821948a7e8c0b2fc15469e2cefa2709a45b8a2adee7c7a4316a83ae912d824866fc4996297bd021dd6381fca343de2db2c08ff

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
96KB

MD5
9327b636d7085b169eca526583e5e379

SHA1
0827fd7f638698a2919e6aa0500c4a556392501b

SHA256
4fac2a3504cb6669cf88b91ae013f230153620a00463422ddc9b78d5f1817c14

SHA512
ae954fe731395642ba74f802b5b9f83761f182052f65441b9d97ea937f3d3c6952910736da8741d9861cee97dc80ed4d9172a67a13bb3e97f8b529062ca93d83

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
96KB

MD5
6598437b033c1e66181348ca0acd154b

SHA1
5106babc6c980900f5cf02c1b58208b367576042

SHA256
de1c92c50c64034a4c2ef4a773bc6346de8eafe946966005f384b19e5655dc96

SHA512
61123df946c7c6644f3c53c246b9cc4f5b4ac9d89fe997e2ded189aff2a6344c9228d49e441189393a9d4ff5eb2b2520c93bf070a09c965fd0610084a2001aba

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
96KB

MD5
4853ba0d50cc56bb360cc0ba05d20215

SHA1
f690630cefb25d0f442b9ed368d8b6fd7291c18b

SHA256
6c45fdd5e3947bb2e5fe7ea0f034cbc8a5dbcca917d260a1952a2f5325d5a190

SHA512
509f15298f726092454e07374d52eed54ef4a6bf6dd22fb3829d5374a58bcc0163f366df5e60609a52d9225c30f7ac10371db1e318434e3c785845037dc34b21

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
96KB

MD5
d17f164ad0e767b0e6ae1977a601df00

SHA1
d66239d04f7f11a58c29aef3b32acb69c09159c5

SHA256
567e763cb901853ad72fdb516d9c3b5a5597e0fa98a62a4909ba149ee4109f00

SHA512
fd7fb82fca3aa2b05fd6650f2994d975cd4e7a5c0dc62f1f627404cda11e16f1ebd41f2f8bfa4a56c69675d87dd28080d6f463dc567f3e36754c0c2abb41073d

Download Submit
\Windows\SysWOW64\Baadng32.exe

Filesize
96KB

MD5
eb3e0b8c75c16403ef0e78aa02d5ca72

SHA1
e604c78544b06f363ff2586ab909138b8304db6a

SHA256
48576dd5b1b5d6634e604766a17f39035aef9c1eec026c7ad7f956b80982c95b

SHA512
7325947ab210111cf0b4034d1d75ea2f4f5bb5c1ead9e8e694a8df66466a60c9ba13636a1cba52cfa82b6ddd5d178174d4c3c866ef3be0caf14b50b29ed06ac0

Download Submit
\Windows\SysWOW64\Balkchpi.exe

Filesize
96KB

MD5
395087f901f6e4a60fcb7fa11cc301da

SHA1
c0f064aa4c7cfa88c3178fc1ba680fb32db7cba3

SHA256
3f496e0a9f9929ed4f21bb60fbda168f00fb0a67afb8c1a931f03b30148fa942

SHA512
de76dfad932f3d874628edec28c1a9934fdefd30babe4feca19658be647982431cdb40e3c250fe1341d840985da83345639896a28021cb6d6049e58a6edb13f9

Download Submit
\Windows\SysWOW64\Bhhpeafc.exe

Filesize
96KB

MD5
b7401bcadf110a921677befa97461649

SHA1
11877459667fe46f3587742ce29253e29825cfa4

SHA256
03270d26d342a6f53f79ba5991ad833f2901fc1fae4732950f88b0bed81d0b6c

SHA512
dd5d8778e96c0a44fbf63cab013cbd05ca3ea8172512498cd212f110cf03e6f8fd6efb91f67d779856467cd267f3c281f10e9a0519ae2a18b538a5978214573e

Download Submit
\Windows\SysWOW64\Cdanpb32.exe

Filesize
96KB

MD5
6a2e0afd950f5ca3b0108e3f304477c0

SHA1
287b8235a8b855962cf7cce611a00987ab3020f8

SHA256
4209385878154bf93c0cbf2bf1929d655c0a888420dfe29b1699bbc40a05d5d8

SHA512
06fa773b07bf637a12fdd4599ecef77608117d14ca2d9dbb1984a6f402db8eb371f4744ea75dd3999034ad5d4c8aa4493534daee115a544ca7f659a8456ee907

Download Submit
\Windows\SysWOW64\Cddjebgb.exe

Filesize
96KB

MD5
b4d8c8444b40d8ce349cccdd6804a14b

SHA1
16ccfb4993fb30b6a9cf0d08e8a8f64fbd2c7f3c

SHA256
4b5c47f26e281d480675d3ba72bdd01bd7552832c7123f29681dc1eed8432a52

SHA512
ec29036bcec3bc1c9607995e2deaf2071ef04e7ff29879e605c6e2ae8267eeced32f1be709e494ae3b5b0e56fd49727a2b59d4c29b0aa0b2706b99c2308d096a

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
96KB

MD5
5d9a37f9537f071e7f0bc04b282e520d

SHA1
e00b57c21b34d4afa19d29a1ca1c14010706457b

SHA256
e24a5d4893cea21bd651f2583905052588d6da0e68a7f5b5c76ee9dd44ae2262

SHA512
a0a4838c4aaa581fa85412180ed79526943b6bb1ebf049a1a1aa88ca16a4eb9f1a7dac6bfe61853970fe968ee093a4dcf41a6f5519519edbdd7cefccde16497b

Download Submit
\Windows\SysWOW64\Cklfll32.exe

Filesize
96KB

MD5
6ff07f0d6b1a8f9e4419ef1e16f9134b

SHA1
e3355a776d8b5c675bce53f7789b02d84f886370

SHA256
7354aeb372305da66c49d74126e709dac5daf7e7fdec5e7f76dad9b9d806ed36

SHA512
6dd2eb0cee3fd57d096e30874abd1fc980a15c55be6dc67861ca695a6c7dc008ff9a00977a87f14b93ed816e5751b0abfce12d361e64eb3969a3f65339aca68d

Download Submit
memory/264-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/264-78-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/264-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-168-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1752-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-57-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2656-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-68-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2656-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-106-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2680-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2844-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2844-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-155-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2960-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads