berbew | 2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe
Size

163KB
MD5

a8390c0cf04f41733d44e639bb948cbc
SHA1

3e683ba2bcd24a03463572c713782e4a14ad1533
SHA256

2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838
SHA512

d076c4f3b0b069fc3593c7929f2c947d0d78047d5809aa7568d3897c4d999775a4382d9550970c947a0774503398b14428cfa6f1aff40ed086241fedc71df6a3
SSDEEP

1536:PT8E2ZsXQVN0dCNZqRrEqAm5VLTlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:F7gQU7YEwRTltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 56 IoCs

pid	Process
2432	Ampkof32.exe
2436	Acjclpcf.exe
5012	Ajckij32.exe
3688	Aeiofcji.exe
4232	Ajfhnjhq.exe
2792	Aqppkd32.exe
1800	Agjhgngj.exe
3744	Andqdh32.exe
4464	Aabmqd32.exe
3972	Afoeiklb.exe
2656	Ajkaii32.exe
4960	Aepefb32.exe
8	Bfabnjjp.exe
4024	Bnhjohkb.exe
3532	Bcebhoii.exe
1148	Bjokdipf.exe
2336	Bchomn32.exe
4280	Bffkij32.exe
5100	Bmpcfdmg.exe
2056	Bgehcmmm.exe
4376	Bjddphlq.exe
860	Bmbplc32.exe
3596	Bhhdil32.exe
4696	Bnbmefbg.exe
1092	Cfmajipb.exe
3864	Cjinkg32.exe
3188	Cmgjgcgo.exe
2472	Cenahpha.exe
2484	Cjkjpgfi.exe
396	Caebma32.exe
3868	Chokikeb.exe
2760	Cnicfe32.exe
4872	Ceckcp32.exe
3456	Cdfkolkf.exe
4568	Cjpckf32.exe
5108	Cajlhqjp.exe
1020	Cdhhdlid.exe
1972	Cjbpaf32.exe
3736	Calhnpgn.exe
3196	Ddjejl32.exe
2620	Djdmffnn.exe
3232	Dopigd32.exe
4528	Danecp32.exe
2016	Dhhnpjmh.exe
1840	Dobfld32.exe
3040	Daqbip32.exe
2844	Dhkjej32.exe
2496	Dodbbdbb.exe
3552	Daconoae.exe
3472	Ddakjkqi.exe
3816	Dfpgffpm.exe
4360	Dmjocp32.exe
2148	Deagdn32.exe
2180	Dgbdlf32.exe
3812	Doilmc32.exe
4364	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4336	4364	WerFault.exe	142

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 2432	4836	2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe	84
PID 4836 wrote to memory of 2432	4836	2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe	84
PID 4836 wrote to memory of 2432	4836	2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe	84
PID 2432 wrote to memory of 2436	2432	Ampkof32.exe	85
PID 2432 wrote to memory of 2436	2432	Ampkof32.exe	85
PID 2432 wrote to memory of 2436	2432	Ampkof32.exe	85
PID 2436 wrote to memory of 5012	2436	Acjclpcf.exe	86
PID 2436 wrote to memory of 5012	2436	Acjclpcf.exe	86
PID 2436 wrote to memory of 5012	2436	Acjclpcf.exe	86
PID 5012 wrote to memory of 3688	5012	Ajckij32.exe	87
PID 5012 wrote to memory of 3688	5012	Ajckij32.exe	87
PID 5012 wrote to memory of 3688	5012	Ajckij32.exe	87
PID 3688 wrote to memory of 4232	3688	Aeiofcji.exe	88
PID 3688 wrote to memory of 4232	3688	Aeiofcji.exe	88
PID 3688 wrote to memory of 4232	3688	Aeiofcji.exe	88
PID 4232 wrote to memory of 2792	4232	Ajfhnjhq.exe	89
PID 4232 wrote to memory of 2792	4232	Ajfhnjhq.exe	89
PID 4232 wrote to memory of 2792	4232	Ajfhnjhq.exe	89
PID 2792 wrote to memory of 1800	2792	Aqppkd32.exe	90
PID 2792 wrote to memory of 1800	2792	Aqppkd32.exe	90
PID 2792 wrote to memory of 1800	2792	Aqppkd32.exe	90
PID 1800 wrote to memory of 3744	1800	Agjhgngj.exe	91
PID 1800 wrote to memory of 3744	1800	Agjhgngj.exe	91
PID 1800 wrote to memory of 3744	1800	Agjhgngj.exe	91
PID 3744 wrote to memory of 4464	3744	Andqdh32.exe	93
PID 3744 wrote to memory of 4464	3744	Andqdh32.exe	93
PID 3744 wrote to memory of 4464	3744	Andqdh32.exe	93
PID 4464 wrote to memory of 3972	4464	Aabmqd32.exe	94
PID 4464 wrote to memory of 3972	4464	Aabmqd32.exe	94
PID 4464 wrote to memory of 3972	4464	Aabmqd32.exe	94
PID 3972 wrote to memory of 2656	3972	Afoeiklb.exe	95
PID 3972 wrote to memory of 2656	3972	Afoeiklb.exe	95
PID 3972 wrote to memory of 2656	3972	Afoeiklb.exe	95
PID 2656 wrote to memory of 4960	2656	Ajkaii32.exe	96
PID 2656 wrote to memory of 4960	2656	Ajkaii32.exe	96
PID 2656 wrote to memory of 4960	2656	Ajkaii32.exe	96
PID 4960 wrote to memory of 8	4960	Aepefb32.exe	97
PID 4960 wrote to memory of 8	4960	Aepefb32.exe	97
PID 4960 wrote to memory of 8	4960	Aepefb32.exe	97
PID 8 wrote to memory of 4024	8	Bfabnjjp.exe	99
PID 8 wrote to memory of 4024	8	Bfabnjjp.exe	99
PID 8 wrote to memory of 4024	8	Bfabnjjp.exe	99
PID 4024 wrote to memory of 3532	4024	Bnhjohkb.exe	100
PID 4024 wrote to memory of 3532	4024	Bnhjohkb.exe	100
PID 4024 wrote to memory of 3532	4024	Bnhjohkb.exe	100
PID 3532 wrote to memory of 1148	3532	Bcebhoii.exe	101
PID 3532 wrote to memory of 1148	3532	Bcebhoii.exe	101
PID 3532 wrote to memory of 1148	3532	Bcebhoii.exe	101
PID 1148 wrote to memory of 2336	1148	Bjokdipf.exe	103
PID 1148 wrote to memory of 2336	1148	Bjokdipf.exe	103
PID 1148 wrote to memory of 2336	1148	Bjokdipf.exe	103
PID 2336 wrote to memory of 4280	2336	Bchomn32.exe	104
PID 2336 wrote to memory of 4280	2336	Bchomn32.exe	104
PID 2336 wrote to memory of 4280	2336	Bchomn32.exe	104
PID 4280 wrote to memory of 5100	4280	Bffkij32.exe	105
PID 4280 wrote to memory of 5100	4280	Bffkij32.exe	105
PID 4280 wrote to memory of 5100	4280	Bffkij32.exe	105
PID 5100 wrote to memory of 2056	5100	Bmpcfdmg.exe	106
PID 5100 wrote to memory of 2056	5100	Bmpcfdmg.exe	106
PID 5100 wrote to memory of 2056	5100	Bmpcfdmg.exe	106
PID 2056 wrote to memory of 4376	2056	Bgehcmmm.exe	107
PID 2056 wrote to memory of 4376	2056	Bgehcmmm.exe	107
PID 2056 wrote to memory of 4376	2056	Bgehcmmm.exe	107
PID 4376 wrote to memory of 860	4376	Bjddphlq.exe	108

C:\Users\Admin\AppData\Local\Temp\2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe
"C:\Users\Admin\AppData\Local\Temp\2e4e670039dc869f9664150ebda1bbf0cc0dd435e87786a1258ab75713388838.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\Ampkof32.exe
  C:\Windows\system32\Ampkof32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\Acjclpcf.exe
    C:\Windows\system32\Acjclpcf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\Ajckij32.exe
      C:\Windows\system32\Ajckij32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5012
    - - C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
      - C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 404
        58⤵
        Program crash
        
        PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4364 -ip 4364
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
163KB

MD5
b76f43c7a61d4b635b060c577e368dbf

SHA1
1e0b70d66288a6c8419ed88e850f5d62a547d3d9

SHA256
12ae50f1c33ea4508483dde744dc00f5e917ea993dbef63b086bbac0a45b2759

SHA512
16732fc45509ac90826e2cad3467f25d97aaa9d4bdb7e4b03c1b55b67f1ae45e98fe4a685f820473c3565cc788682902bad4dd65c7f4c6adb34995bf9ab3d251

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
163KB

MD5
4f0dbb3b01567030249e40628891115f

SHA1
69504ffeb981fb729882907ae94da15ef1c7efe0

SHA256
f08879aa2ff06c0b49949d5dfaefa817f00ac6bbeb7a2e32eec8d3e838c12a47

SHA512
b42faa2afb26f1cff89810096a0ea849fc392e88245becd6c94adf9cc91033888866e5831181bdf9c4d99cbf84dc29b67a6e0b5c224be37dbc91c08a037f2467

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
163KB

MD5
d07131ed78dcc7267254776a949f34d6

SHA1
528dbfb013ec962f2e3b5bfd649a961941ae1172

SHA256
aaa96965d8f7ebf3e844be300b720685a8a04615aca9b78ca66ed84c4c30d125

SHA512
277652f473ff29dc8af4a1fe9007f78ca6af190107f874c6568050b573e69d31508bcaac19c193553f25c55923022b85fd93f410ba51c17d9beec0268bd8079a

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
163KB

MD5
e627217422188e83bc5ab2b1b9784530

SHA1
ed785ad759655ddc6ca063a58d8b1551d43c085a

SHA256
151e9125aa8da7d245bab53f42481ca8140b017bba5b84d2c520bc0bc006225c

SHA512
12c86972fd9f8a61bb58ec688909334b457980ce742d8293e626fe47eb62c18b664b3af5f1376a518dd49920759bff5d927510d9e9f7c039e7b0617b97224eca

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
163KB

MD5
527074bb2c8924749237fa6841fb7c89

SHA1
4ee7539c9a73786a6c93923fda995cef4fc224e6

SHA256
f48ceea346e69a91b155fc40f1ca5c33afa0a04de62196f4d84336f61b9e4694

SHA512
551500a0de98dfe7c04dbc25ff7a2809898682a56153433d564209194f1bb2e351797328813913e97a126a567d681ccbfacb26fcae869bb64c70c9b90b898cba

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
163KB

MD5
cd0ceac40fdc7184b4aa8a44dfe78381

SHA1
eac444e1c91091ecb8edc472ee7df7fff7dbdc98

SHA256
c0a8cdf15107f0063a28445a3e8c05c76cfbce7c4fa848d9edf9930eba3fcd9f

SHA512
00c40ddce78eb9319ff72ecfa6b4d607047a3d43613674ee2f1e8e30ae002af27ee78f432e9160ce29b56b2315e525b696ab28f3eb70a008ba87018c4a91d5fc

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
163KB

MD5
0bb3e24c8674d9b11381f1d2f9b1fb1e

SHA1
9e2006e2a6e3e90d4f3aa412ccc78c151dd12691

SHA256
e8d3bac37dd8ea4d0d48237cf4af05de6651b98f788a6ef16132e0c6ee3afa37

SHA512
bb76d8a8b3c3fdd740c10b84250451176a948aecd54399df845af5adbabcd608207edfea1cbc326b4117b731047ddce7df71aba72e31695c0d1e3c74d0dc440b

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
163KB

MD5
b3af530eef26cde2e07f980799baa9eb

SHA1
0bb6f88fce4e66cc08d655299f88586d293a2b36

SHA256
456b08b7b6a281241e51ad5c27d12f087fa3e1b4d1c1a3b88ff698e196b9be98

SHA512
5af5a439a3b61eda568ccce210682f770c29c9f4def04b7496bfb0928900c1e916d70c4c4fba9518b5875c81c20bfc3e98704cc16c4550c275853c8b3e272f43

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
163KB

MD5
4d50bcb27bb759594cec27fb5dce9d78

SHA1
2cfa2f50ea7286482bc70a0f908fc4a1fb003914

SHA256
695c6ace3b152e16a78a9c47cfcb3c84a978a231fa7298fcacc248999d9c11a1

SHA512
9cdfff6f2e5891cb4eb17214c42236a46b1684feddf410bf210582901d997674a0dfb412c47f8a5dc4cd45bc0f5bc25e781592660e7f125fd6e6d375c27e191a

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
163KB

MD5
c631fd61ebd581dcde3a305263429f27

SHA1
9536d375804620f7343ea5c954f5ccf6a011231c

SHA256
07f72a095e3a1133be29dddde84e0df766344ad4990e0dcf31a918222fb2ad7c

SHA512
b65e666eda721da8148791bf22d47058a39e4e2bc3dcda267b5c591c64de75332e956377680a752c73304099e13efa81d607c36b27a7f4a67f29a94e803a9348

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
163KB

MD5
02b96e55bdb78fdc9dcbfd896926fb05

SHA1
25106e74d1f69f95f963e0eb7069bc177aca1f6c

SHA256
6d353d25d7ea4c6a2e61377600d1238f6a3df7fca7a10dbfedeafeb5c48ea208

SHA512
9d703f8c277b1dadcbe99979e25a207fe2dccc3723e9c745caf16332090178b4a03984883af272f737439930151575b19652a912686cc35b02495c4d2186d2bf

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
163KB

MD5
d34893b7fa126f15db9e131b9543cc18

SHA1
81cf0a09763340d92e94bbfb5e4cf936513ffd9b

SHA256
fcfd840d30841b5a14de10240ba97b85206b43b4f46b47d374186f2cf63a478d

SHA512
c745abb96e62d6ca81a43448a096c5198c4b539f910c7781fe72ed2c5cbf03dff0d11684c84ddb5d3df999256dd3fd437cce4d2d8404e3dc390038f1aeba5ff8

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
163KB

MD5
0006c3f05c8a2e9e6d83e4527c3429b0

SHA1
1152730ac48256f8876bc6c4aab0b7aa486eec8b

SHA256
b060dc1bcc2506094a9ff847002910041c741f85196fb52d9dfe8433b946fa3f

SHA512
b3be4cadb95738283e59d0648ba923f4abff94052424d878e11374803253a285659b89d62fd7fff1fb0dc346fef6bfa06a8ca5b83fc5c316c42439888f67d7f9

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
163KB

MD5
ef6aba10adf45b4fb92a21fce718b8b0

SHA1
4983af55bc9df0d6a9f1452ebc2e6adc59ab6e54

SHA256
77f07744ae95b1c32c1f6bcdca98ae8883751ce2ce4553b83016dc380f5ac7be

SHA512
f9aacf134ba032416c3226e66d6aaf0e7ef0e9f29a88546fbaf7fe02df1bd08b6c6965acea6d9c20e6d02ecf58d98c3358056a4daf2b5892381d25a7f265ea8c

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
163KB

MD5
85c7c835f74a951439954ab66b3b88c3

SHA1
53bcf3bb121de6d27a9b7d25e7ae9e3ec7d90afd

SHA256
7bc242ca7a000b4d7d6722ef0ace3b29c407e7b75ce268a29cee1affd2a04df3

SHA512
4b0453c5bc2e9fbaf2fd3079b00a6ce5814155e6301857131022bb89caa322cbbbd5b1e9769ed0da4ca44006e2f5d9a7fdbc0a09fe0d9614108a3918cb7e041a

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
163KB

MD5
3053cd837bb4891c16a30cec67f1d092

SHA1
8fa32d738eed2329da6b16cc4e6e3691b3939681

SHA256
0da6689ab19c0830e895e2824608beeb63f21d4c382c2249831cc620e0260aac

SHA512
d9a221470602a0aef4e9ef4a32c96626cb94e552c91afd3af72e7857533a3efc1b3b7f05a4b776ebf036e7a776843fff944b6114a24de0f7469fe50a59253cc1

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
163KB

MD5
662dd7b001a15fe597885c62f3a50586

SHA1
43c1490ee6e0ece9c24f1160075ef53ef7d99704

SHA256
2721cce16b9559f77234c11dec0f0a1755fa3d1c5733e78afb4049f7eda1a06c

SHA512
cd62346b61517a5e8b06ec513b56443d9dab057fd8c2ce67915a110c293df7ba78673f7a101d669abf8c7d8f666cf6bf961379705f9bc13406b281aae6749ec8

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
163KB

MD5
952d7393dfc2416b7bb23c4648126e91

SHA1
68b84eec22958583b2741006feb83e03a3ace7e5

SHA256
4e587738381d9ec1f5eaa7fe037f816d91ef6e92e33ac8676ed5ed20fd8e7a26

SHA512
a577c4e4f63e5c40cf5637a6ca8e2244644bd89756398acb61ce00a29dd5a449fa36259ed876c111d919bcb8491f337c1441435ceb0cb345a6c59aeb0d237f7e

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
163KB

MD5
5083c4687126fa29559932efa003160c

SHA1
be99134af6ed08fed5c0c957e446fb35c7fabf35

SHA256
55060b8f33860aefc07b310272af4577a367f5b3f8f65617caf5e9307ba4bc9b

SHA512
b78eaa724a04d21d0872d78d9d74ecbb454a69c0948f5ecf529c3b0317fd1d46eb0f2f572b403fd3944804ce4f6d0e7c1cf7eaaac532d9b1235899041fd3e1f1

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
163KB

MD5
2a849515e42b32d7e461935de19c53ce

SHA1
961fddd7ee3fd2e1a3c495de3d23551d89a25ec1

SHA256
19b44b899108ca3ce1ff4702666ed9f7cc5a96a474394069f9aeecce70f499a1

SHA512
c63490a37f3d57c157a9a19f72fdd2e2d30b3e1e11d421bef47178c964a924b27bb2bcc53c61a5bd761fb89ba94e134e3de7fecacb7379b80b412ab10ca007bf

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
163KB

MD5
8dc835a154dc5c633eca33828f8d31d3

SHA1
c0b4f98f2dbecaa0143a564e8ffe89cbe5559e24

SHA256
a6a8101828476895850b93ea9c8f502cd501edfc9d1e417b75da9cf2af7b826b

SHA512
09ce807dd6b1547a57a6bf8844e8f1abed396c124fe26fd1334cc5cf78b856ebb9ffa19251cd78667f9efc9e4f59c0d3195e8df41528125e1a9cee2a708c2b82

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
163KB

MD5
ea6ee89fc721980cc59bec1c8e06087d

SHA1
a8e68924111db6bb9bb43e1304f1b94ac96e4e37

SHA256
293f9758ed03b7ac97f4b581053435ef1fae516759f60cccf5c581282a5b4f0d

SHA512
02f6edb664a2f3ad794c8423b4adb26ade00890b3e4cded258b3a7af898daa6df6118d0a06bc9fc2615537716c395ae9db9e79ec8da04a01e96fa54b57841511

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
163KB

MD5
f1441606687b4818c06cb6cb4fdc65c5

SHA1
6cf938bcca4e8e16667ae9443c226460037cb9e9

SHA256
246e18ffc7d4a205dc4d4d82ea828b9f8899e72e8ce9c05a3847ca146e9711ee

SHA512
5c0fb8c4cb220e19e0a4d8d69a61fd13bff581cfe2383250d836faf574ef3640856ffba7354373ebcdc9f44ca22c3a27c204bfb00e96b437c9d55f08b2091955

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
163KB

MD5
ed9a908c9229866f2765b1d25cc09f6c

SHA1
f73642e5aaf6bea30404ac13bbf2c06802115ab1

SHA256
0fa89c7835bb0f9eaaab5b898e03c6bc6f1d8065870a06fba5c9465278863cf1

SHA512
cc8b05b32e9d08a4b1d7bd5d9d4348458433f6b3a9120df5de6a92dd4094bfd352ce3abe3d8b79963c4e6e0638a08fb073b2f5fb302b05aa6d7a325cd8e6f0f8

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
163KB

MD5
b5ba02aebb68b3c0ea1720070465330f

SHA1
4a8e04f98618983e145164c7e7040d294122778b

SHA256
9cfa76a372358e9512616c00a59885c34a8e2be1474927fa711b6927ef1496db

SHA512
480f7bd46cc3249a8e930f96895bb94d54d0e58eca673fcfa5d80c0a9c8dcfe9b99379ad9f2c931e8069a74a6029f88bf36978c27979d462686d924d68355e3c

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
163KB

MD5
faf60c9e65160169299dd62d88b4a562

SHA1
66c5bf2330fac5f6e07cc2a0f5abd25ca3dd353c

SHA256
bdb39574042a2dcd2e45d30afb7c437fbdb5b9edbf1577ccfd1d52302e140115

SHA512
1aec7134067d6399572629315b9f61330c7df07d7e0fcffdbc2cd1ecd8fe6dde7eda246211117f99b60666df5b703318a4b2afe010f5df6431550e14fa1d0a99

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
163KB

MD5
48c76772b9b452f40b8b3134e689fb80

SHA1
1c2a8434eb04a5facece1d10a8d8799e5ddbcb15

SHA256
b6740fd212984f24ab19266d1b2a29f4de0c0b47ce5f3c9da91cebbb47878670

SHA512
54280d86013bc5e0cf1a06e4792499bee0148835ead93b60a43632a1abed2a8cfc98c9f4c1cc25f52fdb3c5476ddc798f4216a6ec796d4a2825476e4729cff9e

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
163KB

MD5
1a3db08ff59c77b5eeebc0549756977a

SHA1
16595a1e0c8de185c65434c330553655b475334c

SHA256
43c62b7442254a68a3b91dd427a3ff44df497cb353305c8ef9c44bdd6bc4b452

SHA512
73d78b8ce5ab065d43c55832cfdfadb1cb2f06df258b84d1d710a4b103042cd4739d1263dcdf67acf430670aae400579379fb28d898b1bed7d7ab699dc2d3aba

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
163KB

MD5
f94c4aee478689dd11a5e378489432b8

SHA1
8447e5d9b05c069db949b9eba2e7edbccb0d0ebe

SHA256
3e631249c1ad0f8848bfc4430fc1b233ad977059474020ec1f86722103b61793

SHA512
0ceffb75c8a5b38f72f96b03115f24d47ea8f19569493d35be245fd4e48252cd47c531eb86fe83db8f80bc933e709790ba4ce7214c7fb0d05721f7feac5b294b

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
163KB

MD5
564c1408fd1e25f454631323d4a1d312

SHA1
978ff2e3d26200988778189ece10aafff8d6ebe2

SHA256
568dfc6eac94a734ef0ed5add6188a4d08819f0a3935a18d653a8c6ec157160b

SHA512
4e3021a08b5a98db0ed81e2809dfa8228860aa4d403c45c259352469ea718ddef9236c3bee7345afe12259f5f7efb0fbf7fbbbf21826cfbda2dc6090653ffa6e

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
163KB

MD5
f184e36f86f0eea8efa6f79efe93d4ac

SHA1
66eb54665cb207617768376f1438714bc7f95121

SHA256
5c3ab33b7cfa9136bf63bad6ca6f49bbdfb2089a36f1d4ec55d03f69a79734ee

SHA512
1f5e85024b3ce8d3be43c9a946da8cfab7b661ccbc939f47f40b7e74db985afc084083a66d3cdee7fb909d2dda4ea91129c93be0ba73244e125468ec84a9fc74

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
163KB

MD5
3c2db04385c0129084495d047d932cc0

SHA1
6242ceaad7dd8797cfd99efda8e454fb0d596aba

SHA256
fe53123d59594d82d101c62451873601b49e45e21db25d855d1241c3d7333fee

SHA512
71962a7cfcaa245a2f580645319baac7eca35494d37808e1216a37c5bfb7e43b818c2ae31eacf93cf7b94c85a0ac5c4f4b4fcace32649725b2c7e6b3d8172ba4

Download Submit
memory/8-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/396-455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/396-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/860-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/860-471-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1020-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1020-441-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1092-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1092-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1148-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1800-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1840-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1840-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1972-439-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1972-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2016-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2016-427-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2056-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2056-475-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2148-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2148-411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2180-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2180-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2336-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2436-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2472-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2472-459-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2484-457-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2484-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2496-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2496-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2620-433-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2620-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2656-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-451-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2792-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2844-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2844-421-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3040-423-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3040-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3188-222-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3188-461-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3196-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3196-435-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3232-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3232-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3456-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3456-447-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3472-415-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3472-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3532-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3552-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3552-417-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3596-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3596-469-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3688-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3736-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3736-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3744-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3812-406-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3812-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3816-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3816-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3864-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3864-463-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3868-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3868-453-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3972-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4024-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4232-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4280-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4360-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4360-410-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4364-403-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4364-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4376-473-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4376-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4464-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4528-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4528-429-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4568-445-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4568-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4696-467-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4696-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4836-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4836-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4872-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4872-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4960-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5012-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-477-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5108-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5108-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads