berbew | f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12

Analysis

max time kernel
93s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe
Size

92KB
MD5

ef718a0457f3a44202f7740b4050c050
SHA1

d5d389c2714335b88016459b58709643def478ba
SHA256

f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12
SHA512

33225ef516ffab64c0010f7f063fe5ac2acd11effefa3e3117d480325d446e30093ae11d6993e72054373a5688b374036805a71c16bfd39ebde3aab5a9d62e82
SSDEEP

1536:mDCIgigmlf+q6cbX3FxI2rk2czgHcwZ529qKQ/9UwFFN3imnunGP+G:MCIf+q6cjVVghScwZ49QUOFVbe4+G

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4788	Pjhlml32.exe
988	Pdmpje32.exe
1544	Pfolbmje.exe
4148	Pmidog32.exe
2376	Pgnilpah.exe
4460	Qnhahj32.exe
4692	Qqfmde32.exe
3788	Qgqeappe.exe
2860	Qnjnnj32.exe
3588	Qcgffqei.exe
4100	Qffbbldm.exe
384	Anmjcieo.exe
2288	Aqkgpedc.exe
4288	Afhohlbj.exe
3584	Aqncedbp.exe
3728	Aclpap32.exe
4624	Anadoi32.exe
3648	Aeklkchg.exe
3168	Ajhddjfn.exe
2292	Amgapeea.exe
1412	Aeniabfd.exe
3512	Afoeiklb.exe
3032	Aminee32.exe
3272	Aepefb32.exe
1956	Bfabnjjp.exe
4556	Bebblb32.exe
2016	Bganhm32.exe
1776	Bnkgeg32.exe
3152	Beeoaapl.exe
4216	Bffkij32.exe
1912	Bnmcjg32.exe
4520	Bcjlcn32.exe
2820	Bnpppgdj.exe
2316	Beihma32.exe
4952	Bfkedibe.exe
2976	Bnbmefbg.exe
2412	Bapiabak.exe
2608	Bcoenmao.exe
376	Cfmajipb.exe
3044	Cmgjgcgo.exe
3116	Cenahpha.exe
4632	Cjkjpgfi.exe
1196	Caebma32.exe
1916	Cdcoim32.exe
1624	Cfbkeh32.exe
2372	Cmlcbbcj.exe
5076	Ceckcp32.exe
3304	Cfdhkhjj.exe
1752	Cmnpgb32.exe
3312	Ceehho32.exe
2688	Cffdpghg.exe
1052	Cmqmma32.exe
1164	Cegdnopg.exe
1904	Dhfajjoj.exe
2916	Dopigd32.exe
4820	Ddmaok32.exe
4284	Dobfld32.exe
4036	Dodbbdbb.exe
2972	Daconoae.exe
4688	Dhmgki32.exe
4408	Dogogcpo.exe
4464	Daekdooc.exe
3280	Dgbdlf32.exe
780	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4136	780	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4788	4668	f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe	83
PID 4668 wrote to memory of 4788	4668	f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe	83
PID 4668 wrote to memory of 4788	4668	f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe	83
PID 4788 wrote to memory of 988	4788	Pjhlml32.exe	84
PID 4788 wrote to memory of 988	4788	Pjhlml32.exe	84
PID 4788 wrote to memory of 988	4788	Pjhlml32.exe	84
PID 988 wrote to memory of 1544	988	Pdmpje32.exe	85
PID 988 wrote to memory of 1544	988	Pdmpje32.exe	85
PID 988 wrote to memory of 1544	988	Pdmpje32.exe	85
PID 1544 wrote to memory of 4148	1544	Pfolbmje.exe	86
PID 1544 wrote to memory of 4148	1544	Pfolbmje.exe	86
PID 1544 wrote to memory of 4148	1544	Pfolbmje.exe	86
PID 4148 wrote to memory of 2376	4148	Pmidog32.exe	87
PID 4148 wrote to memory of 2376	4148	Pmidog32.exe	87
PID 4148 wrote to memory of 2376	4148	Pmidog32.exe	87
PID 2376 wrote to memory of 4460	2376	Pgnilpah.exe	88
PID 2376 wrote to memory of 4460	2376	Pgnilpah.exe	88
PID 2376 wrote to memory of 4460	2376	Pgnilpah.exe	88
PID 4460 wrote to memory of 4692	4460	Qnhahj32.exe	89
PID 4460 wrote to memory of 4692	4460	Qnhahj32.exe	89
PID 4460 wrote to memory of 4692	4460	Qnhahj32.exe	89
PID 4692 wrote to memory of 3788	4692	Qqfmde32.exe	90
PID 4692 wrote to memory of 3788	4692	Qqfmde32.exe	90
PID 4692 wrote to memory of 3788	4692	Qqfmde32.exe	90
PID 3788 wrote to memory of 2860	3788	Qgqeappe.exe	91
PID 3788 wrote to memory of 2860	3788	Qgqeappe.exe	91
PID 3788 wrote to memory of 2860	3788	Qgqeappe.exe	91
PID 2860 wrote to memory of 3588	2860	Qnjnnj32.exe	92
PID 2860 wrote to memory of 3588	2860	Qnjnnj32.exe	92
PID 2860 wrote to memory of 3588	2860	Qnjnnj32.exe	92
PID 3588 wrote to memory of 4100	3588	Qcgffqei.exe	93
PID 3588 wrote to memory of 4100	3588	Qcgffqei.exe	93
PID 3588 wrote to memory of 4100	3588	Qcgffqei.exe	93
PID 4100 wrote to memory of 384	4100	Qffbbldm.exe	94
PID 4100 wrote to memory of 384	4100	Qffbbldm.exe	94
PID 4100 wrote to memory of 384	4100	Qffbbldm.exe	94
PID 384 wrote to memory of 2288	384	Anmjcieo.exe	95
PID 384 wrote to memory of 2288	384	Anmjcieo.exe	95
PID 384 wrote to memory of 2288	384	Anmjcieo.exe	95
PID 2288 wrote to memory of 4288	2288	Aqkgpedc.exe	97
PID 2288 wrote to memory of 4288	2288	Aqkgpedc.exe	97
PID 2288 wrote to memory of 4288	2288	Aqkgpedc.exe	97
PID 4288 wrote to memory of 3584	4288	Afhohlbj.exe	98
PID 4288 wrote to memory of 3584	4288	Afhohlbj.exe	98
PID 4288 wrote to memory of 3584	4288	Afhohlbj.exe	98
PID 3584 wrote to memory of 3728	3584	Aqncedbp.exe	99
PID 3584 wrote to memory of 3728	3584	Aqncedbp.exe	99
PID 3584 wrote to memory of 3728	3584	Aqncedbp.exe	99
PID 3728 wrote to memory of 4624	3728	Aclpap32.exe	100
PID 3728 wrote to memory of 4624	3728	Aclpap32.exe	100
PID 3728 wrote to memory of 4624	3728	Aclpap32.exe	100
PID 4624 wrote to memory of 3648	4624	Anadoi32.exe	101
PID 4624 wrote to memory of 3648	4624	Anadoi32.exe	101
PID 4624 wrote to memory of 3648	4624	Anadoi32.exe	101
PID 3648 wrote to memory of 3168	3648	Aeklkchg.exe	102
PID 3648 wrote to memory of 3168	3648	Aeklkchg.exe	102
PID 3648 wrote to memory of 3168	3648	Aeklkchg.exe	102
PID 3168 wrote to memory of 2292	3168	Ajhddjfn.exe	103
PID 3168 wrote to memory of 2292	3168	Ajhddjfn.exe	103
PID 3168 wrote to memory of 2292	3168	Ajhddjfn.exe	103
PID 2292 wrote to memory of 1412	2292	Amgapeea.exe	104
PID 2292 wrote to memory of 1412	2292	Amgapeea.exe	104
PID 2292 wrote to memory of 1412	2292	Amgapeea.exe	104
PID 1412 wrote to memory of 3512	1412	Aeniabfd.exe	105

C:\Users\Admin\AppData\Local\Temp\f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe
"C:\Users\Admin\AppData\Local\Temp\f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\SysWOW64\Pjhlml32.exe
  C:\Windows\system32\Pjhlml32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\Pdmpje32.exe
    C:\Windows\system32\Pdmpje32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\SysWOW64\Pfolbmje.exe
      C:\Windows\system32\Pfolbmje.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
      - C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 228
        66⤵
        Program crash
        
        PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 780 -ip 780
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
92KB

MD5
0ddbd3e69801938334781c1bbc06faa2

SHA1
5dab154095f8ec28ea6c397e329d16a086fc8bfd

SHA256
b9b1ecf02e7697908f1d76308852335f3098829a6b740c6fa636a1d1d10a88b9

SHA512
5a5496da7960914ef8140b6847c82e126e35753de525157d0ef9ffb8d4d4dea4ff0b36946e8678cdb906f22dd9e91b583bd5b50f667a51e2edf4f4f9921512b1

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
92KB

MD5
1b1e1425f13b44d22952acea0072f7b8

SHA1
812176b069aa3bdd381f68a787c42d20af05718d

SHA256
022eda5a545333aa00a54d62a3fe9271a9884dd462bff41e07fd993844078a29

SHA512
0da60fdbd5a2f2a1aee0898b2984c1817ee34e85a0957d3ff43a1a7c96d0a8cf7c536876244e0f9b524de98e1bd675685f1a17e6db6fe7af2ee05499829c8a6d

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
92KB

MD5
1fbcd055a63dfa8c730394d5bed8bea5

SHA1
a37aa9a851102215423a0a41749fab7443941019

SHA256
ceda3be98fd5d260742fd4f2ee67fee1387806d567965fb878d141bcabfd63a1

SHA512
dc29f56fd39ce78c25b3874adc45dff0bd0f9f7393f3b9b7224852d929b95ec446f2ef4dd9a4a9482bae16c3685a31a747adf2bee9290792c4e07482bc40be62

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
92KB

MD5
cebc7d7d37310c2f132547797b5a5323

SHA1
e81dbafe301f906b0cd8273bfcde63a214b88ab6

SHA256
195ad451ec83a40ed1d45a72bdc43dc49ba27672e682bfaefbc760677c958441

SHA512
d23e5581ffe0f22e6b5f133b4eda8da1c244643691a768628e62854c22f0e6b104dbe63a3fca3a422bd24374265c141655f4afd0d0d470bef57ad94938ef8731

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
92KB

MD5
5d5353c78a9ae2a08c967d8f3b9cc31d

SHA1
02d0896279c2130586d40a7f1b7a6036dadbbe5d

SHA256
452555c691583126723a6fbb90918174e1bb6ed2d1e90bf7591e7f5191ce19ea

SHA512
f197bdd32492ce3db274e09411a6a6c09b99c5913c47c7842c9c3d34416309cafa67de5da876e043d3bc4385d9adce364c8ed084c976715f5fb68dcc2664e365

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
92KB

MD5
02a412cbb4842a7e51efaf0fc1c0d06a

SHA1
9afc09ce602744e4ce73266a3bcbc78d2209acc1

SHA256
58da71cc6df2eaf65cbb6be8a0c11bd800795ba2e5b56e54b49d0148d526edd1

SHA512
11f99829edf4f759b61a66b0503db13e3a152ffb3de11ffaeffcc8bde60a9964a65a5c3546cd9c5c2b08847b174218af7aadc7f0e956656ce9e7d495cd4601c4

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
92KB

MD5
bc45fdd767206b30174478a0a498072a

SHA1
e256efba6f564731ded361b03e5eef24e068c771

SHA256
e09240fb7b47af4a56bbcde8b9d82cff7ef74a94147d1e2991d0c78cd45f2803

SHA512
5918d48c27442d14ec0fcd0c149b228c850b822079829413d065e819448ede0f8d226379bfe44ab0e19c28a0bf66020e95751f7ae97b7ac1297bb5f16a1d8876

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
92KB

MD5
38f7a070c6beb22604c9a2f462dd9983

SHA1
4ddb3adb40d5a2aa13a57ee4994664552315fc2b

SHA256
1577d6ff2db655f449d198def3ede332041c3183cf42294a6ba612a6b1213db7

SHA512
ed89e582566f8575aec78f54dfff57bb4d856a4485413d8018a44369eb2711dc8f02af309517876d570ab506764c50695ef26473a450041a8be49039f272cc9e

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
92KB

MD5
be152a5547e1a15d034291c510a1c393

SHA1
fa0d7b168b1215729b0bc295103b3682354625fb

SHA256
77c17464acbce9e0525243329caf410fd9032caecbd500f739d7fcc77f3e04e7

SHA512
329189b5f04eaffe47c9ad579189588039a9c35d3fc5ac1baf300e8d643c62df6e9c61e5c0cc5e705ff47a536c07c25c29672f68bef9461f7b0b9d5b6ac35f3a

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
92KB

MD5
44ff48d2240a56296378eb87e52a5176

SHA1
e6aa8d8d403aa521fafaf40965703529fd728a7d

SHA256
602925347d01e56cc2239496eb285e94b1cf933f95d22772af160903af8d920a

SHA512
5fc8fa8fb40ca4e27d3ce09066a98f30a2213c110d2e62f9aada1a7f4000fe921d4e7d48b94375b542b4423e63c0c7b87529692e3364981023b790f0100923d3

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
92KB

MD5
ee2e6543415cdc748c9ee15539180cae

SHA1
9c6809768078db9a541ff6ca95860b3d96c586d0

SHA256
15e1ccc3b390b2628080393340f9b2a41b4ed91bc4bb3ebf746eae08c25da497

SHA512
a2af6a6e3b0b6f84fbff14c8896309e09212e935821cfd5d689d5e822a947244e7b988bd4276ca21b28c3a4571606b1661efa754c597163d4e0061f174b489d5

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
92KB

MD5
def7eaf9f823702aa171d7f47282165a

SHA1
638fe4652f9e8c5520499f8f11b41e8caa17460d

SHA256
56275a78339a434ce0b12524464aa7d9186ba7b10a3539ebc43955327bf5da68

SHA512
a1c1b70d83aa5e857b5c914ceaa774ad5ee4764696bda17c6893d62dedc8fe90b75b340bb6518350350ad062c9c2f65ade5fe092e75210f50052d241efc35502

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
92KB

MD5
9e67d91d5a66202571f55ff53bc7212a

SHA1
7921b8d133ed41bbfe7d11c60b71da16d04362cb

SHA256
2822b3ff0ef23ee8349b43ae9a16508fc0834e04833d54c41e6e9b63e61ce6ac

SHA512
fd15915dd4802aa0e4da509634de8e137d10f5e96c4b3c61f411a5b12ae04b3f98156c59080e26c6c9b0da3a63f5d01ce1eb39524c65d1bb4680629bf370ce09

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
92KB

MD5
3371654feb6f40d4667ca88d50c07947

SHA1
332e8fd69b304ff070d39dfd78e565943dc8563a

SHA256
f5fc0dc5f66b34208f017bd2e98b4d8fbd87f36dba37155e415da5d295be1429

SHA512
18c2d1cd6b7bda812eab57614d9d06dfe68df6f060a1fcb27eaca809fd534c9c3593075bc011dda5db48002aed334c860843ab89e2c75e6fc78eba2f36ea5138

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
92KB

MD5
f7c075be4b00ad10c3f09890e67762cb

SHA1
01932c657f39cb99b6d0b30ea68c4bfdb37f5200

SHA256
7923d58a51ebfff6004ea3d3aa444c4ce2ddbaf244bcfe67045a5d3c3efb0ba1

SHA512
2d2726a94ed0b2bc271871d19157757072ea572b71ba15ba390754de85449872d699e47b73c0f45dc5b7c0468a1e42059f6796d4b2083deb88aee4a2e00e88bb

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
92KB

MD5
544b4e22e8c5c3a821f83b35876767ee

SHA1
9e377e3da74aff934eaddc2c8aeed423d8692b3c

SHA256
47afdc60c731b42501d98e250e1bd8ffb2c742c92c7356419a7423f21069c0bb

SHA512
16114a47b80fb0a8c1efbd9957892b649b467b492462128a50f0067d70039b58e3ab1e621e8f791ed4460f8d26c17a554145aaabf9a4e9089cd26b915f21bacd

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
92KB

MD5
6f98c423857f91945a47a3740e94ad92

SHA1
de535c400d7fec8b22e6dd09c56d0192da599737

SHA256
7b2aac7da34c3913bb60a73efa8958c3614133ed35e90e6b96acc4fd66e129b5

SHA512
ca29a77e1ea64ba067c77a9c85ed453639198935f9627583634eb49a37ef122aa8906de56f9a4ea7cc5839b67f121b10c43520bb3b9790fdf6cd39e91943c9e5

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
92KB

MD5
e7978999fccd40f7ea4750a31c779dec

SHA1
15104b5f0d969daaab8c90727910609dbbcb23c0

SHA256
daacde855b0b9846539ee6b5987946bf2fe08e19683705bf88d5a7a375aaa61d

SHA512
c55b250ce613f2e37f27964c491c624ec71ab365846c22a97b4ebcf719cd32bf5b91e97315faa436021a378fcb4dc14c565add1a4f5a4260fc43495e6e2521a6

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
92KB

MD5
466a773baabd505747cde4d400fac7b2

SHA1
c029431cb7f6f4220e9d4818f3c74a50ee510970

SHA256
d6d80cea2f1efd71672aa99389ff8aefb5f70d1f8abef0c47281fa7e710c822e

SHA512
48bc445c5330ec22ab0d8e0dc2b0d572a31b6fced029dab8ed3dcb31ccb2f8ad3d9bb913c8006020e63f10e7fe0619bcba442c58c8e768cf05cf8dfad3f01a71

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
92KB

MD5
10ae9e831d12fc8ccaabc5c9ee35fe6a

SHA1
9b67c14d9eb20030ea4d8ac4dd31ee92a8d39402

SHA256
7bac44a1ca61d20337efb49a9f951f2ac6228e3ac056318213c7524dc061f2ab

SHA512
e10476b2918d4ca73dc7d821f656b0ef7ce7664401b5fb38164ff3df96d1def5b2bdd7ea1214986df4be181dd8d057b4a1406f0973693f0accb08cd9f5e4785b

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
92KB

MD5
5078dece586daf7022dcf3f9d4c2d1b0

SHA1
dcddb08d102c728ced9c72381ac17a5494e38745

SHA256
dbf0138fce8583e438a6be3aa1fd47e42cb8fc7e244387b1c5f0971a7c773280

SHA512
18187b36591124db3260552eb50aa884fce20fac7ba28cf19c8877798b2e4d459e45760031414660752b7bda79b1ad2582e143b1c0a20564c15a436b9afb6374

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
92KB

MD5
40af4acff3518d7515de7aaa0260b31e

SHA1
f23f96c299622136cfb72e6eeffa5ae5d6a66086

SHA256
8329a7f44bf3499bf2c4bb2d47b86cd227eb6609b6cb596b5d639bf9fad1eb7d

SHA512
dc4bfea0de24e119a279dd6a5225feab70b5e3375dd79d3900502b4b232ca890d8ec91298e3b3e6911f24eec25f9c243cca4d0ef6da219824ffce0cfc71803d6

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
92KB

MD5
7cf424ba28a15be10668c1e78e23d368

SHA1
784cd8012ab84d3ba3c962537838424a1767be20

SHA256
9937fe412754b2e5240202f0cdaef06d7af2d26e0f2afb885ce57b38a90ed43b

SHA512
2c079281af291ee67b813e36efbe04714142543a595a276f665fa547b9ee394397811dc9a5be1a2fe35db19024c3539643ce20611c9c4a91c7f23d6b26ed82c0

Download Submit
C:\Windows\SysWOW64\Ccdlci32.dll

Filesize
7KB

MD5
fba9d6302a8fc3b368cf8998a0eb6e49

SHA1
80a0772f71a1d3a1ac6beb9b2a1c52da775f5aab

SHA256
a909606db9522c58a0122d69491f694cc43eaf74e3a17ca089c58864fbde461b

SHA512
c066c94e02a9a1ad2d1f2d88ab0ce965228c4d4243e31d6814f4eace0c56f107db9e8358b441def1c995c2ca335b3dd67c53ed233659aad630aad8a00efd68a4

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
92KB

MD5
5ef3a57fce738ba2fae1f4ac25e9b496

SHA1
a323d2f5b7ff06e83c3033cc7386b26e2536ea11

SHA256
23c5ba7860e69be82afe91f349366d864a51220ff61f91a89c43b81bbd7fb76f

SHA512
733c5c1bea28d0bf7a62dbd06e148bf326de48712b9c121c5792afe2f74d23350d5ec2ba181cb2cfa334b9395f1fa3279e34d309eb11680e9d675c25dd43f9a5

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
92KB

MD5
071e3d8908517717a86386aece6d8f32

SHA1
d011e295a47c9b6fa31d96551bab071cd5f1aa7e

SHA256
603802e37ec1e26b323ab1d06414332e8181441ad3ba9390a20a0f5960c47920

SHA512
1c449c26374d5cf6f34a6e43210d6877da80274eeb924c85bec2a7e188dea2b3abea0bb8e7450a2e640c292b7dd1930bc48b3072e7e6bcd06a78ff0844673562

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
92KB

MD5
4cceb42bd76cbfb3bcbd8103be2fbe32

SHA1
420480d7e211fc71a9073293e2e440c8b158dfaf

SHA256
a51aa0bf1dc7a4d8e3f16853f39f1b0cd9ea0a1996e811450918331e4c9fc688

SHA512
8069f88f9f0268325b0c5382f41886cef31526cdc054e1d9cc5d533b4b9f378720426e4afce1161048713932f48952111ecc92b70ca71356747efc0266a2880b

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
92KB

MD5
e4a2f77d276c42ad25d9d271085524f8

SHA1
3f54e0436de15460413ddddbc9dfeed8472b1963

SHA256
0da6662ba6973ffa22dde6af4a24c8ff436eece53be0b4445ea763f96ca2b76e

SHA512
686f7e164e6f7aa518ba53215ddfc9f14ef691881a30836ac16b420a439ef791d6638a409c2ed1bd42a976030a62351a1274d671a9b8c1edda79d3deb98712a2

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
92KB

MD5
25b4da04ffcace6cc49f507162da6c2a

SHA1
d836123145b4a0138ca2437b08737f6b0fcbcc94

SHA256
aa0062a0d52cc1702b9cc6d5af4865084bdeb8cdd4e378130662b708c1457902

SHA512
64e920c857dc5e47152e45df21cd7fe10dec67971f0020495f4b1841bde2c4ff581aa7849d4cb4fa77ac236674b742a4d0ce8cf562cfc0cc755dc672f33bc867

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
92KB

MD5
a18f0ae828f8dec4caefec7da4aa5b98

SHA1
8168d0a409b3b4575c91561ac6efc6a599c9228b

SHA256
e5d4534e0c07ac281a821af539326096ef3105a880bffcec477c1745f065a550

SHA512
cbeaa8e36668c1993767a551fa0d8fa00c8584157827bf9599464cb09a87aff59a30d927e7a8fd620a91fd7f1719b63a9e81f51c82433e8a733544dd8dc49b8f

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
92KB

MD5
3a26d1d14bbbcba791c2a0a059edc78f

SHA1
d1c9ba538a60d4d539955e13c1f876c8cada4dd5

SHA256
9937288538dfedf6063a21f4a2ad62ebc20db8a657831cf83d46089ce64db570

SHA512
012bf2b81dded46bd9fe41f46a674e48166bdd53ed960e6bee4c617b06efa26ecf53aaf00dea7cdbfad6b7c8d7364b1f33c7b5a8270293e460ac4d6e1b487912

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
92KB

MD5
54975aec9061cbf9a1f90a3964630894

SHA1
698d3ac17ac3d0bfad3f1d668400babd233077fb

SHA256
a81496d5c7cd0415ddc20372e740af0a3ebac495e8ae0d50318d4a14173517ff

SHA512
32fcf148cf4b3f380abd89fcf7b72ed77b6f37e8d03c9ae2dcb0fc9ef994901ce880a7c3ee2e61a633d3f6a5dc814b8b6cca22d6d88da3b1ea5389091101353a

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
92KB

MD5
246f60b25458612806e5f361b48427f9

SHA1
5fa95ce77830f5c701a5b048afeddab908cd03c9

SHA256
ddc3e5ac5c6d507be3474f3121bebf6cdf3a63e8b454b5d64740605344c57fe1

SHA512
6dee146c8be956d609021fe58168ead69df87b3b5d37d6963a12b9ca72657fb3f03da35e8f559c4772fe1afea6ebd56de6ab007fd47908b881dc65630649db05

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
92KB

MD5
3e585cf99fd2296333ad10215da23bd6

SHA1
bc2eab1e0c552ecdeeacaaca589301b72bafc364

SHA256
77d34669c1ca93c5bd8ffb19c32b0ac9cfe7262550f80f7bc2907f7a193cdba2

SHA512
0cfe23037f2f14fd6d06794e5796172c22acb0de26039940114c49b4890704768f7878fe0ff5f994759094462d60e16f2ecbed3a5b7fe878fe9d327012303776

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
92KB

MD5
29c821505612af5fcd119710cd8a1950

SHA1
7f6be2351b9b145150b2d112dc69a100a3437886

SHA256
b601f4c039c24e38b6ca0b21fc67b49d936ca9f8b6dbbf2a544d427ae7a822fb

SHA512
f8ea666dd9d845b5f0f30a0297790c5934b6f623019c84aaec5cd2c01b29cc3310dbb23e637f1bd0ba796c9aeb220da867f637b79a59e687adaf3082d4ec6fef

Download Submit
memory/376-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/376-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/384-476-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/384-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/780-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/780-450-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/988-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1164-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1164-456-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1196-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1412-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1544-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1624-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1752-360-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1776-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1776-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1904-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1912-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1916-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1916-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-455-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2016-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2016-474-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2288-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2372-468-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2372-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2376-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2412-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2608-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-469-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-457-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2860-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2860-465-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2916-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2916-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2972-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2972-459-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3032-461-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3032-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3116-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3152-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3168-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3168-471-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3272-462-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3272-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3280-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3280-449-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3304-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3312-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3512-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3584-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3584-477-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3588-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3588-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3648-463-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3648-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3728-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3728-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3788-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4036-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4100-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4148-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4216-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4284-470-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4284-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4288-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4288-475-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4408-452-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4408-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4460-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4464-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4464-451-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4520-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4520-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4556-473-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4556-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4624-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4632-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4668-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4688-453-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4688-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4692-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4788-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4820-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4820-467-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4952-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5076-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads