berbew | bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072

Analysis

max time kernel
93s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
Size

96KB
MD5

804934b57f2ee7c89c8f195dbbd831a8
SHA1

48e00c4e253cbcff740954755aa912c41c44cef3
SHA256

bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072
SHA512

33fad6af7ed1cc385835bd90c3fec44600c47090c7fd3928692e12a8f3e69c7069437975be2252d891d502d4642341b6451349eee985396505b693573f4fb205
SSDEEP

1536:rZ0bpWyNXcjMVBHA90Fcpjwo+2Lt7RZObZUUWaegPYAy:r4WyVc4zVqpjwctClUUWaeP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 14 IoCs

pid	Process
4324	Dhhnpjmh.exe
3752	Dobfld32.exe
3696	Daqbip32.exe
380	Delnin32.exe
4012	Dhkjej32.exe
3584	Dodbbdbb.exe
464	Daconoae.exe
228	Dhmgki32.exe
112	Dkkcge32.exe
3016	Dmjocp32.exe
1848	Deagdn32.exe
764	Dhocqigp.exe
3200	Dknpmdfc.exe
1944	Dmllipeg.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4380	1944	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 4324	1708	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe	83
PID 1708 wrote to memory of 4324	1708	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe	83
PID 1708 wrote to memory of 4324	1708	bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe	83
PID 4324 wrote to memory of 3752	4324	Dhhnpjmh.exe	84
PID 4324 wrote to memory of 3752	4324	Dhhnpjmh.exe	84
PID 4324 wrote to memory of 3752	4324	Dhhnpjmh.exe	84
PID 3752 wrote to memory of 3696	3752	Dobfld32.exe	85
PID 3752 wrote to memory of 3696	3752	Dobfld32.exe	85
PID 3752 wrote to memory of 3696	3752	Dobfld32.exe	85
PID 3696 wrote to memory of 380	3696	Daqbip32.exe	86
PID 3696 wrote to memory of 380	3696	Daqbip32.exe	86
PID 3696 wrote to memory of 380	3696	Daqbip32.exe	86
PID 380 wrote to memory of 4012	380	Delnin32.exe	87
PID 380 wrote to memory of 4012	380	Delnin32.exe	87
PID 380 wrote to memory of 4012	380	Delnin32.exe	87
PID 4012 wrote to memory of 3584	4012	Dhkjej32.exe	88
PID 4012 wrote to memory of 3584	4012	Dhkjej32.exe	88
PID 4012 wrote to memory of 3584	4012	Dhkjej32.exe	88
PID 3584 wrote to memory of 464	3584	Dodbbdbb.exe	89
PID 3584 wrote to memory of 464	3584	Dodbbdbb.exe	89
PID 3584 wrote to memory of 464	3584	Dodbbdbb.exe	89
PID 464 wrote to memory of 228	464	Daconoae.exe	90
PID 464 wrote to memory of 228	464	Daconoae.exe	90
PID 464 wrote to memory of 228	464	Daconoae.exe	90
PID 228 wrote to memory of 112	228	Dhmgki32.exe	91
PID 228 wrote to memory of 112	228	Dhmgki32.exe	91
PID 228 wrote to memory of 112	228	Dhmgki32.exe	91
PID 112 wrote to memory of 3016	112	Dkkcge32.exe	92
PID 112 wrote to memory of 3016	112	Dkkcge32.exe	92
PID 112 wrote to memory of 3016	112	Dkkcge32.exe	92
PID 3016 wrote to memory of 1848	3016	Dmjocp32.exe	93
PID 3016 wrote to memory of 1848	3016	Dmjocp32.exe	93
PID 3016 wrote to memory of 1848	3016	Dmjocp32.exe	93
PID 1848 wrote to memory of 764	1848	Deagdn32.exe	94
PID 1848 wrote to memory of 764	1848	Deagdn32.exe	94
PID 1848 wrote to memory of 764	1848	Deagdn32.exe	94
PID 764 wrote to memory of 3200	764	Dhocqigp.exe	95
PID 764 wrote to memory of 3200	764	Dhocqigp.exe	95
PID 764 wrote to memory of 3200	764	Dhocqigp.exe	95
PID 3200 wrote to memory of 1944	3200	Dknpmdfc.exe	96
PID 3200 wrote to memory of 1944	3200	Dknpmdfc.exe	96
PID 3200 wrote to memory of 1944	3200	Dknpmdfc.exe	96

C:\Users\Admin\AppData\Local\Temp\bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe
"C:\Users\Admin\AppData\Local\Temp\bc125ad969ad5432aba0e83546f72ffd102dcc1f1902f7e8d5ec27a68c0c3072.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\Dhhnpjmh.exe
  C:\Windows\system32\Dhhnpjmh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\Dobfld32.exe
    C:\Windows\system32\Dobfld32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\Daqbip32.exe
      C:\Windows\system32\Daqbip32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
      - C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 396
        16⤵
        Program crash
        
        PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1944 -ip 1944
1⤵
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
a1302b32d69c19998894a121819ffea2

SHA1
4606487d626986954f388f37e1bd5d2eff7d4c8d

SHA256
a9ada7041748d30455d79df193d991714de74d40b9e0167aeec627ee6f52790e

SHA512
2cb0eb4125897d4187eb70bbaf488c13ef8aad186797c2af9433026cc1a49346b63658b14ca4a826e44e61600aa70b0a8700388b297a7b36c397247e7da0f325

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
96KB

MD5
e4a27fa725e55b32e97bf066fc6a0e78

SHA1
9c08dc2031a96c5d4d5b1497f342b36c77a59525

SHA256
6cdcb1e203485d8f598fae981dca8b64e0e14736f14f1717369dcab3ecfe31e3

SHA512
8b208a39590aab2b3fbd73693588be6e16ea182cebb4c6afa63913fe519a6543a65c7f30bf354acafe00c75d8a15c58a575a7f6351a7fa9dfb33b967e517a5f5

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
648afa1fd3a33be3541f3838d3c64eb2

SHA1
f47f2551624afb772fc74bde1cea5322b4a7ffba

SHA256
a65d078a5a33decd1a633b991baeb415f0ae05f4df57edf37fb9ff4e8a77ea6d

SHA512
2c30688198d6bf87a3c113db8b4627c0e80ae5d1b79763c37347ab3ab2f95b75f4c99d40a762c389250f1217eb8866ff628d616dea74534dcd1f3e3b99b4d9cf

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
6b2a1dca6437f8737b9c6e2a657a3cde

SHA1
d67e1c9dfd13420974cdf9ff441a27801b34df29

SHA256
d74d5ab6e1b5c69c6b2b8c2f877dbb613de30635d411ae2e67ebaeef127a376d

SHA512
28d2430889f67ce6d0c5b991e93203f71f2c1975ca09f85a7a24ed7b9eac2992add331aba618ec1ce197054b2d49ed86eb57945fb750f5e9c544a04e1654f502

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
eb14f96d8751a7ad57ca89c7dc2dd772

SHA1
296eefcf55ee75bf37aca91e8eba8d2464f9ff58

SHA256
86490afd47fee63e52e9ea302c2cd8601c0a091411f84d8c06e2f7cfe0362d14

SHA512
bfa8e9eb01b80e1cbfe41b540d1017fe7e7618a02622a164b6c0b203d8a633aaf4eee52766dd38ab120fd2da9fd98f3dca28e1fd3abd9b8595b09e6f09d6506b

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
8950acc92aeb3a5fedf5cb9c5814750e

SHA1
6f0e138782609734c28bae61b2f341b68c049635

SHA256
2d37166ec5e954093e49cd3d8017bacfa7742c3589524301b6ff407fce7b6a52

SHA512
3fa5149b8c4ac8330afa522eb093964759944da3e6520533e638af285d18f4cbd015b5f9f328be415d9ec9e7f063ce2130b8bd68178ca2f4edae00c35996f5f8

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
1093429351778f1664aa625a867aef02

SHA1
d0a82cb0cd0d6d5b5914a647c54eecb770bc9b08

SHA256
93b5847b535469ed2b5520f28213ac4bfb19e39829dff4446465f2821f20b2f1

SHA512
277647009bf89d21dccf7743d136e3438777dc8a21b53076d2c9bcb74870184c14f337b5a8eff2020de92ff1aac83ca67528e85046e2ed7fd8279d2be363fa4e

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
96KB

MD5
14d715d93d36987e26c7b2c09b022093

SHA1
3147ca2d8ebd1c5bba22a93df40bd259a0bdf0ba

SHA256
4caa7dcdd274545ce3f96bd8030a5e4ebc17533216ce72bc728fd0390f572164

SHA512
7225e909754356fa83685c07eb58b1bd27823c5f5e8db6a50ed569de3db290c20306f6acccaaf8ac679a3a31fb950e5216f75adb1e6b035db69948af55b31815

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
96KB

MD5
b1e596a3c4460832a5256dc1a6694680

SHA1
20def61d6fdb5ba14881b1cd238dcbed6b4ec3d9

SHA256
268a5a5bd5c7c13694549949499315272198cf5d722a3622ce2bda10344866b8

SHA512
88233f1329c46ffa868eca601612f2af454ff9e2d779289123c428aca9898e3f4d35c8e2d37c217ec3972bb07677d353f6c5dbefc2d986093a85232653bd28f0

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
9f7d9e5bd8defb92471864b0565a46f1

SHA1
8ddfbb2d98827a5a7a3b9ee6cdf48456c0ee02b5

SHA256
5e57789a4b55a14c090604e53cd3a358de0b38ffafe49776409de8c5775ac4e1

SHA512
abf9dea41379e860f76987bb59ea12b02537d16942ad3958a4e971f1eedd8833f7420e4acf647d796db6749b5d1ceeb68bc3d18741f0071f78b56749dc5883c2

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
1088de9852c0cb514a13215c2b5fc28d

SHA1
3ddb8800adfe1040f0c45f3efd2e0463f8c6849c

SHA256
8cd61f93b2521374535a789b17fa13df85920d612f99e1bc34c4fa357b966bad

SHA512
0adf269804f8376f404f5bf399d7cc75bd237c09a8480eb26bb362404d12d04d4b6ca40ef7346b98878a81009b2764119f05f1ff186d04d3155b02b7b7dd3715

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
aab13625b9e9b3633a11d8e8a7b35da4

SHA1
e1f0281355eca2216570bc529fe4c0b2122e331b

SHA256
7468b744e2b8dc20a46a6543e9a83cff4f8e7b7c390371d67cf5607d2876d6bb

SHA512
67b7dd72a13c53ce65473d2898fc688731e82839542a4b61c09b18a745a0e096933874ea0c0c55ca2b4630fbcf5a30b97181ff7b0039400f35f9a8570fff80cb

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
96KB

MD5
9a5859bea700d8f4bb3d86466891f8d7

SHA1
da2a555ed77988393bbee2a40ce35833cbea8290

SHA256
a3f7edad01985f58f5ee986c91a3fcdd9de4de9c27c07f7d1532efb703fc835e

SHA512
fa29b89dc7a1e0a3e06d00ee3e5e657a7a0d59f5336720d16d658130781edc270d2238c7451ce3515b873c3c1945f2cef91ce16da8c8788486a48d1dfa28bc2d

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
16dd2e39dcafce83b21a08edabdd4071

SHA1
9b20bc0678c3397f707d86a8ca435c9fc2642326

SHA256
9e52f2cdf2516e4eb4cd6d184ef7b1580e5d8f365963123fd24fa3bc1314761a

SHA512
6ce211eb4c44d779b83c32b84d98ca37598b79dab6aea3b62b2de101bbaba0ceb2685e0cf45de10aeb76bd4fd528b4b7bce25a170f667578e7ae863827063fe0

Download Submit
memory/112-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1708-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads