berbew | a4f6f23440ca440446c6fcef8911bdedaca7560e36df3da84181a9a532ac7a92

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4f6f23440ca440446c6fcef8911bdedaca7560e36df3da84181a9a532ac7a92.exe
Size

74KB
MD5

c1a3c826d3cdb7d46835bda6f3144074
SHA1

1d94c4f53bce36bcd88c0698030b07ff31f51de6
SHA256

a4f6f23440ca440446c6fcef8911bdedaca7560e36df3da84181a9a532ac7a92
SHA512

a403748276fab45d2e592a6199341272440953fb023e6ca3e55989434e9718b6fbc7f99c5557c295a27a97a2ae3fb9a17b39f6ae4cdbab86720ce1917fbfbb2f
SSDEEP

1536:aplBqkq1+m1R87XslvsaGdRnf856cl/qgvqisRDf2K43Cl:ap+z1+m1R878lvrGdKwFKqfDff43Cl

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 59 IoCs

pid	Process
2368	Pqdqof32.exe
2132	Pgnilpah.exe
740	Qnhahj32.exe
312	Qdbiedpa.exe
1612	Qjoankoi.exe
1996	Qddfkd32.exe
2632	Qffbbldm.exe
4428	Ampkof32.exe
2800	Acjclpcf.exe
2164	Ajckij32.exe
1352	Aqncedbp.exe
1844	Ajfhnjhq.exe
4928	Aqppkd32.exe
1224	Afmhck32.exe
3208	Amgapeea.exe
404	Afoeiklb.exe
3196	Aminee32.exe
2964	Agoabn32.exe
1192	Bnhjohkb.exe
1672	Bagflcje.exe
2540	Bfdodjhm.exe
4732	Bnkgeg32.exe
3932	Beeoaapl.exe
1540	Bgcknmop.exe
4596	Bnmcjg32.exe
3712	Balpgb32.exe
208	Bgehcmmm.exe
2636	Bnpppgdj.exe
2364	Beihma32.exe
4528	Bfkedibe.exe
3840	Bmemac32.exe
4300	Bcoenmao.exe
3212	Cjinkg32.exe
1488	Cmgjgcgo.exe
1772	Cenahpha.exe
2644	Cfpnph32.exe
4872	Caebma32.exe
2620	Chokikeb.exe
2820	Cjmgfgdf.exe
1972	Cmlcbbcj.exe
4680	Cdfkolkf.exe
4116	Cmnpgb32.exe
2388	Ceehho32.exe
4192	Cffdpghg.exe
5064	Cmqmma32.exe
3632	Ddjejl32.exe
4088	Dfiafg32.exe
392	Dmcibama.exe
1680	Ddmaok32.exe
3156	Djgjlelk.exe
776	Dmefhako.exe
2912	Delnin32.exe
2124	Dkifae32.exe
1368	Ddakjkqi.exe
3060	Dfpgffpm.exe
4164	Dmjocp32.exe
1108	Dddhpjof.exe
1548	Dgbdlf32.exe
1076	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4920	1076	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4f6f23440ca440446c6fcef8911bdedaca7560e36df3da84181a9a532ac7a92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a4f6f23440ca440446c6fcef8911bdedaca7560e36df3da84181a9a532ac7a92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a4f6f23440ca440446c6fcef8911bdedaca7560e36df3da84181a9a532ac7a92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 2368	832	a4f6f23440ca440446c6fcef8911bdedaca7560e36df3da84181a9a532ac7a92.exe	83
PID 832 wrote to memory of 2368	832	a4f6f23440ca440446c6fcef8911bdedaca7560e36df3da84181a9a532ac7a92.exe	83
PID 832 wrote to memory of 2368	832	a4f6f23440ca440446c6fcef8911bdedaca7560e36df3da84181a9a532ac7a92.exe	83
PID 2368 wrote to memory of 2132	2368	Pqdqof32.exe	84
PID 2368 wrote to memory of 2132	2368	Pqdqof32.exe	84
PID 2368 wrote to memory of 2132	2368	Pqdqof32.exe	84
PID 2132 wrote to memory of 740	2132	Pgnilpah.exe	85
PID 2132 wrote to memory of 740	2132	Pgnilpah.exe	85
PID 2132 wrote to memory of 740	2132	Pgnilpah.exe	85
PID 740 wrote to memory of 312	740	Qnhahj32.exe	86
PID 740 wrote to memory of 312	740	Qnhahj32.exe	86
PID 740 wrote to memory of 312	740	Qnhahj32.exe	86
PID 312 wrote to memory of 1612	312	Qdbiedpa.exe	87
PID 312 wrote to memory of 1612	312	Qdbiedpa.exe	87
PID 312 wrote to memory of 1612	312	Qdbiedpa.exe	87
PID 1612 wrote to memory of 1996	1612	Qjoankoi.exe	88
PID 1612 wrote to memory of 1996	1612	Qjoankoi.exe	88
PID 1612 wrote to memory of 1996	1612	Qjoankoi.exe	88
PID 1996 wrote to memory of 2632	1996	Qddfkd32.exe	89
PID 1996 wrote to memory of 2632	1996	Qddfkd32.exe	89
PID 1996 wrote to memory of 2632	1996	Qddfkd32.exe	89
PID 2632 wrote to memory of 4428	2632	Qffbbldm.exe	90
PID 2632 wrote to memory of 4428	2632	Qffbbldm.exe	90
PID 2632 wrote to memory of 4428	2632	Qffbbldm.exe	90
PID 4428 wrote to memory of 2800	4428	Ampkof32.exe	91
PID 4428 wrote to memory of 2800	4428	Ampkof32.exe	91
PID 4428 wrote to memory of 2800	4428	Ampkof32.exe	91
PID 2800 wrote to memory of 2164	2800	Acjclpcf.exe	92
PID 2800 wrote to memory of 2164	2800	Acjclpcf.exe	92
PID 2800 wrote to memory of 2164	2800	Acjclpcf.exe	92
PID 2164 wrote to memory of 1352	2164	Ajckij32.exe	93
PID 2164 wrote to memory of 1352	2164	Ajckij32.exe	93
PID 2164 wrote to memory of 1352	2164	Ajckij32.exe	93
PID 1352 wrote to memory of 1844	1352	Aqncedbp.exe	95
PID 1352 wrote to memory of 1844	1352	Aqncedbp.exe	95
PID 1352 wrote to memory of 1844	1352	Aqncedbp.exe	95
PID 1844 wrote to memory of 4928	1844	Ajfhnjhq.exe	96
PID 1844 wrote to memory of 4928	1844	Ajfhnjhq.exe	96
PID 1844 wrote to memory of 4928	1844	Ajfhnjhq.exe	96
PID 4928 wrote to memory of 1224	4928	Aqppkd32.exe	97
PID 4928 wrote to memory of 1224	4928	Aqppkd32.exe	97
PID 4928 wrote to memory of 1224	4928	Aqppkd32.exe	97
PID 1224 wrote to memory of 3208	1224	Afmhck32.exe	98
PID 1224 wrote to memory of 3208	1224	Afmhck32.exe	98
PID 1224 wrote to memory of 3208	1224	Afmhck32.exe	98
PID 3208 wrote to memory of 404	3208	Amgapeea.exe	100
PID 3208 wrote to memory of 404	3208	Amgapeea.exe	100
PID 3208 wrote to memory of 404	3208	Amgapeea.exe	100
PID 404 wrote to memory of 3196	404	Afoeiklb.exe	101
PID 404 wrote to memory of 3196	404	Afoeiklb.exe	101
PID 404 wrote to memory of 3196	404	Afoeiklb.exe	101
PID 3196 wrote to memory of 2964	3196	Aminee32.exe	102
PID 3196 wrote to memory of 2964	3196	Aminee32.exe	102
PID 3196 wrote to memory of 2964	3196	Aminee32.exe	102
PID 2964 wrote to memory of 1192	2964	Agoabn32.exe	103
PID 2964 wrote to memory of 1192	2964	Agoabn32.exe	103
PID 2964 wrote to memory of 1192	2964	Agoabn32.exe	103
PID 1192 wrote to memory of 1672	1192	Bnhjohkb.exe	104
PID 1192 wrote to memory of 1672	1192	Bnhjohkb.exe	104
PID 1192 wrote to memory of 1672	1192	Bnhjohkb.exe	104
PID 1672 wrote to memory of 2540	1672	Bagflcje.exe	105
PID 1672 wrote to memory of 2540	1672	Bagflcje.exe	105
PID 1672 wrote to memory of 2540	1672	Bagflcje.exe	105
PID 2540 wrote to memory of 4732	2540	Bfdodjhm.exe	106

C:\Users\Admin\AppData\Local\Temp\a4f6f23440ca440446c6fcef8911bdedaca7560e36df3da84181a9a532ac7a92.exe
"C:\Users\Admin\AppData\Local\Temp\a4f6f23440ca440446c6fcef8911bdedaca7560e36df3da84181a9a532ac7a92.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\Pqdqof32.exe
  C:\Windows\system32\Pqdqof32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\Pgnilpah.exe
    C:\Windows\system32\Pgnilpah.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\Qnhahj32.exe
      C:\Windows\system32\Qnhahj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:312
      - C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 424
        62⤵
        Program crash
        
        PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1076 -ip 1076
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
74KB

MD5
cf0915898af0cfe4ff3bbd7ebb1c59e6

SHA1
dba34ac84d126350984d7fa81e7d6ffad7c3798c

SHA256
7c71d8c3de6851275f678a88d89492f349b0b6c9044c21975c0ba8d9eb14a698

SHA512
23b8d024061c4a9fbbcd6c9c4a6900fcc6e76c6b6881a5fbb5f4dbff841cfeafd74e95f997dfaa076b4dea3251ddcf4d415bfaa745cd411ffb7e5eea0fc76883

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
74KB

MD5
6a1848bce5048c170a58f69869915d3e

SHA1
668eaaf0896d95aeafb411044b1d07d206f5e6c9

SHA256
f5d4124b8bb7a303f7a8a4a951283e0f8a2ca1fdd5e503ab5e9c4c816d1fd76e

SHA512
dd06b7497dae58da2f693e670dce4a8d13663b0cf30c54d11fe362b62b151aafae3490b56ebd8e725d263f1fa07e4779c030f2bd3c7419b71e8a44ae350c0c2c

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
74KB

MD5
752a66981dd7a07a7945eeda205f3309

SHA1
e619972ec50b93ed11a45fe649153576a2287481

SHA256
015f79e41a339dc111f78944f254a016a86bfa44d85f53b7bb8828eb623937d8

SHA512
86a436468cb97ae82446d0a3cf881322d55f419c2ba30a8a5259189f909d0f12388adf1221a484adf9551f17db1666ae4adb09441d5cfd34965007c25099e535

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
74KB

MD5
8dc63349dfeb33dfd84d43e6071b6992

SHA1
3b7162d37e7e4b399683893b3495d5e95c19852b

SHA256
ca5f5d8430f62f40c84b90756c16ea542d3125c12a509b570f41e0afd9e6d170

SHA512
51d97fb538948f532a314e9e0640bc13db53ceb516a0cd27dab9fbab908c83de161a92d0eadad9764bb528002d735ab262f4dcd059ea54c1bee524cfd709e360

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
74KB

MD5
ce6271a50dbef12b46d54ebe5c433aec

SHA1
ad5174c2bf55ac1469367078241665963a5c1102

SHA256
7025d22fdd61adfa26c18f268b8e27fc3662fbce2ab19f17762c7ecedd2ff864

SHA512
709a08f5e4f5dc27a07ce97d9d9d55032bb1ae42120c489a67eefd5107861b7e20fec20d6b1a2fb5ea33e463ed7e64d740410702b03cfe3263eb1592c44ae285

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
74KB

MD5
3b24efc1efcfa40f76ec30792282dc1f

SHA1
cd7b6ad1ef1a116360e63d3bcec52cf5ab198aca

SHA256
0cefc88d455417e3e010201dca9948cfc2803502f338397d90defcb5039ba90a

SHA512
2d08ac44bc1392e1591e75c9651d2a99ecc83ca1cb30f1dc9b3631f9f3e2d03c32c04abc5b3bc9fd55cd2624665a97a60b1bf9ef664d30d18074a499c6eb40ca

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
74KB

MD5
4a766cf718d28a8282d723995705c698

SHA1
646b25773a865b020ddd2bce37b9b0e9b936aa63

SHA256
2c9bbf6187b976d99b37892c3df2911809be0014d992c3daf4836baccd11ae4a

SHA512
d07fbd9f3d82f125188740288261421979fcacdcaaa8394ef4ebfa5d41d208edec8cdb11f27db6cf1286b506ad47fd7ea2bc09e6969f1e7c17144e0a0cc55cac

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
74KB

MD5
725cc511b700b405c0f14c6cfcfccc33

SHA1
1543ad5217b7c489261d89219aa02b5240991454

SHA256
14b6ca4a58cb8029dcabb31b5ed559f136d26d1fc12e8f301d4537d3d1fd4b95

SHA512
987cd7af3768ce00f60f152ef3de779bc082c562bfe1c64518e3b8119c600871df4bdf2f1d46cff3f04b01f6f6378ee62e4a4a95176367d382b5fcb89cf948c1

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
74KB

MD5
7ee82c46fd597274aaabc5175b15f05a

SHA1
918649f5c599fef00dc25670f088720fb52ac439

SHA256
23d6307dd3d239a571276acdaf700e3f195aeb19a28ad87cd451832ece0ed4a7

SHA512
517d4349b2067360aa336e0d4cb60d6bdba6bd8dc97582d98a902f307775c6d98b9f3047dbd601c72184f4a3d645297fa6708e8007e4e95c42e6c5ac1c852051

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
74KB

MD5
2c9a1cffb30eef8d7f64f991ac7732af

SHA1
b0ba53bfccc8d7bc1f0b907b4d59ef5e77b0d10f

SHA256
6465d5b6baa8fd79a77f55bc48d72d093cc5143e4a8abea0009abe08b2c4460e

SHA512
35b1386d9420ab6fdf3315c4c19c287cadc57a716d0e325575c6c2cfed576e7e9852ee607c19706dcc787be1cf8874a2d84490a510a42e555d92e171f8e1d95d

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
74KB

MD5
fc43a2fe4110fc2704d0dd524dcb8293

SHA1
2dfba906cdefb41d6b223ed1f1b612428c2ef333

SHA256
952f96e0245e719b9d41e1d3577098951d34f68b88427ce5880e7444be1b6329

SHA512
4663ad309b4ded248af235618bbcdeb9d453ae83f33664d94d98a3a8de14255df648a3d829a8be0bce1190153b96e712097109d4771a36077f037140eb5df138

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
74KB

MD5
7618e01ada9f4d37b7b0d19ee79571e0

SHA1
de3e301c70e25fb1d33bdec2d6857e5ad9241857

SHA256
2d47f2d512130cf0e066320c00110551ba7e56f41125933f47cbb6ff63b30e29

SHA512
7c347018e93246218ace9edce666d03a887c5766d4cd3d3b3914ea64233f7ce307fc244dcddb8e558d656c9bc3ee36d63deecb9cdf264eb2f13d753fd2e0bac8

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
74KB

MD5
2807f980e719fbfcf2941e59d5d5a9d0

SHA1
67bd193bac44742309b0b49d295ed172f88ff27b

SHA256
b7358d2c0c307e45b860b633337a262ebda6ecc91abac4e38d615ad252a4427f

SHA512
7def8b3e20ead54ba2d7364d8bfaef922d835b1e3bec3613331c75af108829ce1c102fdb1a0e7bed6566318ae5248f71a47b3ec08589704bb73ffe843bb7125a

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
74KB

MD5
39d4b72bfe979f1ed1df00835b16f379

SHA1
52e1116477e1ae34364472f241be4ec7042b97cf

SHA256
9a881c15f78f97c2c686165613457c0cc3a8a9599ae3286c88479eb53d0fe5ca

SHA512
1f0c6d7b8d995d1d28b49ddc18e21f6907127592147d5de71ef355bcf1610b5e0a934888b29e4a19e9f9409b145a6103ec2fa02bc070e390d09525869defabd6

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
74KB

MD5
764a794394cb5d730588d82f3b2b5514

SHA1
a6d4ac6e19270bf55176890690ffecf58ca26e3e

SHA256
8d7ab901750459c85d3c56715d7373f529e46f6e1aeac2fc5e5b341317083913

SHA512
6ed400a3363942bf95bb412f475470834279d106c94f60bd75f5108f660b1ee5f5bdc327963da147fc92e0b46ea8d750742d5ab4747b00c54b5bb5847110648e

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
74KB

MD5
3d6c1995ae5de2ca11b87d865e295028

SHA1
05b81ccd98cebe532f30b0a79f8c6621dff8223e

SHA256
4790889148012ade32435d7cad70c166721ff68b00fe658a42ac29c920fd34da

SHA512
685a12f4fb0f6202466335a46296c33e59d9d171e1928991a6b99daec24ef5df1f5bb5fef149718d8c5e87b8ef362512953c468122605ed84896fd26c4735849

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
74KB

MD5
ad88d02d4fdc573901873a81168806c7

SHA1
df3e431b03c34d26efb3a3b42f39abfea41c71b4

SHA256
5ecfdd238e2d69b87065e746f3ecf5e5db426d0628f7df9faced23170ecf41dc

SHA512
39f937a37834bc0b11639024c111227d584bef9224a2a19e281b9ac47956dd8ce5d41a677c3f08d6235924b5143eca19b21242634f4968d3dbcb94d9eeb3f5b5

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
74KB

MD5
e375ef860ca44f5d14c528ca8f3f8247

SHA1
c3e058655a0ce5bafaa5b61e14537de2cebbfa8b

SHA256
e88d2692f1313f9618be1c72dd0253952468a1e750822d61226eaff0897c5abb

SHA512
d9a6711bc676269c9bbc47ab14a316c253537b429629487fb9a76d39dc654f6542a7d59e9d74b3cba32db7a8395d3b4e2d109a74320e9bd7ac00da67bd78364f

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
74KB

MD5
4c8999f4df6d3e0c27e004d54ecd7080

SHA1
e5476ab575109381d8d7021963d7eff938133fbf

SHA256
7f61fe8bcf3827f78c26609b9bc0d3ce397a59979c91dcc9a72b0254cb80e234

SHA512
1b6c34abbd767f55646c015b758d1dd96e5f7086d803d54909a5db0dc83688340b07b374f61e9fabd6790176cf63e9a60d0e4e8fd6b9159cc88c9dcb9f2fafff

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
74KB

MD5
b4f9e10058aa73913dba074a15067554

SHA1
1c788acc506c460aafdc49ad1632da8493568226

SHA256
da1debcaad680bd657b5f67190ed609ca36504868304ce89e4e4492f753b0f9c

SHA512
085c8ca04f4fa146afa6ca6748f176b6ea084e2d763c9772f39bac9fabc5b689d06686cb593d007c356cd282ded5007c0ef15cc48d89c065ce350f3b96e4fa26

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
74KB

MD5
abcc60c90f4c08fe1939498a54d4a759

SHA1
4eb2eaf09ca8c6e03acca3b61ae794de347090fe

SHA256
0c995d5ef52946463defba39645234504c61ea0eab3693cd906a4dbc67d49778

SHA512
3ed7e742d4023e96f2dcf6778020c6fb89a489168c3150f830e7d1e1b92ec58b852377060823e034333f62ec39dfb32f479773b2f0bcd955aeb2a4d7677306e9

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
74KB

MD5
98f6a0cc17c539c09e7369bb9d457d9d

SHA1
da1c92968e5d881945d6783574a3eb42d264482b

SHA256
27325288e2af208d1e5276032ff88f0e4cff21cb0d4338e28a330a0f94254bb0

SHA512
d0121fae3a4daa77f47e030de767a715c72944e05201ad0045b4bc1731549a48d185dff6bd71622ce85be1dd0d85d6916f3011ecc5fade93fe03e88c6eade37b

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
74KB

MD5
ef60b94e8083bbad70b2083ed4f881f7

SHA1
2f815765758fbf5056eb4b7164935c7eb5bec910

SHA256
abb93dd3a689ccdedc1b489ca14ecb96bc3883a16273c4fde7cb7b099ec10d93

SHA512
64b2f8efef4fe441cae1c26fe87945cb0bf2646fd0c4d581e9510695777f6c9bf73c230a03d3a3ecc9f49c39f4da91bc4bb7683ed9d0889c083d30124fc57da0

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
74KB

MD5
86a3526c11554b708989d0ae8d20cdd3

SHA1
86211d29d4aa0ec7db15b666ad05812887a0171b

SHA256
2f84e2de1feb1122fc96d93e6a999be4b7c5d54f47ff848de20e0379cb9ead5c

SHA512
dfd3905b2e5e799a960934809c55a28dead73817684f47a3f6e28cb22b73b38663f020d564bd4bdcdc1a88554b212cbff453cf7ca337cdb835599421a3e6c062

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
74KB

MD5
2eeb623447ddba69ba675f4da1ed220f

SHA1
dc230c5ebd3dde209f00e77fa44fa3443c899c2b

SHA256
4d6ff7738b5d381e6ae29c72fa0bf8a7b5ed77a4c5e9ffaac6acd70c6d564420

SHA512
663b91315b4dd6f8ef095a856a7e1de0b232b81dd9b0975a65898d2239e25119b7981a944ba757d677dd7bb1f4ab32577d0aaccedb7ab9fc236db424d9ddd4f4

Download Submit
C:\Windows\SysWOW64\Chempj32.dll

Filesize
7KB

MD5
9afe3357fb830bdb3e5069db021975ee

SHA1
299f100764442dcaab57b8cc27407e911f2a4e49

SHA256
9186a51e898ee8e41e4e3bed939ed3e1d41049325b15a62bd0b202edc19a92da

SHA512
834ea5cba4583b0f42b4a6851956c332a675e76484fd5d11b1c97385e2ef4adfb8a9f3c60cc198cdb445ee2daa34674e5b39246bdc28225daecbc343fa627fc6

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
74KB

MD5
30e8667aee3e176f1dedc948661eccac

SHA1
ce5b6b515298d82a83c6d798bc0a51c0317b1356

SHA256
3237bf692873af115c0aa847d3f098b0a7a3aef19c0bee46bfcdb5ddf817d069

SHA512
1cb06b8047cf0bb381c64fdba722d0dbae6b0731982ea8718a25e915d7ef2f846e2789250bb45fdef782f4811bfeaf2a187c872c9d3c0735eb0468a2a14440a3

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
74KB

MD5
c303d74e475e251623779132b227f9d3

SHA1
aab8beca4e184c10e9549e1243575c9ec2ad754f

SHA256
6fd10b8947c4a96879b384666e47ffc79d98b86aa262636e27fe0a88713f59f7

SHA512
28f97d1dc9c93001f74176c25242177c77b458e0b4fe89d5de1318ac0a36815a5d30e618d3cec366ade4a2a811a5f83ca3a7d534e3dfeb7121109b5e8049f0b6

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
74KB

MD5
9bad303e645b5232d2d2f076e99d00e3

SHA1
d6e602a2298b442bceb246a87c86761d1ccb4de6

SHA256
90771bb49639d1ff4ae3b1205f3f1fd5f64637542826c8ae16e20a77a724f9dd

SHA512
541750fa3afcf56fe79bc0c00ef4a28716d3f19e47ea847c8b7f0433e4b59993a8187e4163760f982a804733469ef97903202bf9a5be971a58d86e19b327df07

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
74KB

MD5
8ade8faf8fb7051e76b85928976d93f7

SHA1
35ef96461b14da8acf0a9dfdb53c91ef4e2cef86

SHA256
b81be5eac06f40cf5ba62177d020704ca284b7e319051d5d7e2d86f5720c5692

SHA512
8810729a36e49b77d46ebfc2554d9667f7ff65f987e8a252a08a64ee0f7903c1463289842984b4d224d97d8b560781922378329c3240b31e7f3af6740e7f4d88

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
74KB

MD5
75f49cbf88b71a05fe333151a0d44c43

SHA1
328fbeb35ee829b7a162a084187f76ea49fcfb4b

SHA256
cb4833afe295af2da37a40228472fc7dc2f7410c78d3079bff77c6de3b042c4b

SHA512
004852ae45c34317a2255e88f539b5cfb71a57ece608a40c9f8e0b9988b995709c31bd7efa26119a8603148ac59473e7e0fecf4e65c8804f6c284c7a1592f111

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
74KB

MD5
f29622c452f8eb1ed62252ce9224c892

SHA1
8ba61aef948b9acddff3733f9304ca722a9f97b6

SHA256
88fad2de54c50da5e2e94e92fa2d266a6a1e82c3611b751555b02baeba466172

SHA512
42f7a59ac89eb9d0b6e8d099acdfe2ae83c536342d782ca09d5821fe645e46eb6c3f722d5831e822a4a71b734dcd21c4b2aeaa3c4b3a0403d36ea4bb3d5663a1

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
74KB

MD5
6f8036fa4bab6a1d5e7fb1497b0c6c51

SHA1
99a4dbe39fe349ca0128d7c56523c4600f267db7

SHA256
681370150e4fa3758f8e6e6da388478cb4bbfee2c093a2745241bf6b9ea615d6

SHA512
8f6cdf2d3ab05d6e453cf44c57058bee4bf054870860d1290c55317c93469f5ae97583e823de36caa2083e4de57d2b99ffeb6b84e073037226ec6b4d76860a31

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
74KB

MD5
0d68daceb1c945f5a21af16bde42aa1f

SHA1
d1bfc67b1e3ad7e57f634b1f6804927c76937b33

SHA256
2de2f6f12fe8b5e85f73df8b0f6fb3353d9dec60bbb493153d7a5d34a6e3f3dd

SHA512
99bc1021dc6274c7ebb8f190c0233350d6ef4001a18591bec5f4c8771e9a7615d8a84da839489cd768d650c889fb0309b659ad8577871ec404102dc05c4ad6d8

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
74KB

MD5
89e52e5152952194f3ca876f6c938438

SHA1
f0895418dc820197b39e04ce2fae5aeb74d3a108

SHA256
51778922c2404e206978bd9a43392e6d990a6b615e6df5f30309cab970153ca7

SHA512
aeef34a6f71ffcb02c560cc3956baf7a0c516a3d5d346b2b79b2329b016a03170ab22543760066e8de487018da04346a57684015425fa49e619b6ca0313d9bac

Download Submit
memory/208-451-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/208-216-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/312-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/392-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/392-431-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/404-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/740-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/776-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/776-428-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/832-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1076-420-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1076-419-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1108-422-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1108-407-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1192-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1192-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1224-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1352-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1368-389-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1368-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1488-272-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1488-444-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1540-453-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1540-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1548-421-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1548-413-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1612-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1672-164-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1680-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1680-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1772-443-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1772-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1844-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1972-439-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1972-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1996-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2124-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2124-427-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2132-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2164-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2352-426-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2352-383-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2364-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2364-449-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2368-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2388-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2388-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2540-172-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2620-440-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2620-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2632-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2636-450-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2636-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2644-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2644-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2800-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2820-302-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2912-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2964-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3060-395-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3060-425-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3156-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3156-429-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3196-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3208-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3212-445-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3212-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3632-433-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3632-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3712-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3712-452-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3840-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3840-447-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3932-188-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4088-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4088-432-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4116-437-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4116-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4164-423-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4164-401-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4192-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4192-435-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4300-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4300-446-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4428-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4528-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4528-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4596-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4680-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4680-438-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4732-180-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4872-441-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4872-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4928-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5064-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5064-434-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads