berbew | f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178e

Analysis

max time kernel
104s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2024, 18:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178eN.exe
Size

96KB
MD5

4e41eb12287a9e101f41a3f31ccbba90
SHA1

5a18ca865cef79e7807ce2d9dfd79a6c1b5270d6
SHA256

f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178e
SHA512

89110db90388dc2588de403780ff1fdff98d65307d9d9c4654c9924eb8365b818bbec415cbb378e91ecec7b7703ed555392d0551afdece1a758163a6d4140494
SSDEEP

1536:BQA3Udlmbwns35Y1AHWzGkoE/HM4/qNkc8Gdg+FFqWpvU2LJ7RZObZUUWaegPYA:4QvJOc8Gd9FFqUvtJClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178eN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 62 IoCs

pid	Process
4808	Ambgef32.exe
2796	Aeiofcji.exe
868	Agglboim.exe
2152	Ajfhnjhq.exe
1224	Amddjegd.exe
2076	Aeklkchg.exe
2920	Agjhgngj.exe
2424	Ajhddjfn.exe
2816	Aabmqd32.exe
1168	Acqimo32.exe
1588	Ajkaii32.exe
5056	Aminee32.exe
2184	Accfbokl.exe
3772	Bfabnjjp.exe
2208	Bmkjkd32.exe
1140	Bcebhoii.exe
1616	Bfdodjhm.exe
1528	Bmngqdpj.exe
3368	Bchomn32.exe
548	Bffkij32.exe
1396	Bnmcjg32.exe
2056	Balpgb32.exe
1428	Beglgani.exe
700	Bfhhoi32.exe
1360	Bnpppgdj.exe
5116	Bmbplc32.exe
2736	Beihma32.exe
2988	Bfkedibe.exe
1592	Bmemac32.exe
4828	Bcoenmao.exe
628	Chjaol32.exe
4476	Cmgjgcgo.exe
4260	Cdabcm32.exe
3660	Cfpnph32.exe
956	Cnffqf32.exe
3796	Caebma32.exe
1952	Cdcoim32.exe
4108	Cfbkeh32.exe
3528	Cmlcbbcj.exe
652	Ceckcp32.exe
3176	Cdfkolkf.exe
3480	Cjpckf32.exe
3500	Cmnpgb32.exe
4660	Ceehho32.exe
3032	Cdhhdlid.exe
1472	Cffdpghg.exe
3052	Cmqmma32.exe
1612	Cegdnopg.exe
3888	Dhfajjoj.exe
4076	Djdmffnn.exe
216	Danecp32.exe
3748	Dejacond.exe
3012	Djgjlelk.exe
2428	Dfnjafap.exe
3644	Dodbbdbb.exe
1668	Dhmgki32.exe
1844	Dkkcge32.exe
5084	Dmjocp32.exe
4604	Deagdn32.exe
4324	Dgbdlf32.exe
3612	Dknpmdfc.exe
3540	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178eN.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4636	3540	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4808	4608	f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178eN.exe	84
PID 4608 wrote to memory of 4808	4608	f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178eN.exe	84
PID 4608 wrote to memory of 4808	4608	f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178eN.exe	84
PID 4808 wrote to memory of 2796	4808	Ambgef32.exe	85
PID 4808 wrote to memory of 2796	4808	Ambgef32.exe	85
PID 4808 wrote to memory of 2796	4808	Ambgef32.exe	85
PID 2796 wrote to memory of 868	2796	Aeiofcji.exe	86
PID 2796 wrote to memory of 868	2796	Aeiofcji.exe	86
PID 2796 wrote to memory of 868	2796	Aeiofcji.exe	86
PID 868 wrote to memory of 2152	868	Agglboim.exe	87
PID 868 wrote to memory of 2152	868	Agglboim.exe	87
PID 868 wrote to memory of 2152	868	Agglboim.exe	87
PID 2152 wrote to memory of 1224	2152	Ajfhnjhq.exe	88
PID 2152 wrote to memory of 1224	2152	Ajfhnjhq.exe	88
PID 2152 wrote to memory of 1224	2152	Ajfhnjhq.exe	88
PID 1224 wrote to memory of 2076	1224	Amddjegd.exe	89
PID 1224 wrote to memory of 2076	1224	Amddjegd.exe	89
PID 1224 wrote to memory of 2076	1224	Amddjegd.exe	89
PID 2076 wrote to memory of 2920	2076	Aeklkchg.exe	90
PID 2076 wrote to memory of 2920	2076	Aeklkchg.exe	90
PID 2076 wrote to memory of 2920	2076	Aeklkchg.exe	90
PID 2920 wrote to memory of 2424	2920	Agjhgngj.exe	92
PID 2920 wrote to memory of 2424	2920	Agjhgngj.exe	92
PID 2920 wrote to memory of 2424	2920	Agjhgngj.exe	92
PID 2424 wrote to memory of 2816	2424	Ajhddjfn.exe	93
PID 2424 wrote to memory of 2816	2424	Ajhddjfn.exe	93
PID 2424 wrote to memory of 2816	2424	Ajhddjfn.exe	93
PID 2816 wrote to memory of 1168	2816	Aabmqd32.exe	95
PID 2816 wrote to memory of 1168	2816	Aabmqd32.exe	95
PID 2816 wrote to memory of 1168	2816	Aabmqd32.exe	95
PID 1168 wrote to memory of 1588	1168	Acqimo32.exe	96
PID 1168 wrote to memory of 1588	1168	Acqimo32.exe	96
PID 1168 wrote to memory of 1588	1168	Acqimo32.exe	96
PID 1588 wrote to memory of 5056	1588	Ajkaii32.exe	97
PID 1588 wrote to memory of 5056	1588	Ajkaii32.exe	97
PID 1588 wrote to memory of 5056	1588	Ajkaii32.exe	97
PID 5056 wrote to memory of 2184	5056	Aminee32.exe	98
PID 5056 wrote to memory of 2184	5056	Aminee32.exe	98
PID 5056 wrote to memory of 2184	5056	Aminee32.exe	98
PID 2184 wrote to memory of 3772	2184	Accfbokl.exe	99
PID 2184 wrote to memory of 3772	2184	Accfbokl.exe	99
PID 2184 wrote to memory of 3772	2184	Accfbokl.exe	99
PID 3772 wrote to memory of 2208	3772	Bfabnjjp.exe	100
PID 3772 wrote to memory of 2208	3772	Bfabnjjp.exe	100
PID 3772 wrote to memory of 2208	3772	Bfabnjjp.exe	100
PID 2208 wrote to memory of 1140	2208	Bmkjkd32.exe	101
PID 2208 wrote to memory of 1140	2208	Bmkjkd32.exe	101
PID 2208 wrote to memory of 1140	2208	Bmkjkd32.exe	101
PID 1140 wrote to memory of 1616	1140	Bcebhoii.exe	102
PID 1140 wrote to memory of 1616	1140	Bcebhoii.exe	102
PID 1140 wrote to memory of 1616	1140	Bcebhoii.exe	102
PID 1616 wrote to memory of 1528	1616	Bfdodjhm.exe	103
PID 1616 wrote to memory of 1528	1616	Bfdodjhm.exe	103
PID 1616 wrote to memory of 1528	1616	Bfdodjhm.exe	103
PID 1528 wrote to memory of 3368	1528	Bmngqdpj.exe	104
PID 1528 wrote to memory of 3368	1528	Bmngqdpj.exe	104
PID 1528 wrote to memory of 3368	1528	Bmngqdpj.exe	104
PID 3368 wrote to memory of 548	3368	Bchomn32.exe	105
PID 3368 wrote to memory of 548	3368	Bchomn32.exe	105
PID 3368 wrote to memory of 548	3368	Bchomn32.exe	105
PID 548 wrote to memory of 1396	548	Bffkij32.exe	106
PID 548 wrote to memory of 1396	548	Bffkij32.exe	106
PID 548 wrote to memory of 1396	548	Bffkij32.exe	106
PID 1396 wrote to memory of 2056	1396	Bnmcjg32.exe	108

C:\Users\Admin\AppData\Local\Temp\f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178eN.exe
"C:\Users\Admin\AppData\Local\Temp\f9dc5283a19859f3a92a5134fe470d4be0ece004256f9feef4349353ee45178eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\Ambgef32.exe
  C:\Windows\system32\Ambgef32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\Aeiofcji.exe
    C:\Windows\system32\Aeiofcji.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\Agglboim.exe
      C:\Windows\system32\Agglboim.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 396
        64⤵
        Program crash
        
        PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3540 -ip 3540
1⤵
PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
d61c4d719e0fe2472d54d3f50f409a42

SHA1
55fd821011b06fe3fcf6b94988be33985f951c35

SHA256
94f705b93ca0dd63865e91d0769d994bf532d1b10052bbb956b0c6f965165141

SHA512
d3c4f592f14a5915aa29226bc9dfbaca098813e88c95e4996c431e9ebf0ced6201d4fe30f2ee2c1855b4cf7d39ab0841215df113ea97b4e4e61a0c6ab7a231c6

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
96KB

MD5
26973997ab79c25097f2dcfe9d09a793

SHA1
e26bb647be52c77019bdf37d477cc5ec966f1a2b

SHA256
ddd3c94ff6a2e7e8d18be42a15aa56992ede92a237a996818a388216d7f71de9

SHA512
14130c8a8280b41354b12ade9e042df8a150b80da7135c69e01f85e54102f811fb0e0fb99a7b2dfec2672045511d00cf8b4d87a189ca695c2e8fcebbdfd3e20d

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
96KB

MD5
d87938e25c99a0f9ce2c108c0451f359

SHA1
392795a240677a049b949cc082b8caf4b4a1bcee

SHA256
ad2d932421577274ae0a965f8e5e75ab90b69a59faf670aa65573acbe5037901

SHA512
f9c80c6d7a9be1baec1060d26c41c7a4b1ecd76aadf1fbb4623840b53a40b158b1029b45c1b9f502db6455caca1d0df535c93aa7ba8be8939d735e738822a74d

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
bfdb477bd0260ecb0964aef56ad32bda

SHA1
96078567b4bd0405655968969b48568cee2f874f

SHA256
4a0f843c6d69e2c5391760fc547af7a08f12979c651bdefd43f5bc8bfda3f0fa

SHA512
096c2ff2970cbdc2785c79e24efe8b76d0aae64d75b4e6192a3d8202f350d88b8a868bc0a8c2f23198f5818c317b78326a3c07d2233b8e9b6fb577cb22a47815

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
96KB

MD5
4ca69afc7d97a77a1f9456c4a8da5553

SHA1
ddcc95f008e08ff66c8394dba706bc6c93f78f30

SHA256
747dec3bd8d9e568dd626d9ae0bf9d8de589d6a8becb8d4b569291c6be8bad7e

SHA512
12fb00ec16555b59f23dbef2910fb6aed72b03fe9932ece0b0d54c118db291f061dd17a1d0101c9d07cb23688e2ebc1294d32f7b9cc0347588138021015e5720

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
96KB

MD5
0102375a22f86e0737a437588a91c5c6

SHA1
940e9b4491245f07d7f2a85b3e30ba72e08fda72

SHA256
e263ce7ed9988daaad7b23890eefb454f8d5f1ba05685b8b42296b33ae28fb93

SHA512
c5980bb46cf6ba218051f4396fc060248e4dfe4924140d859fa0cf8a4c25fb01eca3e5f7dc46fd82dddab0dd7e7bec7dc6522c2f039c6082819c28d6234d66db

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
96KB

MD5
2a7cee5180333c281a6ac79b652d5723

SHA1
4a5808c40c521fa6beaa9e7f63be0df39ba4f8b1

SHA256
a869c1b589b1adcb1173d5673f2efd1dff62f49b721922232e98aaf76fabbb8b

SHA512
a0ddf99679c5259d973ffc64dcffb1f8d56364c7cc570f7a70e04831550be44a71e56f3c2c80547156af8803b17e82701bc90b5301563ebdaf6df05eb0f9c5b2

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
96KB

MD5
07500078cdb404f1c9662ff7e027c49a

SHA1
0038bcb94b672538ad949d972937fed485e6fc65

SHA256
96925b380ff0b80fd670cf15f0317fd46a4fce359affff3097da9b9bc016c547

SHA512
19cd16543f8a7e7cb73bed37a19c22cd447a21e57fac085d56dbe97175d46369e135a8aac918d40bce2ebf252cb35b64a2351466bd4fd8c4c81f0e1fb9485000

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
96KB

MD5
c8473889fa0438cf9d689d19ef9a8131

SHA1
298f2017e44c2b276cdfdb0bacf8fba1547e192b

SHA256
faa3c845b524e69b5e82daa290bd8e7619d773f2e88f0fac298df4730c5f8621

SHA512
c648c051a10dc864c6539af9da668cff1c235f3a19c9f563179c9a03ab4b2f6cd21cb5b341ef022f0a85c667ad04e7842f1a2acd42215d49b0888ff1aa136fd0

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
481285ad52e86f93352032a4719c1e82

SHA1
97f041e91bb52829b2f5e0a48e8ccddc4f7b73b1

SHA256
b0218fa7ba414684daa6665526215ac9f765e1d35b93986d930ca4cb0b609641

SHA512
a347e8762b6fed2b1a0263d11215adf2e63803d170dcdd9f13c821be68f04b4e364e79d4bcfa888c0ddc2fdba02fa661968989688eafe76125a887b5e3eb390e

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
96KB

MD5
d44cb5411fdec63d702ba2c57cd1ed36

SHA1
dd209d120d2fc2d7a9b415fed159d2172c5ff73a

SHA256
01048827afff0f8e6661a84d881c4272960ffb03bcc3e94ed8e8521c1c145b7e

SHA512
54456c25c7ad77edbbaec57b4f7f0ba4630f55d4dded9532b56d3094eed8851e68b83991b8e4690ea4e0a4e367631e5f8b453728ccba7e778adaddff5900f243

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
96KB

MD5
3d50e6d916119628226c2409882803f5

SHA1
c7b174c169d1a333c23820b2c91fbea4ab46fdb6

SHA256
f323b15e314d581e165b4ff6dba679086c78ba7a7cf593240a0d9160f1a03f58

SHA512
3554e34ad7589f9c9249237bb674b1727418b10a3a436a202af810197bb42b4e80e1190556e2a1c882da163fcd2ae6667a15d5c49f22532c5e4dfc2052843f57

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
96KB

MD5
a2fe268759627923b266fe504e7088db

SHA1
5508df761e3f4b506a1e1595339f4123ca3d0d33

SHA256
8f2c39cc8b025b5be233beb178e682cab183c0fb28406d4f4324b5e8d7c09986

SHA512
fbe4ee30b33c0228863d302f28d1b705c1622ab5b75603dc9c1386247ac5faf7ce10134bfa4197283c9c396558a02efc1bfa9b4f3f6722581ceb9eaf32ee95bc

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
064444451e62664b2e6cd09f657b441d

SHA1
b5e49d0f380433f985e9ef6ace800aeb042bd881

SHA256
d3e91bcde41d95110a4712603f3d4259217d1e0742ba9353e4005ce5808cc1bd

SHA512
03fadacd42d9a64aa46e60306f32d4a557172bac7833768d5f3bfe3c893c0527137ef0ae84e4cf9f6f32048cb99be7e1f56e3cff35ed73b374cddf33bbf50adc

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
dd6b0a4743007e958a82c631d13004b3

SHA1
9f8f2d8fab481593c29d1a1dde87268ea6280a03

SHA256
17789c65c7478070c0f1a775f3388c88a6c987d23e051039764bfc9c74cf7312

SHA512
28985b2b3e55790991c4fc20587fd03dd8cdce3c9c65323bca82231f04d3fd1270af8174f88dbdf090931b35e6349891083c4fa90e9426f7c0d2b9f7b7336181

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
96KB

MD5
3258c75bb6192b5460c3bc36312b6c8d

SHA1
3eb659abc960d24286238ec46479f80e10b8eff4

SHA256
6ae2f6b675a7a5e338149f3262fbd5ef23b09e97e6418c2cf4922a2cc1326939

SHA512
70fd8a094bf14cae1ccef1b3a45b66eadf491402e72043f31d74fa71408e3d3d5273aa731c397a8301f08c590b33b06abcfcf0904878288a6f99f998bf90ef05

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
96KB

MD5
07b062631d2c85e78d0d458a1f79e198

SHA1
20aaeff2ce98ccbfb62e8e3a59c4777b19e9d550

SHA256
841965cff57e9a81275d4100db3f57cb01ab3870226df61f3e5f72b78b376b20

SHA512
82062fcc73b815334c78e6c89d4a779ca6bf096fcb25f6f734b725dcc4de30fa3f85ed2fb440201a15d4c5da6455c4a8a6eb8f409266866f8401edeeac05f5bd

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
96KB

MD5
7ab4c25764b04083d306689bf85bd1ec

SHA1
14abc6091a2ecc5b1b6eab9a89dbf2679c670598

SHA256
4cd3e34bb5cad73fd18419e17f20629310dcd805df947ea950faceddfdfa6207

SHA512
749aa2aa0221a90b7a5302a8fbf0379a8eb7926352f38ec0392239217486363d02c06f532ba682df3db0d1200659f41936dcaa02d9e6c2289a28626037d5f4cf

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
96KB

MD5
621499565e8031412618baf15b7b513c

SHA1
a965ca38e2166ec3a91f3ec42ab4f921f66fcb03

SHA256
2ec9ae3a451a13b5d37296c72309f2040e4beb6c77d5bd2753c0d91c8cd3a81d

SHA512
df93f415e590e7a7448015b1ee86ce493dca93c011a12394b1b0c0e8165d2ad209d8cc3912756e84a37caa13ea41eb67f995323bf0fd8315a5c2098f9f0f3353

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
96KB

MD5
0fd528ca74de708c5beb00c7c59648c3

SHA1
7082100b3227c5c2981130cdc1ec1cedb8357957

SHA256
9e2c1e2c4a5295e1e89b763a8b909d3b2bdbc57b91601c21a708f6c47ea51819

SHA512
106ad23b3db6854406072931a900a8649646974ef9d7a7c0aa663a70b3bbf90c42c221c3b2857a9950eaaf62c30fed9dc931eac16ff243cb00cd60b75c590c54

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
8c528e9069b8a52d397e885c513011d6

SHA1
6752031788dcf0e11f6bd9e40e4fb6e53e83653a

SHA256
2541cf240420eb1360e637aaa439d56ee5fa097dd254a7ba5a904e7a727ae377

SHA512
42ec9db2aa5150362a701a24bd08c64e824ce620633779ecaeb9b66aa6a386236ab667748a878dc0f2960b388b2899bed4e3ecf448321630687c1af8f0f8f257

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
d0d3b18e5acb88fa2502b6dc171f9c03

SHA1
5c2ceb7ece5b9fe6f63b94a73343e6b8cecab590

SHA256
58beb83182fff439bc3173b81613a3e37d5984f32471c91f32a646547d328cbf

SHA512
e63baf7a74e1dab6292fc7828ebc0a45f45c97d700ea2050045756a2c03634cab221b6ceaf9fee0e091e87cbbc7ff9af9f7cd38c19c396ae080b348706e1abbe

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
c895d1b0212e724836d85da16d05f2ea

SHA1
417b7c7fa09b9586612e8e71753125ad34606ace

SHA256
05cfa5d6825ea029f7b8a5e7fc7e68f53684ffb5e03ef7a3c217637de288da94

SHA512
a3d0a2b89b90c012a833b8a6b330e32c56c29cc80c2f58c3e82e1e5e5836112a87a93185f57b43ac9993c6cf8ab21b86616fe0cccd80c8e315d91824c1dcc6db

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
96KB

MD5
2e4ddbc19220f5894526f67ca484998b

SHA1
31a0875d20125133ae9d252417a453da04035012

SHA256
3be96bdecd9b64b869d823b79a64ef2084a4c986001147102edcc1ca820d8111

SHA512
57ba77cec65c1c554fdaba6d288cca196fd636af9ac5d800e4be7d6c43e20db93585c1a1f2db6e0864a95e4bf077f02a6e3683b10f67fe3b076d42bc67c9b329

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
96KB

MD5
e613e2582da64b4e2a68c0b98178ecf4

SHA1
c9bc54f9b361aa3d086ab055b47e2b9935a54d65

SHA256
4c98c7122a8b472e03fd18f25dcd3b269f438a00d4e2b0f77162041a01df678d

SHA512
b74028da2d6201b246132ffd1a0c41309f4ae5fc7a0c9dd0fc759979ce1c50414a3aafaea2d6ce7f7551ea7f803e3dbcc48dcdfdef1326d84a81dfc03ec887a4

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
96KB

MD5
87a71ddf5f9cbae377f1738239a20ca9

SHA1
24e765d8bc63f779043381cbc92ac7e36e1ca1c8

SHA256
cb6d85776cebaf81331753edec8355511cd83fc455fdcffe23786975d90815f4

SHA512
227497146ed7d5668a42edc37c7cd7db81011af327fda877d5cbe8f614ae3a4842a9eecf78c1e03a2c91e9d84b2b2b856a1915c44b08e96238cb3250ae67e3df

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
96KB

MD5
d380cafcdeca97e9b3b8f03b6701445b

SHA1
c0b9a1d7c80c2fa8628f60e09783d3a9b347265f

SHA256
9747e85c3ccc25d6a6d82663167bac4a620001ab5f36ddef5c8258c6fd4f632c

SHA512
01649ef26c50197174f968ac9db71b5c797ed7d7195aa889abea459a7d3cb83505726d9846eb7d044f10a580f9f2373430745475e3bfe1585d27dba5a80f4a42

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
ad2f1c5c4da6d8a775b6d00326c7e504

SHA1
5eab7c1ee15bfe11eea8fdc29e3c10d61a2ca0a0

SHA256
d80cd2dd522305a78f485aa5a383b0413ceb60b93570c91d416f2617f24925b3

SHA512
dc5820eb45d7c8599974d6f3c7a4bc88b257b0640df126ad7e818867b58dcca85b294922383a21bc5224c32f97de5663b7a357d78a6914d90c74a0e68e554178

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
07dc70797b4cca2c6e7131a10dfeec8b

SHA1
0d3a4309d275d24fe061acc1e5dd444d2696bebe

SHA256
8bf3bcf5cd957c78fd2b671a070f4d8a18e32fc136ff4a700d6e8ca64c79eba0

SHA512
c83fc096f8129687058a54a7bc90dbb3786dea7a2f53cda06e5b4856220610ee17aef2d7281ce9d30defb869b71992d6fb519313d5ed3e883309fd192a75c9bb

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
68aeb04bb68902abc51316938ef8388d

SHA1
965cc4928ea67c7d5cd848316f6f5a73cadc3ba6

SHA256
1c92627f201c595f2f5fe66a60cfbea877b808fe7f9197d7968bb6a906fa003b

SHA512
880ad3a9a8f13cfd2fd2c2a217c7dfd14edf4871b5608a3810a4e14ef653943640999daa8f5453af198ea71d500a2e4c63045d242778669ba0652bb4dce12edf

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
1c82cb1260628e373839a0efc430779d

SHA1
6699a68178c22b88fc8fa8f1ddd685066dd39b5d

SHA256
bbb8bc74a32c8ae86418acc455e6f1d9786a96aba5a1d93781fcd3e84d24eaec

SHA512
b476724fcc914e2880d3c9c3d224625286e9015fead34a6ea01a342a90fc153a250ccd0259a3cd541ba53195d14706ffd1c88692fd4082e607ceebc35aa3cd49

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
96KB

MD5
8a139cfbc1ae59f7d21076093c540863

SHA1
b4cfa45a4d12e46a2990ad8e0d690b0049604f32

SHA256
896787c1c84ec494d1a99b8d1a57f8299c1f69b4bc3a10ef925fe0aeb46c2f07

SHA512
ef7ac56905697e08a4b1cbe8684c6669971aa07bddece19e0560808e67c9430934dc5c375fd3327e840364ba578ae4e51f162b1d864f129669501fc9beddb36a

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
96KB

MD5
f72f7a1584f361ab0b91a4f960b07000

SHA1
85f26be2aad840f38e763ee233e0e0ca59e80aca

SHA256
c096bdb61741a56d207d2f36d65b84c5ed88991a10064b2e572530a629118edc

SHA512
6e89a6cae12e9bdbdd0f3ded576cf6dfac3ffdded1a6bba8dc75ebf810ecf311775d343a59fe32b1518bfcaed7f3405efd5c863c56df435d76291956da4f9914

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
96KB

MD5
d8a87d8c567ef129a2f77fce67abd060

SHA1
e8231a920d63a82da548614f2492357d440f4da9

SHA256
e26181a8e1f007eca84a7331b3cc2dfc4792356f7388ce27bacca5ed7aae8559

SHA512
228d73993ee95e88ea16e7060e925e47640db50328be1c1179efddc48f67f81d7c3cf5beb3e74691142f532fb4fb5491f951d13379ceda3f83c8c9c1fdd22adb

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
e7c0b63da3752f4dfc8da6bca8e5576b

SHA1
6cff7cae2649b54d06d30b079a2bbf8723f8edf8

SHA256
8791d13fb6e4ba6e03f8908db25f6e3bf062b4c1b33cce7ae5dddc41d9082286

SHA512
5b4f06047baa5c7283c83cd70b19f84892c16b1038052abfbc7131bada568d8aa8f7b6c92b3b680015083cc67684c25f112f0f24d31397e75f285cb36724f78d

Download Submit
memory/216-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/700-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4608-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads