berbew | 9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11

Analysis

max time kernel
89s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
Size

128KB
MD5

a7f06a12f4f3f83b0165523f524910ed
SHA1

8045a4e69a9f2fed0f6af36f60942d2b8d17667e
SHA256

9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11
SHA512

2a61daf56b2c910a50b66c9dff035b2760e4aae1829db96f01932f584124ced4752acc790a6ec6a11ff2e57222adc321478dad32af5384dddfa8345de1b5417c
SSDEEP

3072:t3XPJciwMpFrYgdLvDKdd+HnZnA0bwf1nFzwSAJB8e:NJiMFrfq2nZA11n6xJme

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpllbp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 15 IoCs

pid	Process
3756	Cbaehl32.exe
1076	Cfmahknh.exe
1128	Clijablo.exe
4800	Ddqbbo32.exe
1156	Dbcbnlcl.exe
1204	Debnjgcp.exe
3124	Dmifkecb.exe
4600	Dpgbgpbe.exe
3768	Dfakcj32.exe
1048	Dmkcpdao.exe
3832	Dpjompqc.exe
4292	Dbhlikpf.exe
2392	Dmnpfd32.exe
2856	Dpllbp32.exe
3908	Dbkhnk32.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jaepkejo.dll	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
File created	C:\Windows\SysWOW64\Cfmahknh.exe	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Fbelak32.dll	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Dpgbgpbe.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Nfmcle32.dll	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Dbhlikpf.exe	Dpjompqc.exe
File opened for modification	C:\Windows\SysWOW64\Cbaehl32.exe	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
File created	C:\Windows\SysWOW64\Dbcbnlcl.exe	Ddqbbo32.exe
File opened for modification	C:\Windows\SysWOW64\Dmifkecb.exe	Debnjgcp.exe
File created	C:\Windows\SysWOW64\Dmkcpdao.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Ddqbbo32.exe	Clijablo.exe
File created	C:\Windows\SysWOW64\Dpaohckm.dll	Clijablo.exe
File created	C:\Windows\SysWOW64\Gpngef32.dll	Dbcbnlcl.exe
File opened for modification	C:\Windows\SysWOW64\Dpjompqc.exe	Dmkcpdao.exe
File opened for modification	C:\Windows\SysWOW64\Cfmahknh.exe	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Dkakfgoq.dll	Ddqbbo32.exe
File opened for modification	C:\Windows\SysWOW64\Dpgbgpbe.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Idbgcb32.dll	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Dpjompqc.exe	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Dmnpfd32.exe	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Dpllbp32.exe	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Cbaehl32.exe	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
File created	C:\Windows\SysWOW64\Clijablo.exe	Cfmahknh.exe
File opened for modification	C:\Windows\SysWOW64\Clijablo.exe	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Dmifkecb.exe	Debnjgcp.exe
File opened for modification	C:\Windows\SysWOW64\Dbhlikpf.exe	Dpjompqc.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File opened for modification	C:\Windows\SysWOW64\Dbcbnlcl.exe	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Debnjgcp.exe	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Dfakcj32.exe	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Fiinbn32.dll	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Mckfmq32.dll	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Pkjhlh32.dll	Cbaehl32.exe
File opened for modification	C:\Windows\SysWOW64\Ddqbbo32.exe	Clijablo.exe
File created	C:\Windows\SysWOW64\Abbbel32.dll	Debnjgcp.exe
File opened for modification	C:\Windows\SysWOW64\Dmkcpdao.exe	Dfakcj32.exe
File opened for modification	C:\Windows\SysWOW64\Dmnpfd32.exe	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Dpkgac32.dll	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File opened for modification	C:\Windows\SysWOW64\Debnjgcp.exe	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Oihlnd32.dll	Dmifkecb.exe
File opened for modification	C:\Windows\SysWOW64\Dfakcj32.exe	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Ioeiam32.dll	Dpjompqc.exe
File opened for modification	C:\Windows\SysWOW64\Dpllbp32.exe	Dmnpfd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1276	3908	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmifkecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpllbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Debnjgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpgbgpbe.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckfmq32.dll"	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaepkejo.dll"	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clijablo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idbgcb32.dll"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Debnjgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpngef32.dll"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll"	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjhlh32.dll"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaohckm.dll"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkakfgoq.dll"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Debnjgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpkgac32.dll"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbbel32.dll"	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihlnd32.dll"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcle32.dll"	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiinbn32.dll"	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmnpfd32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 3756	1660	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe	85
PID 1660 wrote to memory of 3756	1660	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe	85
PID 1660 wrote to memory of 3756	1660	9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe	85
PID 3756 wrote to memory of 1076	3756	Cbaehl32.exe	86
PID 3756 wrote to memory of 1076	3756	Cbaehl32.exe	86
PID 3756 wrote to memory of 1076	3756	Cbaehl32.exe	86
PID 1076 wrote to memory of 1128	1076	Cfmahknh.exe	87
PID 1076 wrote to memory of 1128	1076	Cfmahknh.exe	87
PID 1076 wrote to memory of 1128	1076	Cfmahknh.exe	87
PID 1128 wrote to memory of 4800	1128	Clijablo.exe	88
PID 1128 wrote to memory of 4800	1128	Clijablo.exe	88
PID 1128 wrote to memory of 4800	1128	Clijablo.exe	88
PID 4800 wrote to memory of 1156	4800	Ddqbbo32.exe	89
PID 4800 wrote to memory of 1156	4800	Ddqbbo32.exe	89
PID 4800 wrote to memory of 1156	4800	Ddqbbo32.exe	89
PID 1156 wrote to memory of 1204	1156	Dbcbnlcl.exe	90
PID 1156 wrote to memory of 1204	1156	Dbcbnlcl.exe	90
PID 1156 wrote to memory of 1204	1156	Dbcbnlcl.exe	90
PID 1204 wrote to memory of 3124	1204	Debnjgcp.exe	91
PID 1204 wrote to memory of 3124	1204	Debnjgcp.exe	91
PID 1204 wrote to memory of 3124	1204	Debnjgcp.exe	91
PID 3124 wrote to memory of 4600	3124	Dmifkecb.exe	92
PID 3124 wrote to memory of 4600	3124	Dmifkecb.exe	92
PID 3124 wrote to memory of 4600	3124	Dmifkecb.exe	92
PID 4600 wrote to memory of 3768	4600	Dpgbgpbe.exe	94
PID 4600 wrote to memory of 3768	4600	Dpgbgpbe.exe	94
PID 4600 wrote to memory of 3768	4600	Dpgbgpbe.exe	94
PID 3768 wrote to memory of 1048	3768	Dfakcj32.exe	95
PID 3768 wrote to memory of 1048	3768	Dfakcj32.exe	95
PID 3768 wrote to memory of 1048	3768	Dfakcj32.exe	95
PID 1048 wrote to memory of 3832	1048	Dmkcpdao.exe	96
PID 1048 wrote to memory of 3832	1048	Dmkcpdao.exe	96
PID 1048 wrote to memory of 3832	1048	Dmkcpdao.exe	96
PID 3832 wrote to memory of 4292	3832	Dpjompqc.exe	97
PID 3832 wrote to memory of 4292	3832	Dpjompqc.exe	97
PID 3832 wrote to memory of 4292	3832	Dpjompqc.exe	97
PID 4292 wrote to memory of 2392	4292	Dbhlikpf.exe	98
PID 4292 wrote to memory of 2392	4292	Dbhlikpf.exe	98
PID 4292 wrote to memory of 2392	4292	Dbhlikpf.exe	98
PID 2392 wrote to memory of 2856	2392	Dmnpfd32.exe	100
PID 2392 wrote to memory of 2856	2392	Dmnpfd32.exe	100
PID 2392 wrote to memory of 2856	2392	Dmnpfd32.exe	100
PID 2856 wrote to memory of 3908	2856	Dpllbp32.exe	101
PID 2856 wrote to memory of 3908	2856	Dpllbp32.exe	101
PID 2856 wrote to memory of 3908	2856	Dpllbp32.exe	101

C:\Users\Admin\AppData\Local\Temp\9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe
"C:\Users\Admin\AppData\Local\Temp\9b702358daf3be859e32144765b84a9d6b98e533155e4d4c672bae42c6d7fd11.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\Cbaehl32.exe
  C:\Windows\system32\Cbaehl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\SysWOW64\Cfmahknh.exe
    C:\Windows\system32\Cfmahknh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\Clijablo.exe
      C:\Windows\system32\Clijablo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 412
        17⤵
        Program crash
        
        PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cbaehl32.exe

Filesize
128KB

MD5
b9ad15b7865fad735801a463c499fdb6

SHA1
e07dcd3a637f87b022705a6922e483d85565d871

SHA256
4753c0760302b2c6600db5a4802c8578074f6f792045bbe15dec1a764cd4363e

SHA512
5f18dea26fe751a3a2b97076227209b89a64cf107058d81428ff60a9f63d0c47ea2b7ecd3d073dece1026bc990ee5303c094280fa9dd06284f5471458ccd35c3

Download Submit
C:\Windows\SysWOW64\Cfmahknh.exe

Filesize
128KB

MD5
6b2b6ecc0fcc85ea9317725b8ac675b7

SHA1
658de86220d32410069a89751b0a6a76d60cf391

SHA256
f5f60fef64a42793ff394b42960ba3989897c2707c733faac0086bc0e7376dbc

SHA512
1cf1dd1b7aecdb158c3d249881f6e64f57c1530f85f596393ab1ae53f2a411508900de067a970f3123693e9caf7e178011295813d1afd6478cb4652ffa85be38

Download Submit
C:\Windows\SysWOW64\Clijablo.exe

Filesize
128KB

MD5
d17c514152f3e7330b063ba8ec9b083a

SHA1
8ae0785e14dfa9fe91d7ff1aac3faa02d67f2f5f

SHA256
5977f1803c444c298cd7c2f95c0781f00493841275b015dccd954aae7421a804

SHA512
8a4561e07fa4f3ed6f24945ba6f14927da216bb15a0055caa99071991d3b2fee06c895c87a239d6cec0add6626a7c6225ff96823bd4937b88518a65264ae3467

Download Submit
C:\Windows\SysWOW64\Dbcbnlcl.exe

Filesize
128KB

MD5
f79cf789aab2b441826903b745c6f86d

SHA1
f071b69085c81268c9b9291080dbb1186d403ea0

SHA256
821e50d4892e34764b5178583dee0ed0756ffab6b4bb1ae2ed00b70d3906de87

SHA512
31f3343055d1cba7d40939cd8fedd829c7ab7ba69f9483dc76b82c6c7838e1c4852ec4eba2041a3c40df9c82af49d1a0d777ed172c8fd6c39be544732d1577a3

Download Submit
C:\Windows\SysWOW64\Dbhlikpf.exe

Filesize
128KB

MD5
3d2b6f86b3435319906edc62e5605ac2

SHA1
94c558794f6c8c457dc64b9a4870c0ea165302a7

SHA256
bc1248ebd2fb325f7e6d5e7288967fa915c187caee6a4f307ce390305b697456

SHA512
ba297972ff1ff80844d15b82131446d472202c8d835fdd7322ec103bbfcd72cf08859ce017b2d858c28d5795ed2e439c0d20a3fa1772649e41e9c0730ca1ee4c

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
128KB

MD5
0de8dcfa60acf1934822bc45b2fbeca0

SHA1
019a6cea98d7891f157ed87254c67956f470ea54

SHA256
da5cd657e475ab55e7e29b0da1465cf0d1e26b8d7f4dc457cff766a817d1ddd5

SHA512
5e483b41cf31759228d4d2723fe9ab012bfe20631a81dd33540a5f961ddc6c5c4057c475a235fdbdc2e21506da07acf29942ce18472be63722e9b724d141965f

Download Submit
C:\Windows\SysWOW64\Ddqbbo32.exe

Filesize
128KB

MD5
cb90348a884a70095a6409d1d855ff38

SHA1
3bc7e1b8c1d6aac58ee90cebcfcb89f1d9efe751

SHA256
665d116d224a0d6b699d28cf48d7a0f89b7ed420f58ef976c828ac6f672483c2

SHA512
4c963609f6add9175e2f453bf5ec4f190a9d7b1c9e548c37be5e83ea85cacb18f5104ef827f182d32adc54c3f90810d674877ac0328271688861c1b85bc20202

Download Submit
C:\Windows\SysWOW64\Debnjgcp.exe

Filesize
128KB

MD5
e9d6824a0b06c755486bb0397d04962d

SHA1
06455abe5110c97196c20fd911c99f27192f136c

SHA256
1b8cd672f797eed7a99d3f719a6f39aa23f0f78bfd9f1a69691a95274b3a6c41

SHA512
6cf9f029ee91de1cf6bf098005f52148a0e55a4243f0a5cdce842bbf255bfec26f7e1a9bb7075a08dfe6691ba568c01193557ea66bfc9288ac974575be0cfbed

Download Submit
C:\Windows\SysWOW64\Dfakcj32.exe

Filesize
128KB

MD5
23dd155cff84b6131d5b65fcd6187df2

SHA1
b79b61701fa6d4dde58a8ec3cd9f88ab58d3555f

SHA256
26f4138e4a47daf128a2f02b2a51f7ca119f4aec8d7bb350cae65c80228bd459

SHA512
9ca86d1c055bfc1ae42f198f4e24a4167cf95b7f7469982d7f6acb8871fd9d44658049e441127053db5d4101cc207369b6761b11e3f19312f484a6bae80c3cb4

Download Submit
C:\Windows\SysWOW64\Dkakfgoq.dll

Filesize
7KB

MD5
fcfbac2eddc3a3d5fa4cf22f6dd5de6c

SHA1
6dfb543c3b583cec120c4378c241fb6a5fd4b06d

SHA256
fc3c1c17f4b49e57c2a7d05eee84eff500116c3b6239443b0f4866dfd2fe7167

SHA512
a3dbfb3bcd37522fbd624112a1f1aca561666bf1d8a5d7057da32337466b877d0803f8e9854bea83792395393dd031e79d2f09387bbbf26b2ac518be8600ad05

Download Submit
C:\Windows\SysWOW64\Dmifkecb.exe

Filesize
128KB

MD5
816cfaf15b9c761f3767cc39cf75c61a

SHA1
3a52cbb3a183dbe61575bbed2b5c402572bbea7d

SHA256
ca4b3b7877246a11222caca2198ee6d408050cb09a7f7d8a6d7f52d8a1615ecb

SHA512
16725170f9ea7f3d58adb83c9f9bbb058ef2c5007ddc798054ac50bf343e32bb3a7d24a23d459b36a602fb2dc4c7141572e11d4a80d673ef91b6a8248270d36a

Download Submit
C:\Windows\SysWOW64\Dmkcpdao.exe

Filesize
128KB

MD5
10e1a54de7c59dee822241fec33dcf13

SHA1
b20cc85e856deeff77d2e2876f1588f6a2be461d

SHA256
297df7d24abc7af66823f41c196f4469a6eb20fc2beea861321ce17a05c289b8

SHA512
90849d1a6ba009a23169c66f04054be97dd4e79f56dead2c4b82a284d0fe164ab6fe4ace329c8559398a8c3f86e58eac9e0440697c378f75348803b072209a8b

Download Submit
C:\Windows\SysWOW64\Dmnpfd32.exe

Filesize
128KB

MD5
59cecea5fe428919c4ea6900b1e71e31

SHA1
852f1a6c457a7fb96cb3fc239b8353691b59d464

SHA256
f1f0b590df94801ccb6ab31ae40ca3ba91db22fd87f6b945f9b39cfe24636156

SHA512
fbfbcb38fb781e0563a5e6599ec1d070e25566d4e39c8d4e4ee8db6d7037b3ba81cf697009554589994330ad4f9e5a76a0f0e3869f2fa6f8c017165ed08423dd

Download Submit
C:\Windows\SysWOW64\Dpgbgpbe.exe

Filesize
128KB

MD5
167e065ec0819595fe9045126377aa84

SHA1
1a41503aff163ac6c93f4f5f55a16a33dd234a16

SHA256
b671e5a0dee620fa9555a2b1b4fdb568b54b6a96dfcde9e9d691bc75c86ea1fe

SHA512
9678316adee3405089333608a798cb218c503b9598ea6c1a39284e701cea9843da753e64fea19dec0ca51e99cc83504cc23020341d8aac766c9276f214068f4a

Download Submit
C:\Windows\SysWOW64\Dpjompqc.exe

Filesize
128KB

MD5
4ed66390da0d418d3a2763fc21959b64

SHA1
dccdef454ddfd624dcb760c951172c5c80c9c067

SHA256
6960644e1d6c9ca130eb24fc0864d714cc52c60f60340e5c1eaddb8044eaa64c

SHA512
3d68685ee7c8ba6ac37d109b64c398b9bcc9d8caac14236e7af88912a23ce9d2a5df5794bca10e8749d70f32279cb520882077daf8c401ad06f16dba2bc653dd

Download Submit
C:\Windows\SysWOW64\Dpllbp32.exe

Filesize
128KB

MD5
cc2f36a0e3cf32a1411cdf3043683aa2

SHA1
df1dc520a9ae35a23be0d5316fad088ca72a3d42

SHA256
b5240d0fee9728676552834247adece1dcbacfd7086cbe8c50b6e10d98c874cc

SHA512
24b0f4e721a44ac1a2e17dbf899c948027e881edeaf9faf5cf86a1ffe957990b480a02c42de3384043a93c9e2c123abcbbfd4d430c30562de3f689c62ee48a5f

Download Submit
memory/1048-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1128-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1128-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1156-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1156-131-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3756-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3756-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3768-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3768-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3832-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3832-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3908-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3908-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4292-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4292-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads