berbew | a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabf

Analysis

max time kernel
114s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
Size

128KB
MD5

e5650b359ac0e661d5d195a744216900
SHA1

67bf13a09cb18feb3fa6c12f4eb65ae964571ddc
SHA256

a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabf
SHA512

123e9f13b6b911b121973629655310fdc205b23d2da7ca6e41b388b62e9048378ed85ef8f2d07bb48967af48b22eca4ded90a8e029c6023ac2917922917e395c
SSDEEP

3072:l2jn9CGYiLgQFmIfx3QsOKzDd1AZoUBW3FJeRuaWNXmgu+tB:uC7iLgQ1ZAsOKndWZHEFJ7aWN1B

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfcoblfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbjogmlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dibdeegc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bflham32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Defheg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bblcfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cboibm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmagch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cekhihig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmddihfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cleqfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ammnhilb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmagch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjlap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhhml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Almanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpcdfll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgjkpll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfcoblfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpcdfll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfjeckpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpgjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cibkohef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cleqfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 57 IoCs

pid	Process
3540	Almanf32.exe
2900	Abgjkpll.exe
1724	Ammnhilb.exe
2876	Abjfqpji.exe
2740	Aehbmk32.exe
2388	Bblcfo32.exe
788	Bmagch32.exe
324	Bemlhj32.exe
4232	Bmddihfj.exe
1604	Bflham32.exe
4704	Bbcignbo.exe
3964	Beaecjab.exe
2364	Bmimdg32.exe
2448	Bpgjpb32.exe
3120	Bfabmmhe.exe
548	Bipnihgi.exe
2288	Bmkjig32.exe
1952	Cpifeb32.exe
5012	Cbhbbn32.exe
4516	Cfcoblfb.exe
2768	Cibkohef.exe
4136	Cmmgof32.exe
1940	Cplckbmc.exe
1916	Cbjogmlf.exe
552	Cffkhl32.exe
2736	Cidgdg32.exe
1536	Cmpcdfll.exe
4360	Cpnpqakp.exe
4068	Cdjlap32.exe
3160	Cfhhml32.exe
4032	Cekhihig.exe
1636	Cmbpjfij.exe
5028	Cleqfb32.exe
2120	Cdlhgpag.exe
3696	Cboibm32.exe
400	Cfjeckpj.exe
1264	Ciiaogon.exe
1288	Cpcila32.exe
4700	Cbaehl32.exe
3476	Cfmahknh.exe
1180	Ciknefmk.exe
2984	Clijablo.exe
2572	Ddqbbo32.exe
3100	Dfonnk32.exe
2672	Dinjjf32.exe
4352	Dllffa32.exe
4304	Ddcogo32.exe
3424	Dfakcj32.exe
560	Dedkogqm.exe
644	Dmkcpdao.exe
1900	Dpjompqc.exe
4472	Dbhlikpf.exe
4456	Defheg32.exe
2400	Dibdeegc.exe
1816	Dlqpaafg.exe
1564	Dpllbp32.exe
4088	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bblcfo32.exe	Aehbmk32.exe
File created	C:\Windows\SysWOW64\Bmddihfj.exe	Bemlhj32.exe
File created	C:\Windows\SysWOW64\Ibnoch32.dll	Cpifeb32.exe
File created	C:\Windows\SysWOW64\Cbhkkpon.dll	Cibkohef.exe
File created	C:\Windows\SysWOW64\Dojahakp.dll	Bflham32.exe
File created	C:\Windows\SysWOW64\Cidgdg32.exe	Cffkhl32.exe
File created	C:\Windows\SysWOW64\Pdkpjeba.dll	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Adlafb32.dll	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Nfmcle32.dll	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Dedkogqm.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Fiinbn32.dll	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Bfabmmhe.exe	Bpgjpb32.exe
File opened for modification	C:\Windows\SysWOW64\Dlqpaafg.exe	Dibdeegc.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Gdfmgqph.dll	Bbcignbo.exe
File opened for modification	C:\Windows\SysWOW64\Bipnihgi.exe	Bfabmmhe.exe
File created	C:\Windows\SysWOW64\Midbjmkg.dll	Cfcoblfb.exe
File created	C:\Windows\SysWOW64\Cpcila32.exe	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Fjgnln32.dll	Dibdeegc.exe
File created	C:\Windows\SysWOW64\Ibinlbli.dll	Abjfqpji.exe
File created	C:\Windows\SysWOW64\Bmagch32.exe	Bblcfo32.exe
File opened for modification	C:\Windows\SysWOW64\Cpifeb32.exe	Bmkjig32.exe
File created	C:\Windows\SysWOW64\Cfcoblfb.exe	Cbhbbn32.exe
File created	C:\Windows\SysWOW64\Fkiecbnd.dll	Cbhbbn32.exe
File created	C:\Windows\SysWOW64\Cffkhl32.exe	Cbjogmlf.exe
File created	C:\Windows\SysWOW64\Cqbolk32.dll	Bmagch32.exe
File created	C:\Windows\SysWOW64\Beaecjab.exe	Bbcignbo.exe
File created	C:\Windows\SysWOW64\Cibkohef.exe	Cfcoblfb.exe
File created	C:\Windows\SysWOW64\Cmpcdfll.exe	Cidgdg32.exe
File created	C:\Windows\SysWOW64\Hkjfpp32.dll	Cidgdg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmkcpdao.exe	Dedkogqm.exe
File created	C:\Windows\SysWOW64\Idbgcb32.dll	Dedkogqm.exe
File opened for modification	C:\Windows\SysWOW64\Dbhlikpf.exe	Dpjompqc.exe
File created	C:\Windows\SysWOW64\Mckfmq32.dll	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Jaepkejo.dll	Cpcila32.exe
File created	C:\Windows\SysWOW64\Dpjompqc.exe	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Defheg32.exe	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Bbcignbo.exe	Bflham32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjig32.exe	Bipnihgi.exe
File opened for modification	C:\Windows\SysWOW64\Ciknefmk.exe	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Fbelak32.dll	Ciknefmk.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File opened for modification	C:\Windows\SysWOW64\Bmimdg32.exe	Beaecjab.exe
File created	C:\Windows\SysWOW64\Dbebgj32.dll	Bipnihgi.exe
File opened for modification	C:\Windows\SysWOW64\Cmpcdfll.exe	Cidgdg32.exe
File created	C:\Windows\SysWOW64\Cekhihig.exe	Cfhhml32.exe
File opened for modification	C:\Windows\SysWOW64\Cmbpjfij.exe	Cekhihig.exe
File created	C:\Windows\SysWOW64\Cboibm32.exe	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Cfjeckpj.exe	Cboibm32.exe
File opened for modification	C:\Windows\SysWOW64\Cbaehl32.exe	Cpcila32.exe
File created	C:\Windows\SysWOW64\Clijablo.exe	Ciknefmk.exe
File opened for modification	C:\Windows\SysWOW64\Dedkogqm.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Dibdeegc.exe	Defheg32.exe
File created	C:\Windows\SysWOW64\Nffopp32.dll	Defheg32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabmmhe.exe	Bpgjpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfcoblfb.exe	Cbhbbn32.exe
File created	C:\Windows\SysWOW64\Kqfaoo32.dll	Cmpcdfll.exe
File created	C:\Windows\SysWOW64\Aoedfmpf.dll	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Cdjlap32.exe	Cpnpqakp.exe
File created	C:\Windows\SysWOW64\Cleqfb32.exe	Cmbpjfij.exe
File opened for modification	C:\Windows\SysWOW64\Bmagch32.exe	Bblcfo32.exe
File opened for modification	C:\Windows\SysWOW64\Cbjogmlf.exe	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Amkejmgc.dll	Cekhihig.exe
File created	C:\Windows\SysWOW64\Dihmeahp.dll	Dfonnk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1736	4088	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cidgdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bblcfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbcignbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbhbbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmmgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfonnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aehbmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpifeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defheg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemlhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnpqakp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpgjpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabmmhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpjfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Almanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpllbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjfqpji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmimdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjogmlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cekhihig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cleqfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipnihgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcogo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibdeegc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgjkpll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnhilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmagch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfcoblfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpcdfll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcila32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmddihfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffkhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhgpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciiaogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dedkogqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bflham32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibkohef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cboibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cplckbmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllffa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlqpaafg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abgjkpll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaepkejo.dll"	Cpcila32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll"	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmddihfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bipnihgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodcma32.dll"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfmgqph.dll"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjfpp32.dll"	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlafb32.dll"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpifeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbhbbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqhqndlf.dll"	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Defheg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgeebem.dll"	Almanf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgide32.dll"	Bfabmmhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgfdkj32.dll"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doklblnq.dll"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffopp32.dll"	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbebgj32.dll"	Bipnihgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbcdide.dll"	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmagch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmimdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqbolk32.dll"	Bmagch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaohckm.dll"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midbjmkg.dll"	Cfcoblfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgnmlep.dll"	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Defheg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ammnhilb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmddihfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoedfmpf.dll"	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjhlh32.dll"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ammnhilb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cibkohef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdnkk32.dll"	Cfjeckpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Almanf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cleqfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bblcfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfijgnnj.dll"	Cmmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecnjaee.dll"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dllffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igqceh32.dll"	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3540	3944	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe	89
PID 3944 wrote to memory of 3540	3944	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe	89
PID 3944 wrote to memory of 3540	3944	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe	89
PID 3540 wrote to memory of 2900	3540	Almanf32.exe	90
PID 3540 wrote to memory of 2900	3540	Almanf32.exe	90
PID 3540 wrote to memory of 2900	3540	Almanf32.exe	90
PID 2900 wrote to memory of 1724	2900	Abgjkpll.exe	91
PID 2900 wrote to memory of 1724	2900	Abgjkpll.exe	91
PID 2900 wrote to memory of 1724	2900	Abgjkpll.exe	91
PID 1724 wrote to memory of 2876	1724	Ammnhilb.exe	92
PID 1724 wrote to memory of 2876	1724	Ammnhilb.exe	92
PID 1724 wrote to memory of 2876	1724	Ammnhilb.exe	92
PID 2876 wrote to memory of 2740	2876	Abjfqpji.exe	93
PID 2876 wrote to memory of 2740	2876	Abjfqpji.exe	93
PID 2876 wrote to memory of 2740	2876	Abjfqpji.exe	93
PID 2740 wrote to memory of 2388	2740	Aehbmk32.exe	94
PID 2740 wrote to memory of 2388	2740	Aehbmk32.exe	94
PID 2740 wrote to memory of 2388	2740	Aehbmk32.exe	94
PID 2388 wrote to memory of 788	2388	Bblcfo32.exe	95
PID 2388 wrote to memory of 788	2388	Bblcfo32.exe	95
PID 2388 wrote to memory of 788	2388	Bblcfo32.exe	95
PID 788 wrote to memory of 324	788	Bmagch32.exe	96
PID 788 wrote to memory of 324	788	Bmagch32.exe	96
PID 788 wrote to memory of 324	788	Bmagch32.exe	96
PID 324 wrote to memory of 4232	324	Bemlhj32.exe	97
PID 324 wrote to memory of 4232	324	Bemlhj32.exe	97
PID 324 wrote to memory of 4232	324	Bemlhj32.exe	97
PID 4232 wrote to memory of 1604	4232	Bmddihfj.exe	98
PID 4232 wrote to memory of 1604	4232	Bmddihfj.exe	98
PID 4232 wrote to memory of 1604	4232	Bmddihfj.exe	98
PID 1604 wrote to memory of 4704	1604	Bflham32.exe	99
PID 1604 wrote to memory of 4704	1604	Bflham32.exe	99
PID 1604 wrote to memory of 4704	1604	Bflham32.exe	99
PID 4704 wrote to memory of 3964	4704	Bbcignbo.exe	100
PID 4704 wrote to memory of 3964	4704	Bbcignbo.exe	100
PID 4704 wrote to memory of 3964	4704	Bbcignbo.exe	100
PID 3964 wrote to memory of 2364	3964	Beaecjab.exe	101
PID 3964 wrote to memory of 2364	3964	Beaecjab.exe	101
PID 3964 wrote to memory of 2364	3964	Beaecjab.exe	101
PID 2364 wrote to memory of 2448	2364	Bmimdg32.exe	102
PID 2364 wrote to memory of 2448	2364	Bmimdg32.exe	102
PID 2364 wrote to memory of 2448	2364	Bmimdg32.exe	102
PID 2448 wrote to memory of 3120	2448	Bpgjpb32.exe	103
PID 2448 wrote to memory of 3120	2448	Bpgjpb32.exe	103
PID 2448 wrote to memory of 3120	2448	Bpgjpb32.exe	103
PID 3120 wrote to memory of 548	3120	Bfabmmhe.exe	104
PID 3120 wrote to memory of 548	3120	Bfabmmhe.exe	104
PID 3120 wrote to memory of 548	3120	Bfabmmhe.exe	104
PID 548 wrote to memory of 2288	548	Bipnihgi.exe	105
PID 548 wrote to memory of 2288	548	Bipnihgi.exe	105
PID 548 wrote to memory of 2288	548	Bipnihgi.exe	105
PID 2288 wrote to memory of 1952	2288	Bmkjig32.exe	106
PID 2288 wrote to memory of 1952	2288	Bmkjig32.exe	106
PID 2288 wrote to memory of 1952	2288	Bmkjig32.exe	106
PID 1952 wrote to memory of 5012	1952	Cpifeb32.exe	107
PID 1952 wrote to memory of 5012	1952	Cpifeb32.exe	107
PID 1952 wrote to memory of 5012	1952	Cpifeb32.exe	107
PID 5012 wrote to memory of 4516	5012	Cbhbbn32.exe	108
PID 5012 wrote to memory of 4516	5012	Cbhbbn32.exe	108
PID 5012 wrote to memory of 4516	5012	Cbhbbn32.exe	108
PID 4516 wrote to memory of 2768	4516	Cfcoblfb.exe	109
PID 4516 wrote to memory of 2768	4516	Cfcoblfb.exe	109
PID 4516 wrote to memory of 2768	4516	Cfcoblfb.exe	109
PID 2768 wrote to memory of 4136	2768	Cibkohef.exe	110

C:\Users\Admin\AppData\Local\Temp\a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
"C:\Users\Admin\AppData\Local\Temp\a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\SysWOW64\Almanf32.exe
  C:\Windows\system32\Almanf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\Abgjkpll.exe
    C:\Windows\system32\Abgjkpll.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\Ammnhilb.exe
      C:\Windows\system32\Ammnhilb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Bmddihfj.exe
        
        C:\Windows\system32\Bmddihfj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Cfcoblfb.exe
        
        C:\Windows\system32\Cfcoblfb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Cibkohef.exe
        
        C:\Windows\system32\Cibkohef.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Cpnpqakp.exe
        
        C:\Windows\system32\Cpnpqakp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 412
        59⤵
        Program crash
        
        PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 4088
1⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1904,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:8
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abgjkpll.exe

Filesize
128KB

MD5
c49e15a982b545e6f0e0c6b875896647

SHA1
5a104f708c040c478c4fa11dbedef7cd6e224612

SHA256
d705b8c96252e3fb0fe7537e88732a44b84ff8ed1c23efaf29ca503698d5070b

SHA512
b3791591b115524d1297402b2b9dce4a84b95376e6c83726df088b15bb7a08327bbd1a5ce83b41e7868bd6b04371049f6beb5fa427394f07a417292911d9e1bb

Download Submit
C:\Windows\SysWOW64\Abjfqpji.exe

Filesize
128KB

MD5
ea39fdfbaf89a337c93626c87fa3f267

SHA1
965a58bd745857ce65d05b7d372191d7be358bc6

SHA256
26c35a73f4cf803c426c10680915ab20bb1089c7d1a0a43abd803725b58818cb

SHA512
3fb0872b358dfc798ee3c9c2f4bedb811f3e87a3a429731d566b8aea27af499ff78e37632a82d91d93f2615c9689ea7952c9b665d2ba7a59a53e9fde273b54d1

Download Submit
C:\Windows\SysWOW64\Aehbmk32.exe

Filesize
128KB

MD5
f3fd67b592d1a412952e2538743f4f33

SHA1
5aa232b7f7ae39b122d28f9c1486e0779e9f1af1

SHA256
45c333eb199787da2ae8bd55592716024a70cbfa8ebe064bb9121c46cfb5cfba

SHA512
75d4f4ca8b0772f1a9012ad82623d4d5d3daba2c5cbae3aa7215ae3502a504661b20648a3aa0f2b27bb7825e71da454b57efac9ffe6808d4929147ae13164c18

Download Submit
C:\Windows\SysWOW64\Almanf32.exe

Filesize
128KB

MD5
536b753d4859761cbca2371b1fe94096

SHA1
50271a9472e0428a087f4249d032a96e3db1678a

SHA256
5fb57faf1384c01505ff6297b22d310382e30fad1c9df8c9f39c2f4b491ece03

SHA512
72bddf679835037281c152ce387d8e99f0415dc3a7a7bc45a19b3bba72c964d1a0abb9c1fafea2c6f1bb1488d9cb4910b36693bb4f3a098a2ca5957f802555d3

Download Submit
C:\Windows\SysWOW64\Ammnhilb.exe

Filesize
128KB

MD5
adde00cadc28b45ac02dbd332f90a715

SHA1
867c486998b632964916b35332050c0aa8f828dd

SHA256
ddd94824cca87eede67f94b8c2c89fd9bdd3a55a972d9d2d7e659e4a34773021

SHA512
9240eda3eaa9d2b720a7bb3cb40f72a1f40cb1cf27e119e55e56745564745c0cdd6d33f697c3367f4ce106de1284a348776a3eb4e3d97ccb9900ca45e4677ec9

Download Submit
C:\Windows\SysWOW64\Bbcignbo.exe

Filesize
128KB

MD5
ade2e537865015641e35cd2192b49646

SHA1
93e6cd0efc0b0cd771b693c62e9ad172361b24f9

SHA256
9177db81e0fd83a469ec15a97f77b1844403faca71a5dd3648e57bf217732e1b

SHA512
cf688521888250d637bda182572ab37209bd8204940bdca324c1a53e3ae17215114fb0dbe38d908bc643fb933fccd43a5ecdae4d90467be721d8e2e1ff23d288

Download Submit
C:\Windows\SysWOW64\Bblcfo32.exe

Filesize
128KB

MD5
0102881cb0e148520a21f0389937c993

SHA1
ede30e13c7714b9a4df293e3fcc7135f2b19549a

SHA256
ac8aef837fdfc95383b9a58a1666c2c99b2785d983f5842d34e6f7962d2b6228

SHA512
b47368aa8e1b7698e41e3b284eca5315291d11251d4c7c31399415dc510e1fdef2bad678117911ca0804e89fbc3ba574140a0d6398e1bdf2f2271321b260bb77

Download Submit
C:\Windows\SysWOW64\Beaecjab.exe

Filesize
128KB

MD5
86d72513c5e9138c9b44d6b134c67a21

SHA1
5b6a1968372ae10319d8fce43156dfe65f617411

SHA256
2d4abe4b5ad82c6d61bb3c2316eec0d3a78ad54ec3f7e2cc9820688e5258a878

SHA512
73f02fd1eafcd8b78d5060d80afca916594bc1597c08e907272d421b5ea7469dd884fd23ba82c18d4913feb35132e4fbbc3daeee6d66d0928cf1011efa2fdd51

Download Submit
C:\Windows\SysWOW64\Bemlhj32.exe

Filesize
128KB

MD5
18081f70b4e9a14aff2081d5c587b1dd

SHA1
2ef8ca9d0bbddd1d0d26d00bff5258dfee38a05e

SHA256
7c6c2a20cbfcf570e778d1613b4bd5a74c51b6393b5e9df3a2d2d94fcaf78ab5

SHA512
21a6f4d53282d72df782f10618aca92526c878f112284fa3bc47f4e81e17fcf0c4cef8b9ef1b1c296ee77f83a0be9db7f1cbb08a2ff85b765e8478ec9c1d296b

Download Submit
C:\Windows\SysWOW64\Bfabmmhe.exe

Filesize
128KB

MD5
bf40456aeef976e42756da75069dd2c9

SHA1
a6f3df62b142641302f1afb92a6112c8a6ba2a13

SHA256
7fa81e9c2c25807ace9006c37c76dfb1aa2ed49776b1b20467b8bde3e7a94058

SHA512
3eb580ab25d0c3c1bd40c24e35b7c007790cb2271b69d13bcf4486aaa03b509284ea90704a15068a384e09fc97e307b35f1e483f04183ab2ab6f9b8bbe8d31f6

Download Submit
C:\Windows\SysWOW64\Bflham32.exe

Filesize
128KB

MD5
be9d91503d033c9ee6c7107679990991

SHA1
581b61ceb20a8a2719aabdf7d9ddcd912927e857

SHA256
7fb2044dd643cf856df25c5f4578574492592cf90078009f1f38be3b8bafb075

SHA512
1b422c6f7e6c88442cff9e6bd4de259321609ce9ddff3ff34297e1a9467f44fe537c4b9d282168511e23e8ee56e9ae4b4d19626251d1cd5a2e575e2fc8e3e408

Download Submit
C:\Windows\SysWOW64\Bipnihgi.exe

Filesize
128KB

MD5
5f6c418855ffd384c2368c6a4de4df71

SHA1
dd270871365c8536f5b5b3686e65c4e5967fde54

SHA256
96e9b80d2fabe32906a16c1d66c7389a233756e703fdea5f9aa6497e01b2495b

SHA512
e2c03def0513773c43744825ed6d81768dd0b5c6f99b5bb8dbbe03a7182611590db871114974004e24296c132e8a3834d05581dd15cf1c3256e0295424be3700

Download Submit
C:\Windows\SysWOW64\Bmagch32.exe

Filesize
128KB

MD5
817cff8006da37bde105bc114b55ece1

SHA1
fdb0ac9675256304368f5e5a3089fad63b020215

SHA256
12975d57c8107649aa289dc431b2dea8d3e8217895a10ed3df74c2d72116ed9d

SHA512
578c3e927a61416ed1b28de4ceb3c5d51c4e48244c8441a2c6c572a7d5e8f15101013c37381e65127e4a64dc2c76b69ad732b082deec9aed8dd981e570cabe95

Download Submit
C:\Windows\SysWOW64\Bmddihfj.exe

Filesize
128KB

MD5
19022fb49cca8ab59fcc9e88d520c998

SHA1
ec3c19e4b6edd5cf6f267e90000c7ddb5d8e468e

SHA256
d81e0c655b824da2c38a8545ccc7aa27c4dcd2663ae9d886a589dcd3aa20ffc6

SHA512
46e3a12f1ad50c13f2474f7a2a5041e9e3c940332298f5b0c66641b86d3447274448297f7921b8462a745e7e15a10567e82aec940004a8ceb6b403a399d0da41

Download Submit
C:\Windows\SysWOW64\Bmimdg32.exe

Filesize
128KB

MD5
eddca6c07a478fe83a55b24dbd96ca38

SHA1
5f5eab7572ccec3c689e095e28e1897953badfab

SHA256
b36822e119f884276b4f927337d5abbcfe5d7d796ab728bc6d537c39401bbe6e

SHA512
25034d06a5a4b04268b4e45993b5d6605e6a7f133c1898f16545a046ba4b3e886b8d5f1def39f6a9869a9c745ee0b695ee781d2698873a9214089b37d7ca80ef

Download Submit
C:\Windows\SysWOW64\Bmkjig32.exe

Filesize
128KB

MD5
0b17079ad78195ecd3937a0b849a6463

SHA1
8693f67479a0ad4030879150e6d608d73224a539

SHA256
c6d0179108ec6e1da17811db84248b95e8d04e6fbc981d561e201ddb8c1c6e07

SHA512
1a77930cb8f9bed1dd3f8235a0c6ed5c32526831e8c7b71168dcc96829af48ba0acdb7f1a132118edbb9e9a61983695ad8305fdf2f5489565d3b761ca8d78d55

Download Submit
C:\Windows\SysWOW64\Bpgjpb32.exe

Filesize
128KB

MD5
0921a034f61beb7c14322718a9867baf

SHA1
4e3666e04e84b8c03b876c17662ae3df92d3b0f1

SHA256
bbc85273a107dac9514a8b28eb626c6ffd157e582c02e4e0cc22c43123561471

SHA512
8dcc15ae4d1eb522ac9e210116799007031043f43f668c7cebd58dee2fbc59d07c8ac3e5dab39e7f3c17a6d07dfdd37f6e5fa0380b8a4f66943dc166d4715f67

Download Submit
C:\Windows\SysWOW64\Cbhbbn32.exe

Filesize
128KB

MD5
8e908614b94a25e376f5063ca079abe2

SHA1
7b3abf981395e067b235853c097ce8cfe3138092

SHA256
0ab90ae48b393ff81355bfb91fe4575bd03be2f3c7a139a2aa4903e25058104a

SHA512
b8594f6c8fce94a3ce3de2a237a6e4a9da8c96a5cc39ff3983bab0348194eb6da1bbaafd6fb33857a14b163fe7cdcbb624743b98af77a0c419a718b74b168f54

Download Submit
C:\Windows\SysWOW64\Cbjogmlf.exe

Filesize
128KB

MD5
b9d9e59083660ca4c659701a220b8e47

SHA1
f0bc4ca460cec1e90e972d8482d5de1941f33b7f

SHA256
989bc993be602d795d8b42ce282624383728be721df0612af3aa8e87f219fd5f

SHA512
12702729c87c2ed795665fb1d45b7b5c808b0de4512a0f3f27e63a8977f344a7e25b52a1292656630af06a00b0c3ae685637d48f26d02181d8ce22a6ec80a8b0

Download Submit
C:\Windows\SysWOW64\Cdjlap32.exe

Filesize
128KB

MD5
ba04e5d27e37ad7025675b315e71c98c

SHA1
956479e0ab74b179782ab232c88479c6b36080a7

SHA256
f9d974bbe3f7f6e0d6b6827c5737ea601306d1092cd67c415338846032fd91cc

SHA512
0099c980d1c2f98f337c806ff74914639cc9da0fab0c280252a580d153b8b2793bda9f0f3f59caf5fec562226a74c0a4d700837a16165e04fc1a5c0fc4924aa3

Download Submit
C:\Windows\SysWOW64\Cekhihig.exe

Filesize
128KB

MD5
28d269567bdc5f6ce3dd1d668ae7037f

SHA1
fd394a8aebbb71aca267f1689c9d0f5c519ac69f

SHA256
9d5d5252a7fb046889670c1aaf8690fa80017f92acd9d2aeef2f57095f0757b3

SHA512
d68c3eb5226146bb0a687170a9acab4a9d13de8808a0962b6d7e01ca98fe4814190c00e75572cdda5ee8e496c118b519a2a4d779d84badd3c16b84cf2f888c5e

Download Submit
C:\Windows\SysWOW64\Cfcoblfb.exe

Filesize
128KB

MD5
9729227881609e4989ddbd0fb66f77b2

SHA1
dab045b6581b70f4e8670a291e838d109881e42b

SHA256
753de582a0642ec6a1ae1676574de2346929a5a2f0f101c4ea62adc9934a30c7

SHA512
3d88e05bdb15380ac5d9b123556d39ce6964badcdacc8da7a72a271c818a19578693bfe1b72eb28cc9bedbb7524161ba5df40f8931373e734c687f9ad67f73ac

Download Submit
C:\Windows\SysWOW64\Cffkhl32.exe

Filesize
128KB

MD5
e399c9e388213c1b826705c7e24a3c6a

SHA1
30fd3f314ec6e5a390ee31c21c66330b7a742ea1

SHA256
c9236deab69c65fce7402871f29576cea7a691b7aa40677d6cd1d90400dcdc3d

SHA512
bb350dc100f2c465d039b70eb1c9f40210ef6e6528298441116173b5fe4d34381dd1e352e406fe5b299d62121e4a4109ba0e0ed0d42f7a798f2cb69c54cf95cb

Download Submit
C:\Windows\SysWOW64\Cfhhml32.exe

Filesize
128KB

MD5
2fb62cf3c233a393f91f0dc1ded0aef2

SHA1
3d6942836ca6e99f04e4802641cf796be42b0256

SHA256
56c824fefc288a7ed646a879d2bb6195754bd44d28f1b474cfa03b81647e6814

SHA512
47f6743ba63bd659a8e06d3c50a53434e7e0c38cbbb9e7eca0a4316ade97fcd8015e03581758b621027c971f030b1601a2e8d4548c397e33054a006ad3f672aa

Download Submit
C:\Windows\SysWOW64\Cibkohef.exe

Filesize
128KB

MD5
61af3de2d12583bf9677ca1efd8d87a7

SHA1
e55a2e45c41eb588508f61b3bca244e80fe5c568

SHA256
f8e97162afd2ec79e5568a92833b219ee1955daf8aca119fbd9fff79a1a28622

SHA512
4aa16d1832d7423425d977d8cbeb159bbe4721ea9280780c8448a63483b05654620ce9c6e86484ae2d7dc0ca03f46df452c0a13035402f48dc6d61e71b19f30f

Download Submit
C:\Windows\SysWOW64\Cidgdg32.exe

Filesize
128KB

MD5
4d7dd04877b1de6142e760cdf531a42b

SHA1
cf33a09a9be491da526a2b783be639df92acebff

SHA256
bad11daf96c3189b86ee89b2b2646de321932c199934a54e483577582d25adda

SHA512
5e6faa0d54021bc288f074872d87116eb3ed12acd850049c20f04bc10610332f329e747b64c280600932cd521fee6499b96182fcfdc9bfacfc0b96b3e5753eea

Download Submit
C:\Windows\SysWOW64\Cmbpjfij.exe

Filesize
128KB

MD5
0cc7255e4b9adb2115d60897da4378ce

SHA1
6f50b898300dfbacdc9ce2a8fe8f530c48f034d7

SHA256
8f5aee8b2c66e0b5c1d284ee6f4cc060c837fa6a7a2329c36e2dc6ab216a2a48

SHA512
01e12cc2b38dc135962a31cd4340c1a8e6b12e9bb1a04df4bb669d02660cfdbac766498f56b9df1bc9add8debf65239a11a1c74a596c883f6bf7e89c4d8654c5

Download Submit
C:\Windows\SysWOW64\Cmmgof32.exe

Filesize
128KB

MD5
2dfb5e5cd4d93d1a02f297de91876f66

SHA1
f88ecdad9475dca38122a021164d156ac9a78f89

SHA256
98532352b30607ce385c73fa275791199161b318e9f5e72cacb00ae00845045e

SHA512
ca6adfa3b9fa7daf080ea93c36d307546404eb4554459275bfea275586b779de7f03711eee4f106edc4ad1e684138bfb7a823d0f341b24ea4dc57567f64a8190

Download Submit
C:\Windows\SysWOW64\Cmpcdfll.exe

Filesize
128KB

MD5
7f1107a674352b98d5da758de3035c68

SHA1
a190cb40e5ef3439ab325f0129327652053d72ec

SHA256
a7e7aadaa28fdeefb488bcef65df5eea395fd68aff8a8e6389e7d90b1d052bb6

SHA512
6100dd4c7372fa0decdd8c7eb602c8d360131462905bd031fcddac1dd54e1678d2256e1d5a12022b43b3190dbd614db9ff1ce342d8b955072c3269a76ae56096

Download Submit
C:\Windows\SysWOW64\Cpifeb32.exe

Filesize
128KB

MD5
a36aebfd1cf061c28d571d4af9af8296

SHA1
0ab84a027049cff013a600fdfcc4284a1f03eb8b

SHA256
c759015872973f14f29ce3346335f828b2afa94b90e1e3e45a6b9c9491893b60

SHA512
fef16742b4a4b13b0c0698bc7f9b733bbb5ef77bb2945da2c1c5115d401c32ab68d562812a40f8c0e80da15804e6992196323c78e8c6c84f32cbba1862e5927c

Download Submit
C:\Windows\SysWOW64\Cplckbmc.exe

Filesize
128KB

MD5
32dc8db2253979d59aab520373ca5222

SHA1
87aeddfa7b2f7b846a03e7503c727235f8fed3d1

SHA256
cc9337a37e3b3b27f6b0a13eab80fc6a9a781972fa24657da5e0d38d66deec5b

SHA512
e8898902c37c1342fc20d55827651f66346d59bf805ebf8fa51d4177cedc471c4d66f0676bdaefbebf3afbd9b7eb85604193d5385770ee2ee85024f035e89989

Download Submit
C:\Windows\SysWOW64\Cpnpqakp.exe

Filesize
128KB

MD5
3a36cf213b30be0394f1512681ce6369

SHA1
086d4bca987f7cd7319a6e1308e08ba28cb92da9

SHA256
73037726849a51f9dfeed3c51395c5509948d764f8c02c6e9b7b4ecd33cef028

SHA512
b2dc8770a2ef140d94f0d56ccfc7e78c2f7f3c5fa4b0550edf7ffac8f2f3ae3dceedc176b2499782920ca910484c2f13b78c0df19ff75086ab37b7e8829ec803

Download Submit
C:\Windows\SysWOW64\Ibinlbli.dll

Filesize
7KB

MD5
a6d140e886cc911be4511062a0bbacfe

SHA1
b06b7be947bd4d73f70ca6c38d1abb2868519ed0

SHA256
e08a1d5dc71cb54a7fb30f6ec4f5214cf1408c6b275dce89b737a83e52685ba7

SHA512
fcd02b071f31a0fccb0b863ba7217c76753e5b0b751fce70af16857db010c9ea4836dfce60c0e3e81bd436a32cb19135a355b02db23b60b89478bb9940d889a5

Download Submit
memory/324-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/324-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/400-289-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/548-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/552-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/560-378-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/644-384-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/788-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/788-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1180-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1264-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1264-294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1288-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1536-279-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1564-420-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1636-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1724-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1724-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1816-414-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1900-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1916-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1940-271-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-408-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2448-117-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2448-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2572-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2736-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-270-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2876-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2876-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3100-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3120-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3160-283-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3424-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3476-319-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3540-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3540-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3696-288-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3944-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3944-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3964-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3964-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4032-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4068-282-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-422-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4136-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4232-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4232-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4304-366-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4360-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4456-402-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4472-396-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4516-269-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4700-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4704-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4704-325-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5012-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5028-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads