berbew | eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118

Analysis

max time kernel
97s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
Size

302KB
MD5

e0b0385abeb85144d5bafba1cce4cb31
SHA1

2a5b65f4dbb0ec0db1c9aa15728a9d50396ce1e9
SHA256

eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118
SHA512

a1dba4396689fda9dae2ce28a4a8010950b3976f0aa854672f74f316d3bb76d74100c59b447b6827f771bccaa790f531c5147f0d87ed39d7bbeea54906c305f3
SSDEEP

6144:c4/OuMM3FF7fPtcsw6UJZqktbOUqCTGepXgbWHz:7WuD3FF7fFcsw6UJZqktbDqCTGepXgbo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 14 IoCs

pid	Process
4196	Cajlhqjp.exe
1360	Ceehho32.exe
3096	Cmqmma32.exe
2340	Ddjejl32.exe
2848	Djdmffnn.exe
1432	Dejacond.exe
116	Djgjlelk.exe
2692	Delnin32.exe
3472	Dfnjafap.exe
3552	Dmgbnq32.exe
3008	Deokon32.exe
3740	Dmjocp32.exe
2120	Dgbdlf32.exe
756	Dmllipeg.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3304	756	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4196	3496	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe	82
PID 3496 wrote to memory of 4196	3496	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe	82
PID 3496 wrote to memory of 4196	3496	eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe	82
PID 4196 wrote to memory of 1360	4196	Cajlhqjp.exe	83
PID 4196 wrote to memory of 1360	4196	Cajlhqjp.exe	83
PID 4196 wrote to memory of 1360	4196	Cajlhqjp.exe	83
PID 1360 wrote to memory of 3096	1360	Ceehho32.exe	84
PID 1360 wrote to memory of 3096	1360	Ceehho32.exe	84
PID 1360 wrote to memory of 3096	1360	Ceehho32.exe	84
PID 3096 wrote to memory of 2340	3096	Cmqmma32.exe	85
PID 3096 wrote to memory of 2340	3096	Cmqmma32.exe	85
PID 3096 wrote to memory of 2340	3096	Cmqmma32.exe	85
PID 2340 wrote to memory of 2848	2340	Ddjejl32.exe	86
PID 2340 wrote to memory of 2848	2340	Ddjejl32.exe	86
PID 2340 wrote to memory of 2848	2340	Ddjejl32.exe	86
PID 2848 wrote to memory of 1432	2848	Djdmffnn.exe	87
PID 2848 wrote to memory of 1432	2848	Djdmffnn.exe	87
PID 2848 wrote to memory of 1432	2848	Djdmffnn.exe	87
PID 1432 wrote to memory of 116	1432	Dejacond.exe	88
PID 1432 wrote to memory of 116	1432	Dejacond.exe	88
PID 1432 wrote to memory of 116	1432	Dejacond.exe	88
PID 116 wrote to memory of 2692	116	Djgjlelk.exe	89
PID 116 wrote to memory of 2692	116	Djgjlelk.exe	89
PID 116 wrote to memory of 2692	116	Djgjlelk.exe	89
PID 2692 wrote to memory of 3472	2692	Delnin32.exe	90
PID 2692 wrote to memory of 3472	2692	Delnin32.exe	90
PID 2692 wrote to memory of 3472	2692	Delnin32.exe	90
PID 3472 wrote to memory of 3552	3472	Dfnjafap.exe	91
PID 3472 wrote to memory of 3552	3472	Dfnjafap.exe	91
PID 3472 wrote to memory of 3552	3472	Dfnjafap.exe	91
PID 3552 wrote to memory of 3008	3552	Dmgbnq32.exe	92
PID 3552 wrote to memory of 3008	3552	Dmgbnq32.exe	92
PID 3552 wrote to memory of 3008	3552	Dmgbnq32.exe	92
PID 3008 wrote to memory of 3740	3008	Deokon32.exe	93
PID 3008 wrote to memory of 3740	3008	Deokon32.exe	93
PID 3008 wrote to memory of 3740	3008	Deokon32.exe	93
PID 3740 wrote to memory of 2120	3740	Dmjocp32.exe	94
PID 3740 wrote to memory of 2120	3740	Dmjocp32.exe	94
PID 3740 wrote to memory of 2120	3740	Dmjocp32.exe	94
PID 2120 wrote to memory of 756	2120	Dgbdlf32.exe	95
PID 2120 wrote to memory of 756	2120	Dgbdlf32.exe	95
PID 2120 wrote to memory of 756	2120	Dgbdlf32.exe	95

C:\Users\Admin\AppData\Local\Temp\eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe
"C:\Users\Admin\AppData\Local\Temp\eb3804d02f1aab7d0867a907758d5eacf8606a70ad8e8601e0fb136cd38c0118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\Cajlhqjp.exe
  C:\Windows\system32\Cajlhqjp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\Ceehho32.exe
    C:\Windows\system32\Ceehho32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\Cmqmma32.exe
      C:\Windows\system32\Cmqmma32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 416
        16⤵
        Program crash
        
        PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 756 -ip 756
1⤵
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
302KB

MD5
7a0165df46ae11ccca8d6cbf5a88573e

SHA1
3be3decf4cd8ffe8374a820b910aba43fb301339

SHA256
63e5324daeaba8e80482df2645cec37a11ea17201fb9f3d5ce4ff80dc5dff2f2

SHA512
fec5b7906837ae760c9e6d98bb69c7e28e8baf64f9cfb740a3058745b6ee399b2a914fac216592e92b0eccd0917a9c31bc2ef6be566443af3325d26f94fb27ec

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
302KB

MD5
426f3ede43f00409c804397db7f2c2ca

SHA1
6a039673c20876b84003c4ab0d6ef2ab5dd6df90

SHA256
b61be2eedbebac4d8807b529e48128af8e32b1e6f71baa80ebb49b4c922eb884

SHA512
c0b0d633ede99d02dd5db7e1f9fe7d109cf8ceb2ed251e08ce36f63b0e9ebb1409dc356871763c0a6cfd0fe6b8577edefa0fd9c567a520de1d564fa4ea25dae3

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
302KB

MD5
c98836d0513e631779ebfa68b5ff17ad

SHA1
b737c7af494a4763a3929060f9c349976744b4e5

SHA256
9f48dd98bec7a7baf1c9c57318923a72511b8c2956c6e91187a748b4d978b371

SHA512
35ce9100f4b37d9add5831a7de19350d9746168609bcda8c5e73c7347654d4b6fdcbb70ba2680690fd3a547ff7053363466a2a66c6553c35501fcc560640b322

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
302KB

MD5
f628cac344f16e26a8cef245322f7ebb

SHA1
56b085cc21c94b25fcebbc96f4804690cdb2a3f1

SHA256
dd1467640728bd289475f42359ebf4b406acd7b3d16df73538f0db3983c01462

SHA512
2eda11c14b3a5f56af5f7f29e4ef1a4040ec081485e1d4790374ba7ec43a2a1c37087f672a3c94316ba49932247fa4a6c16c3c9530201239fbd9e67f1c83e22d

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
302KB

MD5
aa7c862a4f59888e9074c10cc1816069

SHA1
7ae17e72ace49b8acbafb7823aad1ead80d01392

SHA256
e08deff46ee0cc9246848c603dba443fc1c81f688b836cff4172619833dea046

SHA512
b93c2b09127a35e5bde240f265111b890e44182c5799c4193886dc95f9cfebc06fb1fccb575f9125fb002342fdbe6fbabcda93e6ac4a53b7e01518d5c70487cc

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
302KB

MD5
bf4138dddc248e9a27317e974e3e2721

SHA1
5df1a53815ca188fa90c29d366998606cfcbeea1

SHA256
00dd76e7c0c5a3f47c0504a11874a0217e11fd5419159583701e61a171ca61fb

SHA512
37b473c6e5f3aaee1e6fb8b8b83ed0995167e3c3daefa4f7848c8dd6c0401f85658432e2bc05cfc0a581c4bf72f3c39c3135a0ee7e7108bfd6db7f0d9a6851a0

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
302KB

MD5
c0fd40d2e61cb4240fc34b96d2a6ebb6

SHA1
04ece645d265d40cedd84c7ffa1de6bfde252d77

SHA256
2022c97a960a62b80bb7dab3cc7cfc83f7c228998f11c4474726569c8ea6a30c

SHA512
9f00fb1652206feaa95bfb1a9d073f4bd1a38ec9d3db2686c8a98a2766fc241e8f37f26c2a40e65ca788c8439ab1bdfa642af3f13ae43b18bfdd65fa309b92a8

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
302KB

MD5
531acc2e6ce524d98ed658296e146a6a

SHA1
fe51d22373cbcee7c8fe866763d64838dd2f6e77

SHA256
a2f5475bbe391433f3d59c6f1569d6c00c4d04d194d9a22e7635a0691022c45c

SHA512
2681cccf5a0ce2379c184a6e211087c20e8469660ec6453770d2af7ff481f75646eab18a378becbc71a93639ee2d7ab5f5606b1b69a4de12eee986dcd5b5df6f

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
302KB

MD5
17401df9d4f9243bba793b420660f16a

SHA1
82d19a8fa4ca16381a4d67df041a0001e37c3295

SHA256
7b0faac85100a3e5c6fd706db57a729049a2cc30bb43fdfdae7a8380971662eb

SHA512
3660fd5385e13c85da58d280acd57b8104425a5c4c3e79cf982b910648ef278057b400fca80f8820307ba3682dd243342aed4510c0ecc85daed67f9b6a879e6f

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
302KB

MD5
64bad3bce4386518c590cc38b8196abe

SHA1
2dc658911bc9f1dc18dd3d885f35ab815130b5c6

SHA256
1725244512e3fad941a4ddc554667c45ceb174d9d84c6c5fe4742763778e392c

SHA512
35df8ab608544fbe9d8f0319cbb037f44dc89b9d0e3677a068482407ddcbe5d89c5a928c25dc6de8e443ff7802e7356fb2c6eaf6a414c44b36c71476d41390f9

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
302KB

MD5
1b6fbcf5a152931089083a3117fd6736

SHA1
6d4ad3bd00261c4344ea937664cc5414ddaf225b

SHA256
dc33da3f4efab610e46f13bf7feaa704326df5b9c7bce46a672d0ccdc72130bb

SHA512
7ef0bd328cca92d509c6f53649f4e7515b4fffcdab2745407ca533b4142f17a755f4645e2ac5f03e7778143caba1a6d417e785a6e601413f02a5a06b96180d29

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
302KB

MD5
905e370985785d67fb29046e779904c6

SHA1
acc57f46a4da1fdca115bafcc9106cc302976fbe

SHA256
f4e79d305e47040bed7391d5c85a0668dbf056a80b3580c3533c225e9cedadbe

SHA512
0fb0bca90102b1261d9e8cb7d79406c0e07b247e530298dfcda8e3c3f5869d941869edda081cf454ab2a20c5a0271c13ad8356fb10c7f9ca2ba46f83ef8dd364

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
302KB

MD5
a9ceccff39d84ea963f7f3d63cb8fdb7

SHA1
daab78f93519d05915c81fd30e44b8dee866c2e9

SHA256
fd278a6ae62679fcddd813b2ff24788e1b7394594512e74e874a30af5057712e

SHA512
0fd35414b6fefc187b9c45d92a6a1ce410fb176adcf9cacd72ab076712a4e3fe201853fcd643d1f0681c9b6cdbbd2112e42c234a40d0cb705c4728de7dcbdc5c

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
192KB

MD5
6ad919a52fd63628489a54c471e8a7e6

SHA1
a0f6759ff975e8da8536f50e502be64518336b91

SHA256
144085e88f049e22264a13f9f476915a08c67e43794de2b6dc948dda85271188

SHA512
f03daed5fcae23034acc90ab44c80c48ddd1dba7d75f042a3dedcd111568dffd981e5264aa3d5d63be7e0413ac0606fc7823173ec0c7f1f9a946f1cdab384afe

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
302KB

MD5
7ae1bc3135a401511664904cb8c3e63e

SHA1
d24c9f8bd11362acc1fd5168e5ee21f628e00eef

SHA256
7cc07359ff59c29f75fc3f4abe56893db568f12023039ece440dd6b7855b6f45

SHA512
a7bafd75b3209c3c5a886994431c9ed3369cf8671f0926b32f53b410256037192f222c248675e4357bddcb16bb10bdca5d6d8f010f55a0bf06f9947ef1b2e5fa

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
302KB

MD5
99f885b923a97e142dc348a128fde67d

SHA1
94122de3b60a829f52df740213a77fc8ed2c9a4b

SHA256
1c9f37d3d8ecfedb656c289351ef4180b2d657b96a922be1ef91c1aaee4b609d

SHA512
0203fb00fe00ce556c9e54d45f7735f47abdf290e915f79105e5b590de34e7787208ff63e704f6fbfe474bed1f63c51e61d950561a03a013971fc25024cc8e73

Download Submit
C:\Windows\SysWOW64\Hdhpgj32.dll

Filesize
7KB

MD5
2bda381eb257f161804efe2cc7deb0a0

SHA1
0ad1483173982418331a91fba086f215064bc533

SHA256
000aa33f45433ea8efd25b960bec241b2e7fafdc9f9e59930f7719942c7ab1aa

SHA512
8ae4d715dd6159a5a75241dc12cd2e4528f93fa96da24100ae2c51fc50346d21c1afa74f0bd1b2da3d00a55839d238949e55465f5912cdb222042e548fde1ff9

Download Submit
memory/116-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads