berbew | d5ef9ec75cb127cc5c262e9b3295efea762b0355786f69f6ed12dac4ba3acda7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5ef9ec75cb127cc5c262e9b3295efea762b0355786f69f6ed12dac4ba3acda7.exe
Size

85KB
MD5

6d7b1678cc03f42e0555879659a61306
SHA1

fd43859ad39bd064d8a731c3be755d4d32cb5416
SHA256

d5ef9ec75cb127cc5c262e9b3295efea762b0355786f69f6ed12dac4ba3acda7
SHA512

8b699770878927bd46bfc3d0a41329aafe02f56aa2594f1ab477d35b01d72b6b162f37d27aa63369a0995467985488e3ebb8038b743aacd04e465c642d8effd4
SSDEEP

1536:JL6MCryEIjh7OiFwjXYGZk58LpZ2u/xmfB2LHx6MQ262AjCsQ2PCZZrqOlNfVSLA:JzEI97OvjXYyk58LSjaHx6MQH2qC7ZQA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 57 IoCs

pid	Process
2536	Afjlnk32.exe
4568	Aqppkd32.exe
3736	Afmhck32.exe
1648	Andqdh32.exe
3876	Aeniabfd.exe
1440	Aglemn32.exe
232	Aadifclh.exe
4004	Agoabn32.exe
5052	Bjmnoi32.exe
4476	Bcebhoii.exe
2816	Bnkgeg32.exe
4424	Bffkij32.exe
2196	Bnmcjg32.exe
4380	Bmpcfdmg.exe
4668	Bnpppgdj.exe
4980	Bmbplc32.exe
2380	Bcoenmao.exe
3380	Cfpnph32.exe
4832	Ceqnmpfo.exe
4308	Cnicfe32.exe
1872	Chagok32.exe
2104	Cnkplejl.exe
244	Ceehho32.exe
4128	Cffdpghg.exe
4396	Cnnlaehj.exe
1356	Cmqmma32.exe
748	Cegdnopg.exe
4560	Dhfajjoj.exe
1368	Dfiafg32.exe
4684	Djdmffnn.exe
3940	Dmcibama.exe
224	Danecp32.exe
4688	Dejacond.exe
3804	Dhhnpjmh.exe
1208	Dfknkg32.exe
816	Dobfld32.exe
4012	Dmefhako.exe
1304	Daqbip32.exe
1980	Delnin32.exe
1988	Ddonekbl.exe
4216	Dhkjej32.exe
1236	Dfnjafap.exe
1104	Dodbbdbb.exe
3464	Dmgbnq32.exe
1596	Daconoae.exe
4328	Deokon32.exe
2580	Dhmgki32.exe
2372	Dfpgffpm.exe
1856	Dkkcge32.exe
4896	Dmjocp32.exe
1560	Daekdooc.exe
5112	Deagdn32.exe
4904	Dhocqigp.exe
1240	Dgbdlf32.exe
4588	Dknpmdfc.exe
4296	Doilmc32.exe
1384	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	d5ef9ec75cb127cc5c262e9b3295efea762b0355786f69f6ed12dac4ba3acda7.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe

Program crash 1 IoCs

pid	pid_target	Process
1792	1384	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5ef9ec75cb127cc5c262e9b3295efea762b0355786f69f6ed12dac4ba3acda7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2536	1688	d5ef9ec75cb127cc5c262e9b3295efea762b0355786f69f6ed12dac4ba3acda7.exe	83
PID 1688 wrote to memory of 2536	1688	d5ef9ec75cb127cc5c262e9b3295efea762b0355786f69f6ed12dac4ba3acda7.exe	83
PID 1688 wrote to memory of 2536	1688	d5ef9ec75cb127cc5c262e9b3295efea762b0355786f69f6ed12dac4ba3acda7.exe	83
PID 2536 wrote to memory of 4568	2536	Afjlnk32.exe	84
PID 2536 wrote to memory of 4568	2536	Afjlnk32.exe	84
PID 2536 wrote to memory of 4568	2536	Afjlnk32.exe	84
PID 4568 wrote to memory of 3736	4568	Aqppkd32.exe	85
PID 4568 wrote to memory of 3736	4568	Aqppkd32.exe	85
PID 4568 wrote to memory of 3736	4568	Aqppkd32.exe	85
PID 3736 wrote to memory of 1648	3736	Afmhck32.exe	86
PID 3736 wrote to memory of 1648	3736	Afmhck32.exe	86
PID 3736 wrote to memory of 1648	3736	Afmhck32.exe	86
PID 1648 wrote to memory of 3876	1648	Andqdh32.exe	87
PID 1648 wrote to memory of 3876	1648	Andqdh32.exe	87
PID 1648 wrote to memory of 3876	1648	Andqdh32.exe	87
PID 3876 wrote to memory of 1440	3876	Aeniabfd.exe	88
PID 3876 wrote to memory of 1440	3876	Aeniabfd.exe	88
PID 3876 wrote to memory of 1440	3876	Aeniabfd.exe	88
PID 1440 wrote to memory of 232	1440	Aglemn32.exe	89
PID 1440 wrote to memory of 232	1440	Aglemn32.exe	89
PID 1440 wrote to memory of 232	1440	Aglemn32.exe	89
PID 232 wrote to memory of 4004	232	Aadifclh.exe	90
PID 232 wrote to memory of 4004	232	Aadifclh.exe	90
PID 232 wrote to memory of 4004	232	Aadifclh.exe	90
PID 4004 wrote to memory of 5052	4004	Agoabn32.exe	91
PID 4004 wrote to memory of 5052	4004	Agoabn32.exe	91
PID 4004 wrote to memory of 5052	4004	Agoabn32.exe	91
PID 5052 wrote to memory of 4476	5052	Bjmnoi32.exe	92
PID 5052 wrote to memory of 4476	5052	Bjmnoi32.exe	92
PID 5052 wrote to memory of 4476	5052	Bjmnoi32.exe	92
PID 4476 wrote to memory of 2816	4476	Bcebhoii.exe	93
PID 4476 wrote to memory of 2816	4476	Bcebhoii.exe	93
PID 4476 wrote to memory of 2816	4476	Bcebhoii.exe	93
PID 2816 wrote to memory of 4424	2816	Bnkgeg32.exe	94
PID 2816 wrote to memory of 4424	2816	Bnkgeg32.exe	94
PID 2816 wrote to memory of 4424	2816	Bnkgeg32.exe	94
PID 4424 wrote to memory of 2196	4424	Bffkij32.exe	95
PID 4424 wrote to memory of 2196	4424	Bffkij32.exe	95
PID 4424 wrote to memory of 2196	4424	Bffkij32.exe	95
PID 2196 wrote to memory of 4380	2196	Bnmcjg32.exe	96
PID 2196 wrote to memory of 4380	2196	Bnmcjg32.exe	96
PID 2196 wrote to memory of 4380	2196	Bnmcjg32.exe	96
PID 4380 wrote to memory of 4668	4380	Bmpcfdmg.exe	97
PID 4380 wrote to memory of 4668	4380	Bmpcfdmg.exe	97
PID 4380 wrote to memory of 4668	4380	Bmpcfdmg.exe	97
PID 4668 wrote to memory of 4980	4668	Bnpppgdj.exe	98
PID 4668 wrote to memory of 4980	4668	Bnpppgdj.exe	98
PID 4668 wrote to memory of 4980	4668	Bnpppgdj.exe	98
PID 4980 wrote to memory of 2380	4980	Bmbplc32.exe	99
PID 4980 wrote to memory of 2380	4980	Bmbplc32.exe	99
PID 4980 wrote to memory of 2380	4980	Bmbplc32.exe	99
PID 2380 wrote to memory of 3380	2380	Bcoenmao.exe	100
PID 2380 wrote to memory of 3380	2380	Bcoenmao.exe	100
PID 2380 wrote to memory of 3380	2380	Bcoenmao.exe	100
PID 3380 wrote to memory of 4832	3380	Cfpnph32.exe	101
PID 3380 wrote to memory of 4832	3380	Cfpnph32.exe	101
PID 3380 wrote to memory of 4832	3380	Cfpnph32.exe	101
PID 4832 wrote to memory of 4308	4832	Ceqnmpfo.exe	102
PID 4832 wrote to memory of 4308	4832	Ceqnmpfo.exe	102
PID 4832 wrote to memory of 4308	4832	Ceqnmpfo.exe	102
PID 4308 wrote to memory of 1872	4308	Cnicfe32.exe	103
PID 4308 wrote to memory of 1872	4308	Cnicfe32.exe	103
PID 4308 wrote to memory of 1872	4308	Cnicfe32.exe	103
PID 1872 wrote to memory of 2104	1872	Chagok32.exe	104

C:\Users\Admin\AppData\Local\Temp\d5ef9ec75cb127cc5c262e9b3295efea762b0355786f69f6ed12dac4ba3acda7.exe
"C:\Users\Admin\AppData\Local\Temp\d5ef9ec75cb127cc5c262e9b3295efea762b0355786f69f6ed12dac4ba3acda7.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\Afjlnk32.exe
  C:\Windows\system32\Afjlnk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\Aqppkd32.exe
    C:\Windows\system32\Aqppkd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\Afmhck32.exe
      C:\Windows\system32\Afmhck32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:244
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 396
        59⤵
        Program crash
        
        PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1384 -ip 1384
1⤵
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
85KB

MD5
558018bfc2ee4a05add1e6ab92c99f2b

SHA1
7a354bf0e215eb992b6d49fd047e122ef588a9a0

SHA256
b19c905d1e7bdea45e4591fad46052652a73b1a743401551e73c2307f9a75491

SHA512
4bcecf8f5c2893a4b75a5e76ead847e4879cb4b1769af14c1d2ec2577f43cdbd3ae9ccce9c8ef7d6afc53510214e26c372c20483bbef1a66c851f56de6d83dc2

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
85KB

MD5
f8893fc565b0fd12c127175ff2b1128a

SHA1
22f2589104f12e5ff425587a639958b220da7d0d

SHA256
3e49ab2f364130d7e5da6b6e49f752d81ed5274476117bf3de7ed678145160fe

SHA512
cde573b41f7871263f95dd9bf3a456159c04b024b5073b9270404a9942c4a0f98ba80f793ac17c338b528fb6462959dc9913628645c4f1e1976bf9513b146fc9

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
85KB

MD5
94874c7ac2663097f131da235ddee057

SHA1
f9c2afec8698c9b07ffd82c50aa93fb8074710d6

SHA256
8164e7b161a39f1eaced0e2d6a54a82835d76059fc46a3ac2afb19e8d4298980

SHA512
b6c47fb7baa7251b89921f6faa42a21eea7682b9b2d13ebbb9f22cbb078a87d3607ef1db2f8acfb7ebc9e6f16f1d18fff94af82a9f96a9e790c2792beb117ee2

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
85KB

MD5
82f1ce4d9f9ae9f546b9bb7b8919a90d

SHA1
98e0506bc8c647029678049b607968898a6e331d

SHA256
6114f2fba32f2d2cb2cfa03a1117a7e928123a35aefa98ff7abbcd5ac7853607

SHA512
76ec0fcefd13f5545976262b7814565b0e23f2d75e20c0cb448427f31855c71a9dd7194d064f2a26fc488645dd046de25fda9c9563cedef6d23fa312a12a7989

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
85KB

MD5
ec234985b924235c0b5c8f22a8cf5a01

SHA1
977e5ca42aec18fa62e1fca113a2273ad2c9f6e7

SHA256
aae8d6f35e10dcd27115bb82c28b2547e2f744f55f5a7be7184e6418d8fd60ac

SHA512
0ef4501ec131a74bd96f033a05ba5ca68029c946e438d1e35fc153d8ba48102f1fd9a4d2971ae885049841b36ec876439b3b9026acbd8574e3ca8bcc90b344a2

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
85KB

MD5
f48253a19847a89f754ef54a7174368c

SHA1
c2ecb72dc01658754776be636fec5ee44fa95342

SHA256
e0ead5d3c64fe8d8484712369647ea473ce8465a3f22abc7c3bfe1feabf43014

SHA512
5b41933770a7011cd3b3c4f86b187dd60ab5b8fadb7915d72faf319fa10a9250b021902d8af06ed909748f0777953b9ac49dd899a17115c53ce3c2346f8d4d90

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
85KB

MD5
39bd453b210ed47e8c1fcaed336ac6d2

SHA1
ce3eedc1d50fafb0fa0074f6b745a71f68270ff4

SHA256
27e8f042b14e23f90c818845e755ca750cfc1e6375c401fd11dd38021fc7b884

SHA512
6ba87ee683486759db6c407c30e62014b163513aa09a146e8b0b0da8e2d3257e116f7d1e87a80fb1b3420daaa3333e88ef59918f5276605f81569ead09d1d29e

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
85KB

MD5
beb9ba8619c1b45b435fcf36b9f73661

SHA1
06f61cb8cbd3c7f2b9bcbe527b894178a365ef15

SHA256
c6aecdf609da97c7e517c15e4da16219b0257b3d2f50171c96cb928ef0ff6fb1

SHA512
b37a5f18d97fe28bc01c080bed6dd9764b2ef3388143a15fa510a2e166aa5c1eb41431275853260d1894ddd7916f3d5365055932c9c826344e0046d20f907d47

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
64KB

MD5
d2c8f928d87a73779767d6f7da023726

SHA1
03db0db9d3adecc1e9aa32d0d59a9dae1a11243d

SHA256
7b7dae859b31071b8b4418811690c9cbdd4a24fa125465e45f7a1be0f429f860

SHA512
7b448b44ba5ef04b341520ed852da110022be7a1f9cda092b811ac789f53aeef1e77ddaa59770f334ca26f7c0afe82f1822686161a070f4c2e0f7c604cca4824

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
85KB

MD5
223aa7fcc63b8d82e98bc09f3291ecbf

SHA1
0d582d46a2f76fe0c8f24d845652673bab23f6ac

SHA256
a88ffa9aab8dde1b516739610b589005813c5ce03cf786662e08c84eb91b3e8f

SHA512
17c210cb1fccb28f24989f1803643822af18e9498f7cb920f3c149bac137d5bffa04e38fb3b025b7f0c455b2a09b13d437ec9d258a2cf4c7651399ba7e59224b

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
85KB

MD5
68aca7b854cd58d7e3bcaea5c719f8ec

SHA1
f8aa07cc39cfb866d8228d6c7dddcc98deaf750c

SHA256
fbcc9f397a4b527299e7819c573409b4c467b86408a66f16bae9a4cda6e75da3

SHA512
d0c36f8d2262c02baca7b59a15b0ebd0a5a84391981da5ccc736e981d760ba8c6e954457214e9bb2b4abf51112426d9b076787dbac0db855f9a0c352966f74e2

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
85KB

MD5
c00f775a3cb23eda55ae858805533534

SHA1
9c8c4dafd0578fa1df18d695d24cb10a8f502bcb

SHA256
07c2b4324ab7584b39b7166a33508dffd686b735a4a7d54794081535596138eb

SHA512
81ca58061fbb13b18d2e44871e48c6914a63bc4f0d0232c4238f1593ac9c41a0b39a3d4861672a27c3f3353fc5d9e745b5eb987a0d9ec56b057997c4c23a2d8d

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
85KB

MD5
3b360321a836ba35a038a560542213d7

SHA1
2ad37bebd4a811849ace52f0918d37ce0cc72826

SHA256
fe227eb74941e84289b545b40eedd794041dd530f566da7aba7cea2cd12709db

SHA512
12025baed1e5085ff46dbce464bb44a6c9122c70d759c1f6819f8150109bce779c8f3ac4a51b6e81979f22595c462a276b424f85e097ec4e51c79b5d35ac4751

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
85KB

MD5
43b0b609cd927ac2471dcb853f6659e1

SHA1
e2bdc334d3d384d4e3fd5c2abbcbd94455cf99f4

SHA256
3e94d29d492b7dd82ebb68b5f1d2ec498d3a51c1453f65a4a42d82a1f8083a8a

SHA512
1baf188c74d572ed1cc61d4cd2a6d686409060f5db640291e7775b264afa8a79c927ed6b1dc66656681ee81863050922d44981e319b7697d6d60ad9491b35dbd

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
85KB

MD5
6f55135f22702d613eddc246f9bd6001

SHA1
88325f3d782f4e920bebaeac2509e0ac4cee4e8c

SHA256
966a3e407b1be759e4c866aeb4a7f1be7226cf6c559034ca1a1bdbef3b11c40f

SHA512
a037bf28f8870a29f50c263a52fbf13729b9896932177443b9dfc0b948f8aefd2bc600f229c192b84b310988bb4e4f97de39e41b45f8d3d3d0a4f3d635de6e1f

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
85KB

MD5
a44c3115b9827938020d682647aecb96

SHA1
b020bed4fa13d7b5ce30979c0bbeb13c05488948

SHA256
8b2c91eb5d58f8de06829882b08e987a81b63df0e6cba08019b5e9372f118370

SHA512
798d7af1ad57ddb2d25700ea62be1440182bfa492cb5882a8c908ea771433eb94063e21c5f54ab4acfb365c6bdd271fd5dd063aee6a78e8936cfea3d3b71ba2e

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
85KB

MD5
42f8d374284b3609c57476640d774094

SHA1
7bef91fa85cf200baec685f7eaf4b2dd705af6e1

SHA256
f604f459ef638907e994faee89c6dd6211e442827c6605ae7af4bba185d96fd2

SHA512
e552f3c8549658f22db71e912422c226cd077d738920f4e0e4f5677b59991129077116666c2a73951559d8f9c82b4431be3375c6db6ea77b62bc0ee4448eafdc

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
85KB

MD5
239404bb4c23f28b671043c796f9f2ff

SHA1
9ab592204dc28e169267052d5efe72daf611ae37

SHA256
ff894de3f0672c73e235aba61e3d2a0ae9b12a89b1e55ee1a6db2baf7f687266

SHA512
7fffb97cac8292d8856a3371d1a0a62f3fb6b22909a565012879cbb1e6f4eae853e135f99578ef0e7a0771ba338ecc39f48dfeaf98ad94b97f2431e237ee6d46

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
85KB

MD5
4ec64a4fca8ce92980cea167cdf6490b

SHA1
f6c9ad93ed4afbff03bdeda1312619aa38db4753

SHA256
eed37df6378cb234358e914d3b7efc63bd0518745ca5575d190b0f86811ba195

SHA512
cc170f0aae76933b6dc168a9f03f9852847a6b8413808d4bf2dce0a78113bf90cd3b1a86ae83734804c291742e2cf6a3915c84c90df8caeee9b55b4e6e1b8368

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
85KB

MD5
30af155f1560ea13db8a46254212cb85

SHA1
fc8b1117614f36af4f4661bdef0f31387e907c3c

SHA256
f07741b5059f10cdebaad49e2b5189063779403830a17f561182bc33722ed613

SHA512
042499ad3d5fefe79e10d9e17b184390765d1a961b6a0a95162a3682158db4eeca4fca4c2394d7fe0f33a2b489c6c8e5a10d2f30859a3822630d9e44da84544c

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
85KB

MD5
347a8df69734e181f3b1e8964ef6cba6

SHA1
a96acca2df3a80583ff431e07c3cd668adf2acd1

SHA256
89b971333599ebb0011645472dce21d80459cd49b551ffdd6ecb8f682064f345

SHA512
54a4818ac030bfa5305ab8f5c5f7464ec52b19b932c13474492d110fc85c1f98d67921aff2f301a6e60ca26545f3ca222eddfe8c00cf9caff72f782492bd47af

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
85KB

MD5
a96be399bd7bff9e62260da0cf7b8f9e

SHA1
90264d2c57c67482ee6f3b42135c1fa6085fc13e

SHA256
b79356857b6294562e6bc6735a2ef439bfa9c472b023309e1c6be3832c23fab3

SHA512
e34ee6b5a4afe7cd524795f49a13a366e0e7d6c46348b1227dc32c7838fdd879a75836a798b778e9bd2137391fa2d448256d91ce217973b8c222b787dffdd8bb

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
85KB

MD5
b8a1c61872f842686499cd93d2df7388

SHA1
0635a7e1f0ec9d46fb732038b25a26db57ba5fca

SHA256
375506a9dda30ab9dae0479f17035be87dd2a76a99a8a9cf7cf51cea50bf48b7

SHA512
9b0c2fc25e449e75ec53652ace64715b309e21eb20bd8a14d5e9a4290395ecdcb291aabb1c6fb40abf1b52e14d7a5040582602410fb1867ed8813cd1b7e0c4eb

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
85KB

MD5
7541256b3ca6ccbec1adbb7ae27ed6d7

SHA1
70b55e488370558f17525b9e23233f19f54dacc9

SHA256
c41eba14ffae70fd127fd023093ce76386b9f7dd9e466dac669e302fd4da05a6

SHA512
c785149efd72067f8b2fd8997ec81bf6ca3d86f287ef58c30e3a6ffad56ab7a5ffba920e02b01d71256ec9abfd7e254bc887db55b7d0e441adae5e040e7516b2

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
85KB

MD5
09c16d2aadfc2c3cba522ee8ca134e7e

SHA1
c0d6a4be0a292c75ae2ff881b27ea373ef8be8d5

SHA256
4084f7bf17053923941e0eafbbb4d54d65823982938c9f29322edac035cf7a71

SHA512
2ade46473e6e527ee85b07b50b73b9b24b2d2e863c78545a8246717e23ec78d46e09a84e1f5ab8b99de1a714090b4b4ebab7e6ed8c0d6d24f0e62e4076de1b2d

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
85KB

MD5
7512dfcac1e05fb5aef046e197b632b8

SHA1
d30cf05a3e98da2e7c42fe26be4709dd6efdaac8

SHA256
45d3ea4104f13d187ee43d9c8098a87b5007774672055f3c47562c83b0ec51f2

SHA512
8b93733aa6db1852c9fb514ce4fca927487cf118c6b0e44d7557a2d0b116541ca12056cde86ed72ae62a6f78c1996146b2f4183854788910394f4efbf1a2bfc6

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
85KB

MD5
ef749621b942bdf845708a705753cf48

SHA1
44c04458321d0257b11492f37ee43d996ad0c1d4

SHA256
d2862be26c3fda9062da7a5688573a6ef7ab3c590ae6953e063ee6edc2eaed96

SHA512
b1df47e194942bc7cab9bb6fa6c7713f85ce24f08c0ced3eb1777a0c61b6063e78ba5ce5c6d9e642b7e33406f55e1f30b5a3f3231668c14a2a1764923a0b70b6

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
85KB

MD5
494a179e272eaee67c088661d7c74e05

SHA1
c989ff05c167b3a1416a2035c897838f19425b33

SHA256
bd7c6451b0f8d3132ef1bb4a8212969481541911264e9c829b1f5aaf25853d37

SHA512
07f36f9afb08dddea62f295fce990fa029da9a1b673c61aa6c38f6a154b83ebcdfde071a91ddd2d05b152a97bd3e81d80cfbcf21c7518cd1556b5173015576b5

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
85KB

MD5
6f77d766473b1278e28fff9d8affebc7

SHA1
82c37f3d70e85cbbdc05f1aeeb49abda34c654ee

SHA256
9aa4375281519466363b1cd35d6c452151970b2974ebc80033e311a6b9a8c2c4

SHA512
ec0bea753c7321cc26bb49399d0ea422acba742ce18ca0c8824e7bbfbfa0ea4d2cf8d8b8a3b973e48b1fe046e7c8c967ff4e441e3d3374c8a4ee2ccd4b9ef832

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
85KB

MD5
ce75f52b5b12bb18958c0cabc1876232

SHA1
4c3e9776fee9a805e599dd5f00b244d4165dabb4

SHA256
2a2969a4dfe294caebba6af5a9d765eb1c170b557c4c76cd9639c06c983348f3

SHA512
5d51eadabb519d57c873398fcfcc3017e0d37fb7ef5b52dde4c942b31f97d065ddcb3ccc1eb24e7a521787bf440e981c30fc6c799682a098b5c0a64e50e393b8

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
85KB

MD5
65f9448272218e045f2b298de80adc86

SHA1
7fe54f2b83a80c3018901d823d9aee8fc9895a5a

SHA256
de70532859489393336bdb6f991245edde4faa215a3f5af50a524c7d0cf2d074

SHA512
9567fae5cf558517b1c75990145a8fc27821004bf176841eccc0ae6de91d142a3e08955b37ff028748e9370abd89c10c703ccb36a11e69453232f69906e7c275

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
85KB

MD5
782294ed1a085eca92c70ab79a21a18d

SHA1
4b03517a1b7727cda7613ee339b6b15f4ebdd3a2

SHA256
f4c30022627da0866bf2678506af51d11e4eea4f2717d1549cda54c4e5247d02

SHA512
76e528557ff52be6e38612a36a0b9ddcac270dc6d223d653312d37319eb058763c40b8758fea7a53073c44cd5fa36b1d91d168a256f33655a21e7d327b5a33d4

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
85KB

MD5
644c9802ed0657aea388326e5db617ab

SHA1
bd9a84a5a9805f86fc449314fd9104e4804fb4cb

SHA256
422768adfff82ecda75e3abfb87a95ffbcf55f82fde7a2cba8706f1e9579b532

SHA512
3c2b35b702863af17259113d598882f3b94ba441da0928ad9c57177a64a603a1bd7a2dfd7b058e574cadfd733d94792b8925807880765a3fbad7d48570f252a9

Download Submit
memory/224-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/244-203-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/816-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1104-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1208-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1236-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1240-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1304-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-230-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1368-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1384-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1440-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1440-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1648-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1648-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1688-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1856-386-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1872-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1872-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1980-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2104-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2104-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2380-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2380-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3804-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3876-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3876-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3940-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4004-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4004-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4012-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4128-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4328-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4396-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4588-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4668-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4668-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4684-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4688-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads