berbew | 4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471.exe
Size

96KB
MD5

721d384b2c1d5ce8aca5738cf73754ed
SHA1

8cad436cf11afc1a4a961d98919f950d2159a343
SHA256

4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471
SHA512

7814bc754487e46da0af7be70e27aeed33826c403accbe8c8ddeb22019a8fca7a846de0befafa3372ef718aaad397b7793436bdbc60d0ad20084adcd703c3206
SSDEEP

1536:7Wtb69sYhfSHmOZ+LGYhkFxt8WCq5kB21U7N1/BOmoCMy0QiLiizHNQNd6:6ASGOoGZxtkbB2en5OmoCMyELiAHONd6

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 57 IoCs

pid	Process
4700	Beihma32.exe
4536	Bfkedibe.exe
2032	Bmemac32.exe
2308	Chjaol32.exe
1724	Cjinkg32.exe
1184	Cenahpha.exe
3304	Cfpnph32.exe
1112	Cnffqf32.exe
3296	Caebma32.exe
3548	Chokikeb.exe
2680	Cjmgfgdf.exe
4516	Cmlcbbcj.exe
3892	Cagobalc.exe
4704	Ceckcp32.exe
4896	Chagok32.exe
1632	Cfdhkhjj.exe
3200	Cjpckf32.exe
452	Cnkplejl.exe
2544	Cajlhqjp.exe
1804	Ceehho32.exe
1996	Chcddk32.exe
1800	Cffdpghg.exe
352	Cnnlaehj.exe
2388	Cmqmma32.exe
1904	Calhnpgn.exe
3232	Cegdnopg.exe
4024	Dhfajjoj.exe
1676	Dfiafg32.exe
4980	Djdmffnn.exe
2204	Dopigd32.exe
4156	Dmcibama.exe
1516	Danecp32.exe
4192	Ddmaok32.exe
4844	Dhhnpjmh.exe
2092	Dfknkg32.exe
3208	Djgjlelk.exe
4664	Dobfld32.exe
1964	Daqbip32.exe
1444	Delnin32.exe
4636	Ddonekbl.exe
3312	Dhkjej32.exe
3956	Dkifae32.exe
4368	Dodbbdbb.exe
3624	Dmgbnq32.exe
232	Daconoae.exe
4408	Deokon32.exe
1172	Dhmgki32.exe
2340	Dfpgffpm.exe
5004	Dkkcge32.exe
1020	Dogogcpo.exe
4132	Daekdooc.exe
468	Deagdn32.exe
2044	Dddhpjof.exe
4380	Dhocqigp.exe
2148	Dknpmdfc.exe
3676	Doilmc32.exe
936	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1592	936	WerFault.exe	139

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4700	3652	4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471.exe	83
PID 3652 wrote to memory of 4700	3652	4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471.exe	83
PID 3652 wrote to memory of 4700	3652	4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471.exe	83
PID 4700 wrote to memory of 4536	4700	Beihma32.exe	84
PID 4700 wrote to memory of 4536	4700	Beihma32.exe	84
PID 4700 wrote to memory of 4536	4700	Beihma32.exe	84
PID 4536 wrote to memory of 2032	4536	Bfkedibe.exe	85
PID 4536 wrote to memory of 2032	4536	Bfkedibe.exe	85
PID 4536 wrote to memory of 2032	4536	Bfkedibe.exe	85
PID 2032 wrote to memory of 2308	2032	Bmemac32.exe	86
PID 2032 wrote to memory of 2308	2032	Bmemac32.exe	86
PID 2032 wrote to memory of 2308	2032	Bmemac32.exe	86
PID 2308 wrote to memory of 1724	2308	Chjaol32.exe	87
PID 2308 wrote to memory of 1724	2308	Chjaol32.exe	87
PID 2308 wrote to memory of 1724	2308	Chjaol32.exe	87
PID 1724 wrote to memory of 1184	1724	Cjinkg32.exe	88
PID 1724 wrote to memory of 1184	1724	Cjinkg32.exe	88
PID 1724 wrote to memory of 1184	1724	Cjinkg32.exe	88
PID 1184 wrote to memory of 3304	1184	Cenahpha.exe	89
PID 1184 wrote to memory of 3304	1184	Cenahpha.exe	89
PID 1184 wrote to memory of 3304	1184	Cenahpha.exe	89
PID 3304 wrote to memory of 1112	3304	Cfpnph32.exe	90
PID 3304 wrote to memory of 1112	3304	Cfpnph32.exe	90
PID 3304 wrote to memory of 1112	3304	Cfpnph32.exe	90
PID 1112 wrote to memory of 3296	1112	Cnffqf32.exe	91
PID 1112 wrote to memory of 3296	1112	Cnffqf32.exe	91
PID 1112 wrote to memory of 3296	1112	Cnffqf32.exe	91
PID 3296 wrote to memory of 3548	3296	Caebma32.exe	92
PID 3296 wrote to memory of 3548	3296	Caebma32.exe	92
PID 3296 wrote to memory of 3548	3296	Caebma32.exe	92
PID 3548 wrote to memory of 2680	3548	Chokikeb.exe	93
PID 3548 wrote to memory of 2680	3548	Chokikeb.exe	93
PID 3548 wrote to memory of 2680	3548	Chokikeb.exe	93
PID 2680 wrote to memory of 4516	2680	Cjmgfgdf.exe	94
PID 2680 wrote to memory of 4516	2680	Cjmgfgdf.exe	94
PID 2680 wrote to memory of 4516	2680	Cjmgfgdf.exe	94
PID 4516 wrote to memory of 3892	4516	Cmlcbbcj.exe	95
PID 4516 wrote to memory of 3892	4516	Cmlcbbcj.exe	95
PID 4516 wrote to memory of 3892	4516	Cmlcbbcj.exe	95
PID 3892 wrote to memory of 4704	3892	Cagobalc.exe	96
PID 3892 wrote to memory of 4704	3892	Cagobalc.exe	96
PID 3892 wrote to memory of 4704	3892	Cagobalc.exe	96
PID 4704 wrote to memory of 4896	4704	Ceckcp32.exe	97
PID 4704 wrote to memory of 4896	4704	Ceckcp32.exe	97
PID 4704 wrote to memory of 4896	4704	Ceckcp32.exe	97
PID 4896 wrote to memory of 1632	4896	Chagok32.exe	98
PID 4896 wrote to memory of 1632	4896	Chagok32.exe	98
PID 4896 wrote to memory of 1632	4896	Chagok32.exe	98
PID 1632 wrote to memory of 3200	1632	Cfdhkhjj.exe	99
PID 1632 wrote to memory of 3200	1632	Cfdhkhjj.exe	99
PID 1632 wrote to memory of 3200	1632	Cfdhkhjj.exe	99
PID 3200 wrote to memory of 452	3200	Cjpckf32.exe	100
PID 3200 wrote to memory of 452	3200	Cjpckf32.exe	100
PID 3200 wrote to memory of 452	3200	Cjpckf32.exe	100
PID 452 wrote to memory of 2544	452	Cnkplejl.exe	101
PID 452 wrote to memory of 2544	452	Cnkplejl.exe	101
PID 452 wrote to memory of 2544	452	Cnkplejl.exe	101
PID 2544 wrote to memory of 1804	2544	Cajlhqjp.exe	102
PID 2544 wrote to memory of 1804	2544	Cajlhqjp.exe	102
PID 2544 wrote to memory of 1804	2544	Cajlhqjp.exe	102
PID 1804 wrote to memory of 1996	1804	Ceehho32.exe	103
PID 1804 wrote to memory of 1996	1804	Ceehho32.exe	103
PID 1804 wrote to memory of 1996	1804	Ceehho32.exe	103
PID 1996 wrote to memory of 1800	1996	Chcddk32.exe	104

C:\Users\Admin\AppData\Local\Temp\4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471.exe
"C:\Users\Admin\AppData\Local\Temp\4f9c72ef2a9f64086fb4118a323b475088a3b135e318cf1f7beb00f547489471.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\Beihma32.exe
  C:\Windows\system32\Beihma32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\Bfkedibe.exe
    C:\Windows\system32\Bfkedibe.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\SysWOW64\Bmemac32.exe
      C:\Windows\system32\Bmemac32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:352
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 408
        59⤵
        Program crash
        
        PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 936 -ip 936
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beihma32.exe

Filesize
96KB

MD5
90f07dbad7f3dedd7bbf8c0514cc55f8

SHA1
dc06224fe7d2733cea41191604e5692d3d9a3874

SHA256
f3ab8fbf6c3c706e781bef2d126eb092e0f35ca2d5a48b4c50094d9e019188f0

SHA512
4388c68cf303f55831371c78da9ad6b01a9fd992a653fcd0790917a3d9937d3c7976aca5071ba78ddd19063807989a06db62128a03fd01dc420c6d1cb817023a

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
96KB

MD5
c48ef2fe3fcc4463234f17e51a3b4f6a

SHA1
c19305aab188410b7a4d69d4e8c7e793b7bef2a5

SHA256
54a4bad5c3507d0242e241194ed140989630a9b02f6c9926c34b85e21907ad13

SHA512
ce8935c995dcad7ee4dd139ae87ccb9f27dae5c5afcb302bf212ee776e35caa0ef85b92447bab24ad4d824ac9c8d914b26fe1cc4b06251c1360969ebe4937c68

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
96KB

MD5
317cdff35fdc88806593f1042f921c3e

SHA1
1d7ea68525f463cef7bbc0eca77ce22a0a89fb9a

SHA256
55f740bcc0ea2a3740ad2ec4d8f9d7ae433414f0977154adab16b4831b2b1a4e

SHA512
20615ae10c43666cd990f4dccdc63187abedb0bf8ee496a91d134194496bb6b2e9877e21cd2ae6aa04a58a19b5aa9c9159d4ab4c7320b0120b337f00426c7438

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
96KB

MD5
f0edbe2bf8ecb2d4f88272489ea357bf

SHA1
3ceb4105f1e1ed9dc7adb09f31dad419eabfead4

SHA256
fadbc113226182af1d85b71e25477bbe53b2ba52132561ce8fae91f1cc5a6c53

SHA512
750709f612106985f01cb6a1bd4af70ad6832da035f04af141133ff62ea339aa82ceed32d8f550afd1482b2e73361c1f7c577ed03cffe53e027ea5e263b9009e

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
f93ba5123ef0d8fbfcee8e3ce8b120eb

SHA1
2718d74646069f9fdd60fee88417a91b5e5ced1f

SHA256
a6dd20128bd4e2a5f9f63c407a8d2746ea50ffe59420cfe6910c154e28309f0f

SHA512
60ae31315b749819ae03cc58be6a46e94b6d0b112937386dc36dc078e2476f6a78415c6668f49c021cb5da9e54106a597d59dce20ff9e47a8bc89ae5acc14907

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
38e64244ef4c2eb32903747f4382285b

SHA1
3e63bb4fe44acf54ec88d12f0ea86e540101c012

SHA256
4e2a54221a7a7a778ae20a9aa1160edf62f109b805ee6fd2db68778eb9b3c893

SHA512
5b0004564b876bf8dd34f54b64e11fcc46d3ce15a3f893b8920fda4368d8c9eabed6adec1cb9112ff5dd8f98b9dfe7f1391150db35a7515b5a551510f3dc7d52

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
973bd70e8070ce3ad54cce1c278e2358

SHA1
c5c9963e7c4c6acb74da333cacc62464a81dce43

SHA256
58cf00070c9f7e0507339f8689c926ff515d914d3b33972a5828f688f4304b47

SHA512
7d2f2beabae33914678b2c7e6b976fa33c3d15d5c8fae5f72336dae963c7e7f38b5326939cb32b7ae8990afeefd71f70625c16f95a1ca711a6e2a6a5968f1aec

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
ee6a277bd5372cb05e9e1fd4792e6e24

SHA1
c5413131676382b19643c28e52e6104c96b2834b

SHA256
c27428a86ed71a3a566fbfa95296f4ea7f87c9d519226f923418c21e2fa0a354

SHA512
fac3d7a55eeb9b57ca7e9475a77e75ea0f4649cef3fbeb21127c60c632c9ff88b1c5c59371fc53c69bb65ddc0baa5d3c14960dc3f0ae2dcaca42d564e3fe196c

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
e5ae2b2b00e0960106ff3d68ea55bfcf

SHA1
de4cb35aab7ba52fc69293f74dd41ee97431c360

SHA256
ce4af93e340f7611f7e03cec995b7ad45d9de54efb1d74d094fa2d003cf101a3

SHA512
cd302b216f8833c4d738981f070b8153d0e266dff74cab5d708462020829e87f0c8005f8c429cec386627c2867e9beddd357c2396a86b88f3d6f10e089ef3f0d

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
5da67c05fbf0dc6682e572b33351ae4a

SHA1
2bce126957637dcdb0bd4e464aecea77c9345878

SHA256
7997b310935bb9c7a59d9e11b6536d82cfdc473b9107ea51b5f7fd3e6fd52293

SHA512
cfcb24a4d7871a6cb9667080e23cab807a48ca51d12a606a76b79533d80db2c3b2603559917b51789db04099e11319f56afe15cab5b939faa9df3e13957cf8bd

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
96KB

MD5
62e0444b5676967b685c678d94e905f9

SHA1
2c68db92b433584f04c44fb8ad43675721408dad

SHA256
ff368805470304735d00b3ed8371e5bde6675a6930d50aa393335fd16216818b

SHA512
22e7bc5dfe537feb86245475bbcd1522a82393938c05463617048955c68e699affdac445c2bfadb8e764d55faa133fe553bac325e2f52d4202a82d7e96f7d6f3

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
96KB

MD5
a300402c6cdcbcb2d2328ec26a8248ef

SHA1
937e68448fcd4c79ba8f5bfd23cd113942a9a7fd

SHA256
b6016d7ae9c33f1648cd6bac3d754e2b3699d50285b27b8b01d2be7949b472e8

SHA512
e24bd7a45b4d24cd9f8064f52419f80de4b1a8f30cbee942b9cd2b0a49bacbc3a16f7786b89893c15792fcd37a93eb85c95a763524daeb38a2917dc94a7f3ddb

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
96KB

MD5
0a95d3833b3b239fd2ef150b7e20a044

SHA1
e5ab75ba4439a1adb699ac6e405b507a08cd4093

SHA256
b6b4e75ad934c052355e88434fec9ffd0628f02569c8fa01c96686396fa29434

SHA512
cd13ffe3a383277dc6269fbf4204e39f693784d3dbdfe249e79ef2497686ee060be252c4dca8c21a8bd41b41f38093fd84516dec84b2f00287dced3ed96a3e3e

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
e7d4837c8626cad60c3490f049725ef1

SHA1
3efc0b5b3cfd03dc167d5b5a4cb8ce1f243ba3a2

SHA256
20557846784774bbca9d21157df3af71c577082883dcba4b019f6881a021b5ab

SHA512
5d04978d2c4d569e31163b599a70fcc03149627dd66c682b947bc368b0fd1d4a286fdf94a3c594b7bdbd8d543a112b64a4d2c58cc58c93c956857dcae1d24666

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
03c3425bce3f9438373d84fb2762eacc

SHA1
32930c56541cc00f14fe080a0678de33544ce8c8

SHA256
47c06b6295fe3d3b4263aff0f77526672587a74eb0ac6504046698496f3b84b6

SHA512
5aa7919bcf29c08c19e0d664852ae99ffd6a5ee306acaf19fcbb7daba0316cbfa707523b0625192e7717a7519d1030559aacfbffabb58446f9d096894c1f49bb

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
6025a0dc99f48a38ec5b330421fd753e

SHA1
6a321d446bba07c17b4795beee621ccfebd31833

SHA256
86a59a4ced50234789401d5238cbdb735d5a6f9893493bc3451891269e4a89dd

SHA512
4c79099b16c5390bbb388b3c8c40c6c89e678cc3d3d4090f4bb465298824fba52b9386a05717ffd0924cc7f448f2f687baac462edf34df3372398892cb92e4ab

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
f5e7271ad95122c4c4a5cb6f021437d1

SHA1
70da96b764e947991e1fe2902e0a1caa3d46198a

SHA256
aba039f8feb2c56e0df8520fe5609bcecd7882d8ee07e27e9fea0445c9e3c47f

SHA512
331de5bb32fd14ea934a09112e5e75c2fc6102a24d8dd57e323b10b056f5af4c42bdb4fba28d614abf43fbf424c53ad067a272f9fa3fd2ec01aba349ad4baa50

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
ca2e6c8b075d6e0af3c9244b64b070f5

SHA1
8ba20b65509328956eaa0185fb5dc19ef7400e07

SHA256
76eb7b66f1a0862aeaa2d8749ed3ae1663e151a1f518df93d2dbd1215f3d5f14

SHA512
12f114bd99be2ac6704e425fc3a1af79cc3f68c7a66d69403a9fd372703b412dfcaa50b4375d0303292d45bae6a3caff7bb0bbb0c2f6460dbe74f086e7bbbe03

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
bd3660800aed6e3a11cbfad58a82a620

SHA1
26036625ed85a6b35235128a8d577f929037bfea

SHA256
9f01f69fee8f99a3d894e67457723b5e6ece2588455d3f947b8f1be030718dd2

SHA512
736effbb54a409dc3c6e2445f72db9be9000994e26cd176b63c1fa4b68b8262b4f7cbdba693ef524d34f82dce6ed1df0c42985ebe313ef92cc77123948d0eebd

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
96KB

MD5
9a2057f9b9e4804203bc05d09fa44173

SHA1
6c425ea2e2b869822db48618cdc43939b68c0930

SHA256
1951687620d1f952112201596db82d6ba66701995238e74471d3966eb506b80d

SHA512
721cc0626950b301cb416d26744bfeed34b4364ab18e5982d691d709d882517c544460e6208aed17e2346d10292a4230639a5926dc66e2b6686d71806e434c87

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
96KB

MD5
d93e6e9a678c108ffa787a575509ee99

SHA1
528b3017ba1ce5c910f48d2d55cce914dd4e8460

SHA256
eef8b3b52724759bde1f3b87a07274e27fd0805758ed011b23c9707acc4fee61

SHA512
fd2599da4bbf5b6303a55fe04642297f3d3b4b539190c46e81e8a61870ffff694f0fe1b823e1816bddc7d32b8f474a9135b2d14c00663f0f421a69fb4f6e0935

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
370319bd256cd2195a85a510ceaed2b0

SHA1
46db076262b26162c5f9432dba595c8c157a22e3

SHA256
5bb5ffaff006075eed58e3b9aefd4d9b48516403bc4036d78117d6029c3b690a

SHA512
956b8a32f5844994f6bd657d2dd5673ca861b07cd014b459e962622a1fc411fd9fb3d1d006c502ababfd3df437836b9e6307d034da2d2d40d00dfd0cd797133d

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
60cf5d8c432558625e4301d43d8d7119

SHA1
cd7097b6ade44d7c1770a33ae023b2bb92f17a9e

SHA256
13f2f88775dec03b6779eb43f412b518e777e68fd6029b1151d8602fe420ab6a

SHA512
f99d897b346bc56b0e4233ec4e3fd805cd3a551e80e368b32f2b3035061a97386460e90fa300468f63604149ca9f7b163684c99136ab23a8481dcbf6171dc532

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
342f561a01df10f9dd4d6f56a5865b02

SHA1
3466f03dd49ded2718add9fc6af300d08bee30b1

SHA256
4f76bca25144b0df8ff2421cfdc63c84494446e92861bf14807f134d0abdebdc

SHA512
b15978b98a5837a1a88100ce502a85949e26ea01f216789c9061c41213aaead125d1769ef571f248710ad75279ae80ae1447f31acfbdeb65fabf63dcc88b240c

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
a225ae0a6596f57ecb716120a74db273

SHA1
ce37a031f5a09c561cbce449b346e4da798e6be9

SHA256
63b471f9aab41106309118220b5ce4857d9b62912c71189196b49619105d4800

SHA512
32e558ee240f4ce2f5e0de9652567656ef6aa693a832370260ba0467f1a7574ca5fd57ead641fadec919eb9a7c773350408477ed8aa5b9124f19a7a1254929c6

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
20ddc8a96862616090d2dd4610021c89

SHA1
5d416c1f418426cbe56878fc08a1c53b4bcf4a4b

SHA256
ba63d3d65c13faf747dff2a5def214b09b4a867175e8a7a09b96d8f732ecb70e

SHA512
d81993d0326367659eb88860d622a8e7816e2a61cfefe9a89a12de6fff2b9c0536cbf9b5f8b579abe228974bf54a2ee8e1d52e58dbb45686b28fa3c8ff274f11

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
96KB

MD5
1bfe5e74124b1b9fe37700d8d50bbcf4

SHA1
7cc21fd46824cb7be23a9f484801a6df36f70c9f

SHA256
e0515a6ded565d509be6140851951c1288d171645eba7c38d4131249edd45b08

SHA512
b664867b3ad085ce3b972f5941249af395174180c5f6c6b60badd9dd3ab245216d3089300abc1abd9c70ab2eab920bb21ab7a76b42aadfbafc889a1edaed2dad

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
03fe5c916373b0855a7e150cab492ca1

SHA1
81c43547b05fb49bf4082c478edcee547657b413

SHA256
68c5ec63a361e58ddee7699a6e29d989a2d68763932b90e183124071680d19b9

SHA512
200306778cdf44dd7743f370fcccedfdb6e54025d2c009f3c095575c817efbcc427f2f582b327c3c33e883315a4fb9b16e5edeaf75f7f768234a27233103b542

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
c64fd09ce68ef6c843d002f525248199

SHA1
aa91ee69068be3daa6b31699f0cd59f240257072

SHA256
d80d660d3aa15289e8836191f5f8f2e7aacd53148f2cb4061338ea9a5790204b

SHA512
5dede0068be48bfdccca3db49337f9a4b999f184e5b25fc7141580f077e852531905e25e5bc079f41bc574eeecc612d8c8c008f7d9d18d3e36040e1d9bba1a78

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
4f1d5923c8961c41a11b1df3c1b17445

SHA1
1412213fcde01aa76573dac92aa2a8b3808d598f

SHA256
d5a1cc61ffcf5e63f8313735847832b375ad3a44d152b7ff2d64a48d0a322a85

SHA512
0cd0c1bbf2f1e2fe293e30e536d8e1b08c8a680abd88010b7258beb3d165acfc7c2af9d228ffcf76625bd73dade65da83029c7608d24f4e2d7e1f50ff3b9f760

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
87791a6409e0dd94ad2aef20aa8970d5

SHA1
45b6d0747071e958d079b81ad00aeed8b22dcede

SHA256
75995bafb5d8696021a7319917ca40526b20ef21f9367c8106288f64a79f5c60

SHA512
753021df431181b739c82d2b2912e9a19b24e6688065893155af700ed5b225df096f5aca148eee82278d40d251db04801a22a51acb3bd20a09bf0ddb73fcb9a1

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
4cd62a6aa7dd26ceeb0ef1a5ec9a5abb

SHA1
0baa75448c743ee60cbc84a16aa52fe2262eb73c

SHA256
0f9e93477cbfcf339b72440a030710af846ad016fad9b09edece88e3d44e97bc

SHA512
931a339b890207c26d56ac6bff9b13a0c259ef71e86ee104e69af4a831fe9c41300bb7181ef91c3bf257822f27b593fb2bb722354e65477a79191a846a8a05c5

Download Submit
C:\Windows\SysWOW64\Ogfilp32.dll

Filesize
7KB

MD5
4cf2632729e912c095a2327c6723afac

SHA1
8cd6b8cbb8351af1a3076a5b72d01383fc43c15e

SHA256
e15319822c60c2a1f4963c7890a929efc3700b3ec5c31d740d7064c68d41cea8

SHA512
2d7189c6137b748aecabe4f61efaa5296b38edadf85230f9129989750b983d374ba5275ff30341bae56541a760adf304db905e3c4264a1e1bbfc14ba5020b2a4

Download Submit
memory/232-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/352-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/468-393-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/936-419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1020-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1112-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1112-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1444-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1676-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-217-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1964-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2032-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2032-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2044-399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2204-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2308-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2308-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2340-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-209-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2544-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3200-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3208-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-225-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3296-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3296-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3304-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3304-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3312-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3548-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3548-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3624-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3676-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3892-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3956-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4132-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-265-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4192-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4368-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4380-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-102-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4636-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4664-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4700-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4700-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4704-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4704-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4844-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4980-249-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5004-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads