berbew | b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767N.exe
Size

576KB
MD5

aeb85981dd738899f5aef28d76fb11c0
SHA1

7ddad8fae2723ea2e173a153b32e12337ee40ecb
SHA256

b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767
SHA512

cb4eb8fdea1a4047697d4caaaef171a0df1698b35a62fd76eaac1a95474e0a2f13b0553da8e2cb376b76972b1dcda735116a2b64216e1d19b07119c5fb31a73f
SSDEEP

12288:iPipV6yYP4rbpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJh:iPiW4XWleKWNUir2MhNl6zX3w9As/xOd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmagch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmimdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciiaogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepadh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aiabhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeffgkkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alpnde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amkabind.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeffgkkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cleqfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcicjbal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bblcfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciiaogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clgmkbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cepadh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpefaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmfqngcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpemkcck.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjogmlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlncla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdebfago.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcicjbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfcoblfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpcdfll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dllffa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgjkpll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alpnde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmagch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beoimjce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmfqngcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bppcpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbcignbo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2144	Amkabind.exe
1444	Apimodmh.exe
1644	Abgjkpll.exe
2564	Aeffgkkp.exe
2652	Aiabhj32.exe
3428	Alpnde32.exe
3204	Apkjddke.exe
3608	Abjfqpji.exe
2424	Aehbmk32.exe
3536	Aidomjaf.exe
2004	Albkieqj.exe
388	Bcicjbal.exe
4856	Bblcfo32.exe
4480	Bfhofnpp.exe
1616	Bifkcioc.exe
4636	Bmagch32.exe
4488	Bppcpc32.exe
2464	Bboplo32.exe
3476	Bemlhj32.exe
220	Bihhhi32.exe
2984	Bpbpecen.exe
2216	Bbalaoda.exe
5024	Beoimjce.exe
720	Bmfqngcg.exe
4744	Bpemkcck.exe
1064	Bbcignbo.exe
552	Beaecjab.exe
2904	Bmimdg32.exe
2552	Bbefln32.exe
2392	Bedbhi32.exe
3036	Bmkjig32.exe
4424	Blnjecfl.exe
1960	Cdebfago.exe
3216	Cfcoblfb.exe
3212	Cefoni32.exe
2992	Cmmgof32.exe
4844	Cplckbmc.exe
4384	Cbjogmlf.exe
3668	Cffkhl32.exe
4448	Cmpcdfll.exe
4476	Cpnpqakp.exe
4184	Cbmlmmjd.exe
924	Cekhihig.exe
2868	Cifdjg32.exe
5160	Cleqfb32.exe
5208	Cdlhgpag.exe
5244	Cfjeckpj.exe
5280	Ciiaogon.exe
5324	Clgmkbna.exe
5360	Cpcila32.exe
5400	Cfmahknh.exe
5440	Cepadh32.exe
5480	Clijablo.exe
5520	Dpefaq32.exe
5560	Dbcbnlcl.exe
5600	Debnjgcp.exe
5640	Dinjjf32.exe
5684	Dllffa32.exe
5724	Ddcogo32.exe
5760	Dfakcj32.exe
5800	Dipgpf32.exe
5840	Dlncla32.exe
5880	Ddekmo32.exe
5928	Dgdgijhp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dpllbp32.exe	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Pimdleea.dll	Bemlhj32.exe
File opened for modification	C:\Windows\SysWOW64\Bpbpecen.exe	Bihhhi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmfqngcg.exe	Beoimjce.exe
File opened for modification	C:\Windows\SysWOW64\Clgmkbna.exe	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Pdkpjeba.dll	Clgmkbna.exe
File created	C:\Windows\SysWOW64\Pkjhlh32.dll	Cpcila32.exe
File created	C:\Windows\SysWOW64\Ibinlbli.dll	Abjfqpji.exe
File created	C:\Windows\SysWOW64\Qpiidi32.dll	Bifkcioc.exe
File opened for modification	C:\Windows\SysWOW64\Beoimjce.exe	Bbalaoda.exe
File opened for modification	C:\Windows\SysWOW64\Dpefaq32.exe	Clijablo.exe
File created	C:\Windows\SysWOW64\Dkakfgoq.dll	Dpefaq32.exe
File opened for modification	C:\Windows\SysWOW64\Aeffgkkp.exe	Abgjkpll.exe
File created	C:\Windows\SysWOW64\Jfdqcf32.dll	Bfhofnpp.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjig32.exe	Bedbhi32.exe
File created	C:\Windows\SysWOW64\Ldbeqlcg.dll	Dgdgijhp.exe
File created	C:\Windows\SysWOW64\Mckfmq32.dll	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Dfakcj32.exe	Ddcogo32.exe
File opened for modification	C:\Windows\SysWOW64\Aiabhj32.exe	Aeffgkkp.exe
File created	C:\Windows\SysWOW64\Ipekmlhg.dll	Bmkjig32.exe
File created	C:\Windows\SysWOW64\Lgkkbg32.dll	Cfcoblfb.exe
File created	C:\Windows\SysWOW64\Cbjogmlf.exe	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Djbehfpe.dll	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Eicfep32.dll	Clijablo.exe
File opened for modification	C:\Windows\SysWOW64\Apimodmh.exe	Amkabind.exe
File created	C:\Windows\SysWOW64\Bppcpc32.exe	Bmagch32.exe
File created	C:\Windows\SysWOW64\Bbalaoda.exe	Bpbpecen.exe
File opened for modification	C:\Windows\SysWOW64\Cepadh32.exe	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Dllffa32.exe	Dinjjf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfakcj32.exe	Ddcogo32.exe
File opened for modification	C:\Windows\SysWOW64\Ddcogo32.exe	Dllffa32.exe
File opened for modification	C:\Windows\SysWOW64\Ddekmo32.exe	Dlncla32.exe
File created	C:\Windows\SysWOW64\Oahmla32.dll	b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767N.exe
File created	C:\Windows\SysWOW64\Ifgeebem.dll	Apimodmh.exe
File created	C:\Windows\SysWOW64\Apkjddke.exe	Alpnde32.exe
File created	C:\Windows\SysWOW64\Nkebqokl.dll	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Ppbeie32.dll	Bihhhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ciiaogon.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Cbccbiml.dll	Dlncla32.exe
File opened for modification	C:\Windows\SysWOW64\Bcicjbal.exe	Albkieqj.exe
File created	C:\Windows\SysWOW64\Beaecjab.exe	Bbcignbo.exe
File created	C:\Windows\SysWOW64\Bedbhi32.exe	Bbefln32.exe
File created	C:\Windows\SysWOW64\Cfmidc32.dll	Blnjecfl.exe
File opened for modification	C:\Windows\SysWOW64\Cdlhgpag.exe	Cleqfb32.exe
File created	C:\Windows\SysWOW64\Cfjeckpj.exe	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Neiiibnn.dll	Cifdjg32.exe
File opened for modification	C:\Windows\SysWOW64\Dllffa32.exe	Dinjjf32.exe
File opened for modification	C:\Windows\SysWOW64\Dipgpf32.exe	Dfakcj32.exe
File opened for modification	C:\Windows\SysWOW64\Dbcbnlcl.exe	Dpefaq32.exe
File opened for modification	C:\Windows\SysWOW64\Dlncla32.exe	Dipgpf32.exe
File created	C:\Windows\SysWOW64\Hmjmqdci.dll	Albkieqj.exe
File created	C:\Windows\SysWOW64\Bemlhj32.exe	Bboplo32.exe
File opened for modification	C:\Windows\SysWOW64\Cplckbmc.exe	Cmmgof32.exe
File opened for modification	C:\Windows\SysWOW64\Cffkhl32.exe	Cbjogmlf.exe
File created	C:\Windows\SysWOW64\Qecnjaee.dll	Cdlhgpag.exe
File opened for modification	C:\Windows\SysWOW64\Clijablo.exe	Cepadh32.exe
File opened for modification	C:\Windows\SysWOW64\Defheg32.exe	Dgdgijhp.exe
File created	C:\Windows\SysWOW64\Nfcnnnil.dll	Cpnpqakp.exe
File created	C:\Windows\SysWOW64\Imdnon32.dll	Dfakcj32.exe
File opened for modification	C:\Windows\SysWOW64\Abgjkpll.exe	Apimodmh.exe
File created	C:\Windows\SysWOW64\Eobepglo.dll	Aiabhj32.exe
File opened for modification	C:\Windows\SysWOW64\Abjfqpji.exe	Apkjddke.exe
File created	C:\Windows\SysWOW64\Kfhfap32.dll	Aehbmk32.exe

Program crash 1 IoCs

pid	pid_target	Process
3012	6080	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcicjbal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnpqakp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cifdjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcila32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpllbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amkabind.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dipgpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhofnpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjogmlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpefaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cefoni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpbpecen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpgjpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfcoblfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beoimjce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpemkcck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cplckbmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeffgkkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiabhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albkieqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmimdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpcdfll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apimodmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbefln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmlmmjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepadh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgjkpll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blnjecfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciiaogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clgmkbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcogo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkjddke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifkcioc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemlhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cekhihig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmmgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidomjaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bblcfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bboplo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbcignbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bedbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmagch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmfqngcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Debnjgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdgijhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdebfago.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffkhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cleqfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpnde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjfqpji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aehbmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bppcpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defheg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhgpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllffa32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amkabind.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bihhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeoha32.dll"	Bmimdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bppcpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bedbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfcoblfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcnnnil.dll"	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bboplo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmmgof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doklblnq.dll"	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeffgkkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdqcf32.dll"	Bfhofnpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqhqndlf.dll"	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiiibnn.dll"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhfap32.dll"	Aehbmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofndo32.dll"	Bpgjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimdleea.dll"	Bemlhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciiaogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbefln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodcma32.dll"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjmqdci.dll"	Albkieqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkebqokl.dll"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Albkieqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeffgkkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpgjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdagi32.dll"	Bblcfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqbolk32.dll"	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhfaig32.dll"	Bmfqngcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Alpnde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beoimjce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cekhihig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Blnjecfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aehbmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppbeie32.dll"	Bihhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgkkbg32.dll"	Cfcoblfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpnpqakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhopqko.dll"	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bifkcioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbalaoda.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 2144	3232	b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767N.exe	89
PID 3232 wrote to memory of 2144	3232	b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767N.exe	89
PID 3232 wrote to memory of 2144	3232	b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767N.exe	89
PID 2144 wrote to memory of 1444	2144	Amkabind.exe	90
PID 2144 wrote to memory of 1444	2144	Amkabind.exe	90
PID 2144 wrote to memory of 1444	2144	Amkabind.exe	90
PID 1444 wrote to memory of 1644	1444	Apimodmh.exe	91
PID 1444 wrote to memory of 1644	1444	Apimodmh.exe	91
PID 1444 wrote to memory of 1644	1444	Apimodmh.exe	91
PID 1644 wrote to memory of 2564	1644	Abgjkpll.exe	92
PID 1644 wrote to memory of 2564	1644	Abgjkpll.exe	92
PID 1644 wrote to memory of 2564	1644	Abgjkpll.exe	92
PID 2564 wrote to memory of 2652	2564	Aeffgkkp.exe	93
PID 2564 wrote to memory of 2652	2564	Aeffgkkp.exe	93
PID 2564 wrote to memory of 2652	2564	Aeffgkkp.exe	93
PID 2652 wrote to memory of 3428	2652	Aiabhj32.exe	94
PID 2652 wrote to memory of 3428	2652	Aiabhj32.exe	94
PID 2652 wrote to memory of 3428	2652	Aiabhj32.exe	94
PID 3428 wrote to memory of 3204	3428	Alpnde32.exe	95
PID 3428 wrote to memory of 3204	3428	Alpnde32.exe	95
PID 3428 wrote to memory of 3204	3428	Alpnde32.exe	95
PID 3204 wrote to memory of 3608	3204	Apkjddke.exe	96
PID 3204 wrote to memory of 3608	3204	Apkjddke.exe	96
PID 3204 wrote to memory of 3608	3204	Apkjddke.exe	96
PID 3608 wrote to memory of 2424	3608	Abjfqpji.exe	97
PID 3608 wrote to memory of 2424	3608	Abjfqpji.exe	97
PID 3608 wrote to memory of 2424	3608	Abjfqpji.exe	97
PID 2424 wrote to memory of 3536	2424	Aehbmk32.exe	98
PID 2424 wrote to memory of 3536	2424	Aehbmk32.exe	98
PID 2424 wrote to memory of 3536	2424	Aehbmk32.exe	98
PID 3536 wrote to memory of 2004	3536	Aidomjaf.exe	99
PID 3536 wrote to memory of 2004	3536	Aidomjaf.exe	99
PID 3536 wrote to memory of 2004	3536	Aidomjaf.exe	99
PID 2004 wrote to memory of 388	2004	Albkieqj.exe	100
PID 2004 wrote to memory of 388	2004	Albkieqj.exe	100
PID 2004 wrote to memory of 388	2004	Albkieqj.exe	100
PID 388 wrote to memory of 4856	388	Bcicjbal.exe	101
PID 388 wrote to memory of 4856	388	Bcicjbal.exe	101
PID 388 wrote to memory of 4856	388	Bcicjbal.exe	101
PID 4856 wrote to memory of 4480	4856	Bblcfo32.exe	102
PID 4856 wrote to memory of 4480	4856	Bblcfo32.exe	102
PID 4856 wrote to memory of 4480	4856	Bblcfo32.exe	102
PID 4480 wrote to memory of 1616	4480	Bfhofnpp.exe	103
PID 4480 wrote to memory of 1616	4480	Bfhofnpp.exe	103
PID 4480 wrote to memory of 1616	4480	Bfhofnpp.exe	103
PID 1616 wrote to memory of 4636	1616	Bifkcioc.exe	104
PID 1616 wrote to memory of 4636	1616	Bifkcioc.exe	104
PID 1616 wrote to memory of 4636	1616	Bifkcioc.exe	104
PID 4636 wrote to memory of 4488	4636	Bmagch32.exe	105
PID 4636 wrote to memory of 4488	4636	Bmagch32.exe	105
PID 4636 wrote to memory of 4488	4636	Bmagch32.exe	105
PID 4488 wrote to memory of 2464	4488	Bppcpc32.exe	106
PID 4488 wrote to memory of 2464	4488	Bppcpc32.exe	106
PID 4488 wrote to memory of 2464	4488	Bppcpc32.exe	106
PID 2464 wrote to memory of 3476	2464	Bboplo32.exe	107
PID 2464 wrote to memory of 3476	2464	Bboplo32.exe	107
PID 2464 wrote to memory of 3476	2464	Bboplo32.exe	107
PID 3476 wrote to memory of 220	3476	Bemlhj32.exe	108
PID 3476 wrote to memory of 220	3476	Bemlhj32.exe	108
PID 3476 wrote to memory of 220	3476	Bemlhj32.exe	108
PID 220 wrote to memory of 2984	220	Bihhhi32.exe	109
PID 220 wrote to memory of 2984	220	Bihhhi32.exe	109
PID 220 wrote to memory of 2984	220	Bihhhi32.exe	109
PID 2984 wrote to memory of 2216	2984	Bpbpecen.exe	110

C:\Users\Admin\AppData\Local\Temp\b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767N.exe
"C:\Users\Admin\AppData\Local\Temp\b066d89985d34b215e5132672b79f4d1b9e38eeaedfdf863df2aaa5622951767N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\SysWOW64\Amkabind.exe
  C:\Windows\system32\Amkabind.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\Apimodmh.exe
    C:\Windows\system32\Apimodmh.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\Abgjkpll.exe
      C:\Windows\system32\Abgjkpll.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Windows\SysWOW64\Aeffgkkp.exe
        
        C:\Windows\system32\Aeffgkkp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Bfhofnpp.exe
        
        C:\Windows\system32\Bfhofnpp.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Bppcpc32.exe
        
        C:\Windows\system32\Bppcpc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        30⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Cfcoblfb.exe
        
        C:\Windows\system32\Cfcoblfb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Cpnpqakp.exe
        
        C:\Windows\system32\Cpnpqakp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Clgmkbna.exe
        
        C:\Windows\system32\Clgmkbna.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Cepadh32.exe
        
        C:\Windows\system32\Cepadh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        70⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 412
        71⤵
        Program crash
        
        PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6080 -ip 6080
1⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4340,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=1904 /prefetch:8
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abgjkpll.exe

Filesize
576KB

MD5
190d7b76db708c3358580da5f5a89c8c

SHA1
648bfc630c0452f664095675333fd3e83df71842

SHA256
bdeb189f1c54c696a0298ba0b638ff056509cb65ebdd4d8d98ee8d094370c704

SHA512
9479d4f0acd74492006af499d30c3e3c7509e7441867d41aa0fc8832de1fc73e65d28ea710fdf2feb6435d153321f449e7324d634ca6a4a7bae6589db931b211

Download Submit
C:\Windows\SysWOW64\Abjfqpji.exe

Filesize
576KB

MD5
05914fcc166df27b37fe9d1ccd99eec4

SHA1
dc7468f6ec184dc9a9110110ccad0a6a2671bcc6

SHA256
7c33c204cd67ee505bf94941e2575af3dc76b075bf20231ac6fd22ffeef82933

SHA512
bb4bfa054cf04bae64ee0b2ce4bff11f50bc94e57c2f3bec7243b1155c8548bd3223f64db558688887eadba230842e94d3499e7819790c47cf1935c4412152f0

Download Submit
C:\Windows\SysWOW64\Aeffgkkp.exe

Filesize
576KB

MD5
f6648e52e66d708d39f5ffdd3f046fe7

SHA1
9df7eaf5519665b80405323c16b18ea1f4327c70

SHA256
5586bc4523338dde975c97d25f7e93c56a8965947ad7bfd7f1256465cc39a694

SHA512
efd643ef879ee3cb7fbd3dfd24dc05c87b32bc40a4f7187dddd0d655bd7b8b6d0d5cc8827f08b47d09764d2914c911d07024a34799c8747e03fce1e4d7994981

Download Submit
C:\Windows\SysWOW64\Aehbmk32.exe

Filesize
576KB

MD5
a2be672ff61854a435ca6202068973f7

SHA1
56d3d5379ff8865ecc0e67b4d0ffa4f5c9f3e05f

SHA256
f01c1782ef5c6875a5404093e8755f2ae38c7712404fa4c3721984473aedf5c7

SHA512
3b63e16ee14b56c6c0d3936cb9029f1b410c58d7e852244a24cb98e43239ea0912963843cb3f90311fe2434c4b4d043fe92f07f4c1cc25f7f1fb0ac37e4bc148

Download Submit
C:\Windows\SysWOW64\Aiabhj32.exe

Filesize
576KB

MD5
1b2a7d8833cc90b25401521fee6d80fc

SHA1
11d1b2bb9b47b98cc15bba5f7564607960b554d9

SHA256
45128942085b8d42db28755f1b6eb5caf3f5cdcc70ae9b3a56bbdf84354e820f

SHA512
619865ca661e50308c277626599d5403f32888005c36170bbf0d65333a5fed71012e0f9f44c90203d1c6a9b49391de92a37f3750daa584156efce16751af8d1f

Download Submit
C:\Windows\SysWOW64\Aidomjaf.exe

Filesize
576KB

MD5
80c32c26aec7b139e3c4bb493e8e658f

SHA1
2dc2a5062a3181fa1ab04722936194ee2235a85f

SHA256
fffe83b78bf3412fa459989f88374e8bb2629b56c1a1fa1211dac657435c534e

SHA512
c32d2e530180f792ede6ee62627ef2c4c672ea87b59454ce904e3e563adf46c1e7a12cc09098651a18fd461dbbef1dd7bcb9aabb7e1da28a172e9dd8b210c076

Download Submit
C:\Windows\SysWOW64\Albkieqj.exe

Filesize
576KB

MD5
b7147b7e00b3a68cdc943a8f169e1bf9

SHA1
1b407a536d5e2220c8f3bbe96f8dd037bcd93934

SHA256
d5ac86b3bd5111ba74b2ac7f125cb60d7ba0091a0470d3895a070d65dcfed46a

SHA512
0fc1824ff61c4c5a29d971c59a389b93e36533dc7b1b0652f3ef03d377a4e818733a94d557babcd86002400455e8bf2ca9d617081f57a80ed968a13a23ae00ac

Download Submit
C:\Windows\SysWOW64\Alpnde32.exe

Filesize
576KB

MD5
64a07ce620df075b5c1fa5a683ac76c3

SHA1
f1f085bd57c517ee4472932477f928693f0a9a04

SHA256
7643ba29d235a79eca3e82280a7d0ff902a70f8141c4d12f8c6a803a94b784d7

SHA512
2fc6a111ff4b53536b4de3438ea7946c42553832fde31680059a72c2a497f3d6c53e04ff97e3734cb0050c35330f1687f5d76ebbe7ba19130b0922def473c43c

Download Submit
C:\Windows\SysWOW64\Amkabind.exe

Filesize
576KB

MD5
c65bae0c339c6bd961b10ec0cbb812fc

SHA1
0b947832ab28cab96f2f4b1991e94ff9f335205d

SHA256
da7bb2d70de432f837543863a0b55c672655eed798f5cfcd5cd1602671cbd84e

SHA512
c86743a72156dfb7a9b89bc31f464faf5450f6e0a092244267e3209ea4b1d789e4b8f4bb7cc74ff78e44644f3ec26e73824aef8109c170a1b1dc0376d2113b21

Download Submit
C:\Windows\SysWOW64\Apimodmh.exe

Filesize
576KB

MD5
893c74f6a2af17d18efdac3cbb9ff616

SHA1
40431848de72b12927472cdef91bb39b587c1c4b

SHA256
4dd830e07dbd12657b30edb59f2795a9c9cb4e20c801bc3c473addf1ccccb282

SHA512
bf979e4114edc4ed71e9a7fba50e3a1c9944f366ca16574a0e418320904436f45d8f9212e684a5b8c32bd8c982db2ba85df71b52673ae12932e3cba939dd41fc

Download Submit
C:\Windows\SysWOW64\Apkjddke.exe

Filesize
576KB

MD5
3f7a45a6233bb67fd3a8e33dd94f9d98

SHA1
702ebb5da209aaee655569a544b5048e0e5a7044

SHA256
0596f335532c1907d7e8762868521fd77986efed2c7583f3c26aa2ae4dce4078

SHA512
40f3ce6ea8a40fddd75a4c4ea99cb43b5af4e9a22e5a4e30ef13f72341f2776637b4be6bf4433af68db26b62f3928c7b7165c87480ec400e4ed9b1ed8c624cda

Download Submit
C:\Windows\SysWOW64\Bbalaoda.exe

Filesize
576KB

MD5
cbb5207349cf5342c6ab471f55949085

SHA1
5960996b20121bc1f2a1838388e2b83234d99b29

SHA256
59edea54d4a1a0459a9b99b3176fa8619ecca58fae776b50644b4e002c95d46e

SHA512
d697555d2e9672c70cdd2a4f753ad3618dcbae300ea28697d9f464512f64f727effe45f3cc38e31f2e2ad6090b059973488d65d858c9a039a45f196bebb0eb89

Download Submit
C:\Windows\SysWOW64\Bbcignbo.exe

Filesize
576KB

MD5
e5302f7ba1e9e69307ec799594e6e39f

SHA1
fb2e2a56bf6203e646da985638e0fdb08c55534b

SHA256
564f829535fa6ae1c0e845ea4b2b12521e223b4b365062aafa7575608c39a171

SHA512
c9c7a43403b85ef08a5d5396007e4ea4804417482a7be779414324fde60a29a56feeebad9a1dcc2429e0c7c6e8642c811c35dbbd4cccc6f789d7b301623fdabf

Download Submit
C:\Windows\SysWOW64\Bbefln32.exe

Filesize
576KB

MD5
d06e06c815e75525ee6ca34035d18b23

SHA1
140af2fcf56ccbf903ae5cdb8a0bf84090d73565

SHA256
036f5be4aac1cefc7754cf4334c40544ecccb50863f8bf380ec5cca696f3cf41

SHA512
36538006e642b5ea98b25bb6015a10c3f69bde382a45294192d5ac4eaad5213264fde1595bd9b86587a62089e4e8e86ef1db3bb898d2d4fdb2a0c1ecbc31ae07

Download Submit
C:\Windows\SysWOW64\Bblcfo32.exe

Filesize
576KB

MD5
13c26ef499c89ad3c1b3c623578b6439

SHA1
6f46279baf40f37588e5afbbf8a8da40e3f8185a

SHA256
661bfc39a26834588bb9503b59fe8afb1aa9d0381f8d70cc77d74cdac21d062f

SHA512
55f3be9238d09e6f4f1abe789dc3c10534086bd2fa926762045bcb457aebed6565cbbcb7c454d6782b5376fabacdc93b44dfcf98f3d684a8b8a52d93811a01a9

Download Submit
C:\Windows\SysWOW64\Bboplo32.exe

Filesize
576KB

MD5
a9d168a6e596bddb6e12c439a1d8edce

SHA1
a10a89e7c1a89bc8804fd7f3d4ffc2e5e2487fb5

SHA256
9c8015e7ed5962a61346455f5e439755db2cd2144d10f9ce58a3846060b1d24b

SHA512
d664e523128bbd0f590ec64f625adc035de570f0c433030f244a220f6e556d8851ff1c3d1d3a8a384591232ff54beeb1b54abd05a6970b646fb1bca56ab441ba

Download Submit
C:\Windows\SysWOW64\Bcicjbal.exe

Filesize
576KB

MD5
33c0cf99755e3e0e52bcec2aeabe278f

SHA1
9f86bf56b5973a8d04861775bebfa0f58fb52cb1

SHA256
ddda48b93cf706bb2fe9b7017674994e774ddb0cc2809c898ca5f83b051fe5cf

SHA512
e1b563af533730fe3c61a87e5fc88c0e7ba99184e36441a9f9ca729438ec37e8d6fb5632c8a31ba2a46c1586c3ac5a79736ad920b28332245b710452ace615b4

Download Submit
C:\Windows\SysWOW64\Beaecjab.exe

Filesize
576KB

MD5
3355c08e7c5efc8618879568a6cdc48a

SHA1
a06762bff03892819a632a08f00d4973133ce3bd

SHA256
25df9b2c27b4297d24b90fd184100e28bdabaff3f03f633ac84a6213b4df0c06

SHA512
304146e0b46fc6e3c82ed31577721fd680f89466c7e929eaa84422a31e8ed5dd9429005121e5223a099562080ab96d398d6704283497d364cf6f921bb361508c

Download Submit
C:\Windows\SysWOW64\Bedbhi32.exe

Filesize
576KB

MD5
881b3bcf1385756286216d5e3974ab8e

SHA1
89cf163785dbae1342d23e57c478c481033cf220

SHA256
c3c6cddef22a20f3e4aa09e3ff427efe77f8eb3e1c2338264c8e93bc0a07bfc0

SHA512
de6d6283c8c97d08ab617a4e9b96bbecc8a9e2305ef25250b23ee59614f74b4e0b38b4eac4308eff4cc0fa62b13d3a4c5d202dd66b08e86f5a08ef95f8c6b49e

Download Submit
C:\Windows\SysWOW64\Bemlhj32.exe

Filesize
576KB

MD5
702935068dbcf7f6b707657ad06fde0f

SHA1
24e4f0cc19709bacf5bcdaf9c2b5d6d832d0b86f

SHA256
070b11abe4cea741dfb6da945d92726bb04b3ae5b318a4de25b7ddd94837fbde

SHA512
b84cfcf1a9f100d072b03d3c9c361f37b7005ee68da0912033c64481b4a8d80c707ce97f5bc69147bf816ddd262c504b72f930373c7d9e658a2c53b3dd123fc1

Download Submit
C:\Windows\SysWOW64\Beoimjce.exe

Filesize
576KB

MD5
0f565a2afc3dc21fa2e175f25e4594d7

SHA1
2f72cbc832f8fb97daa4e066ae1d8feb3b7e9fed

SHA256
4e75f249c97c743a13ee5d26f15026a952d659df8eee2a9066ba0f4348b8e233

SHA512
ebc4f90532255d3dbfa681eb02a917239c9cdbdf7bee191d207514d2345d6f3c5a2dc9a57877a7179858926b84cede8654f4491cfde106b05fa5b49573e5556b

Download Submit
C:\Windows\SysWOW64\Bfhofnpp.exe

Filesize
576KB

MD5
b2480c2cfc30402ee669208fd7916fe3

SHA1
bf4daba961a9b0bca56375a46870fd750c1b1941

SHA256
08f41586f85cab760c7923571e15dc52a2cbcd57a822f8add64b960c0c85c381

SHA512
190e446a7538d6ad936c004edeab2db7772a873e271c1c424b1ff3af199a04e2e9155f18bae5141a77dc9971d84d5c8b885259f22caebcd986c05620717a42b8

Download Submit
C:\Windows\SysWOW64\Bifkcioc.exe

Filesize
576KB

MD5
7865b2e1b5bee84ac702da8fd22f1fa6

SHA1
11bef04cf2ea9ff6ae00f4d7774c27f250734fd1

SHA256
10dd38c04ca21cfe14b8f1f50df4b6cc0bfbc135fc608db163e342249b9802c2

SHA512
5b19f34f596b9a6a6b827903ca9c050e0ba1f43566b567be99bfc8a1ca2334aaea103ca24c2ff155508989ea91b092fd2f01835c2ceebafd934891db9a069a4e

Download Submit
C:\Windows\SysWOW64\Bihhhi32.exe

Filesize
576KB

MD5
1720923560ed372ac40565d5996494fa

SHA1
92459f4776583d32767de35bf28a7f2ca62d5ff2

SHA256
9354a74d8bf52f1a88d4a2cea5b97aa2355416bca9c8b4181486e66e8f940d19

SHA512
0fe388a0933dc6831bde4759195b7f76094ef56251828e53e5d254783d54699cd334ef8055e02db9d57314ff84bb69fbf7016d94a6c5e33c4c9845f4531fbe11

Download Submit
C:\Windows\SysWOW64\Blnjecfl.exe

Filesize
576KB

MD5
e7c5c69c2660a299e89c6224a3047825

SHA1
a796a7dee5ed36706e5e1b2eecabbad0b0e93f01

SHA256
6f80390dfe74fbd5e36c4237ae1cd66541bb24f62e0665f23c85a78f83981ba5

SHA512
6136e77289cc563afaaf35c1b34290715f324d6cb2f1efb7439b96912636459ea0644aa353f7923b1dbe833511480d85845c962c62a16261bc2b79fce64df9ca

Download Submit
C:\Windows\SysWOW64\Bmagch32.exe

Filesize
576KB

MD5
e05955ee296a3e564cab52b90cc6ee2c

SHA1
ba376594587773ed54050098698a5ee47b4f476f

SHA256
cf27bd5d47652e9ceb6b74dda239c1afdec8b2ae533bba735d0a82979ae08ec8

SHA512
29585c97dc29d7741c85261c19bb8bc970a04eb76d0af373ea59be9a05339048c71775600386f577b0096689a2cd57be6f2ab80dfab8fcf0b614b4b96740705e

Download Submit
C:\Windows\SysWOW64\Bmfqngcg.exe

Filesize
576KB

MD5
32ec5ea8de2bd95c22f64395de603de5

SHA1
8645b0f18d7e4546e5b35ab431ec9df8e3c901ef

SHA256
47f43cebaf712357626be0559d7585425b20b672b14101e79b09b5ee6601d4ba

SHA512
792f3dbd294f36544a0dfd65e6a5f15c3f4d5c0ed15893151d63004a677901c782776dee47162744614f3f15ffc9fa21476434feffa90e5b05e3f209c916c09b

Download Submit
C:\Windows\SysWOW64\Bmimdg32.exe

Filesize
576KB

MD5
166e00f71a19e772d368f33d38a05b02

SHA1
3be303de7fb8450452510d8acd170cf48e8646f2

SHA256
66373550ad0f0a3a96572d9c43aab97d1ea2fb93130fe743c900aa68ad7e633c

SHA512
6354a256256d5df05106ca4f6c909e90c5fb9f06c301a268ae926e1bb0d535aa0f157fab53525ffa445b24010ea52564ab940b84c54daba267a80c5f0bc9a947

Download Submit
C:\Windows\SysWOW64\Bmkjig32.exe

Filesize
576KB

MD5
c1979e5e852c36d38edde85e0f3b331d

SHA1
6b7b6d7499361855f5546be34438f7c2236ab82c

SHA256
10f8c5c6400873d832be635a80a555402d4d76ef290625b8936a0194369c5854

SHA512
9441d79750f8de5adae548cb638b86d9b0811c411e0ace8a62ba27eaf520c0092f5493b503228c01a21b9963cf9f11176485d4d242460c94dabbb72307a8574f

Download Submit
C:\Windows\SysWOW64\Bpbpecen.exe

Filesize
576KB

MD5
13e29db790401c946b6df6a6a180029e

SHA1
420fd9a283e6c6d252d8f3d2c55fdcbb2752bfbe

SHA256
795bca6d8c352567cf6ed45a29c4e6b424dbe836ca75f0af3b0be19628bec46e

SHA512
58a84014b941acbbc0746a2485473dc52178af00a52c7f3b1230b020a781c3cffd7bb7a1e571902138eaeef4f02b505bde4959d000f7bcd5d3ac0f8060e01e5f

Download Submit
C:\Windows\SysWOW64\Bpemkcck.exe

Filesize
576KB

MD5
1a071eb95b609d9a5f9aa755dbed8c62

SHA1
472867c483920297c33a7afa7d140b4155daaee4

SHA256
55a4483da0fae1a5a2711b08cb3a069a029360c4a8947ed0d732fee1495ab3b5

SHA512
f8548ba3da9e536711927436b9d20c23627f8ff7c048e467cadc0a0abaa064fda3376390f6b4f6bfe8926d7a3aa2cd03eddcc65d821d8f07e993c852707b2dde

Download Submit
C:\Windows\SysWOW64\Bppcpc32.exe

Filesize
576KB

MD5
c6b000a40dabfa53c7859cf437d19d93

SHA1
d921e6bc18856f6a6dca85b72a97042493bfb668

SHA256
4cb50a7d10a03adc2023b7afb9d7f0c944e9593d05634d5324284f1d8f54f119

SHA512
43557aa3611730a8afebb89a44ceee49bb0564e263f5c42cbac13e6ed6e9062333bf740f00c60a1f4ae2f1373dd29ab5ad05cc67b34e28e92cbc4b30ea2eefae

Download Submit
C:\Windows\SysWOW64\Cdebfago.exe

Filesize
576KB

MD5
1d0d5d35fa53bcae3353498c0fbad424

SHA1
882d26cabd16892f9794e7c18affacd2772d7ff3

SHA256
4cc5d0e9ed07b74ec5436f604bc2b6b46011d4ef4ab11ed9a17a3b7938e6e56b

SHA512
ac8f8f6624f622e2e57419acf8dc6defd90da5dbaba4cd70d9fe0ffa41a2a9962eaf35710bf70c38d8bd0faa5f8289c2b11d9e0db23a9f46588c50c0abe7c0f8

Download Submit
C:\Windows\SysWOW64\Lkafdjmc.dll

Filesize
7KB

MD5
55cd8f7c71468cf1e7673e84d9899f98

SHA1
9655e805bc2f45e4218e68fd44fc5218e8e475a7

SHA256
917fc0e5fdefc5034db2c0f7502fe1f0d7bfac5f0c8b5c4059ef73ea0eb9a47d

SHA512
c23e4f4782b3616f7f89982014ed206342ea67060d1537ccc4ce84d3e0656b1f6284bd34b89a660df25f143839905ac857d5ba5eacb4cff9b95c2ec4396d26e0

Download Submit
memory/220-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/388-100-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/552-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1064-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2004-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-475-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2464-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2992-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3036-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3204-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3212-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3216-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3232-476-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3232-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3428-52-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3476-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3608-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3668-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4184-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4300-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4384-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4448-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4480-116-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4488-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5160-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5208-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5244-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5280-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5324-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5360-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5400-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5440-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5480-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5520-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5560-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5600-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5640-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5684-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5724-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5760-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5800-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5840-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5880-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5928-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5960-459-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6008-465-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6040-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6080-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads