berbew | b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
Size

96KB
MD5

fcc56bc3ccb6826683ff9b06e6836be0
SHA1

a4df070bd32b81e5d141b79b773b4dd8144e45be
SHA256

b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa
SHA512

cd3b164eee1dd0bcdef52b7afee59b41a3cceb429aaf6b957e1f6f17360f514e50fddf3c60bb8ef34dae8b36638954dc9d18bc043b82ced61f125672134de1d3
SSDEEP

1536:OAS1OqY36IknNNynDrUJtaCmnfl0mxiqTgX41qeto/YtMiBkWjaAjWbjtKBvU:5SCKIknNNynDrSUCmnfCm04AetXSqkww

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
5060	Aadifclh.exe
624	Agoabn32.exe
2896	Bnhjohkb.exe
2164	Bmkjkd32.exe
3064	Bganhm32.exe
2356	Bmngqdpj.exe
2364	Beeoaapl.exe
2648	Bffkij32.exe
3584	Bnmcjg32.exe
2928	Beglgani.exe
2660	Bfhhoi32.exe
336	Bnpppgdj.exe
1452	Bfkedibe.exe
3820	Bnbmefbg.exe
2144	Belebq32.exe
3412	Cjinkg32.exe
3656	Cmgjgcgo.exe
4024	Cdabcm32.exe
5084	Chmndlge.exe
4076	Cjkjpgfi.exe
5004	Cnffqf32.exe
2100	Cmiflbel.exe
3056	Ceqnmpfo.exe
3076	Cdcoim32.exe
3408	Chokikeb.exe
3304	Cjmgfgdf.exe
4308	Cnicfe32.exe
2188	Cmlcbbcj.exe
3904	Ceckcp32.exe
3388	Cdfkolkf.exe
508	Chagok32.exe
4336	Cjpckf32.exe
4392	Cnkplejl.exe
4868	Cmnpgb32.exe
2912	Ceehho32.exe
1528	Cdhhdlid.exe
4176	Chcddk32.exe
2412	Cjbpaf32.exe
5080	Cnnlaehj.exe
1604	Cmqmma32.exe
2096	Cegdnopg.exe
2332	Ddjejl32.exe
4456	Dhfajjoj.exe
2004	Dfiafg32.exe
3532	Dopigd32.exe
2668	Dmcibama.exe
3980	Danecp32.exe
5068	Ddmaok32.exe
2684	Dhhnpjmh.exe
4276	Dfknkg32.exe
316	Djgjlelk.exe
1640	Dmefhako.exe
3368	Daqbip32.exe
3492	Delnin32.exe
3808	Ddonekbl.exe
4968	Dfnjafap.exe
2168	Dkifae32.exe
3620	Dodbbdbb.exe
216	Dmgbnq32.exe
4836	Daconoae.exe
4152	Ddakjkqi.exe
4172	Dhmgki32.exe
3676	Dfpgffpm.exe
4976	Dogogcpo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe

Program crash 1 IoCs

pid	pid_target	Process
1540	3288	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 5060	3616	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe	82
PID 3616 wrote to memory of 5060	3616	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe	82
PID 3616 wrote to memory of 5060	3616	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe	82
PID 5060 wrote to memory of 624	5060	Aadifclh.exe	83
PID 5060 wrote to memory of 624	5060	Aadifclh.exe	83
PID 5060 wrote to memory of 624	5060	Aadifclh.exe	83
PID 624 wrote to memory of 2896	624	Agoabn32.exe	84
PID 624 wrote to memory of 2896	624	Agoabn32.exe	84
PID 624 wrote to memory of 2896	624	Agoabn32.exe	84
PID 2896 wrote to memory of 2164	2896	Bnhjohkb.exe	85
PID 2896 wrote to memory of 2164	2896	Bnhjohkb.exe	85
PID 2896 wrote to memory of 2164	2896	Bnhjohkb.exe	85
PID 2164 wrote to memory of 3064	2164	Bmkjkd32.exe	86
PID 2164 wrote to memory of 3064	2164	Bmkjkd32.exe	86
PID 2164 wrote to memory of 3064	2164	Bmkjkd32.exe	86
PID 3064 wrote to memory of 2356	3064	Bganhm32.exe	87
PID 3064 wrote to memory of 2356	3064	Bganhm32.exe	87
PID 3064 wrote to memory of 2356	3064	Bganhm32.exe	87
PID 2356 wrote to memory of 2364	2356	Bmngqdpj.exe	88
PID 2356 wrote to memory of 2364	2356	Bmngqdpj.exe	88
PID 2356 wrote to memory of 2364	2356	Bmngqdpj.exe	88
PID 2364 wrote to memory of 2648	2364	Beeoaapl.exe	89
PID 2364 wrote to memory of 2648	2364	Beeoaapl.exe	89
PID 2364 wrote to memory of 2648	2364	Beeoaapl.exe	89
PID 2648 wrote to memory of 3584	2648	Bffkij32.exe	90
PID 2648 wrote to memory of 3584	2648	Bffkij32.exe	90
PID 2648 wrote to memory of 3584	2648	Bffkij32.exe	90
PID 3584 wrote to memory of 2928	3584	Bnmcjg32.exe	91
PID 3584 wrote to memory of 2928	3584	Bnmcjg32.exe	91
PID 3584 wrote to memory of 2928	3584	Bnmcjg32.exe	91
PID 2928 wrote to memory of 2660	2928	Beglgani.exe	92
PID 2928 wrote to memory of 2660	2928	Beglgani.exe	92
PID 2928 wrote to memory of 2660	2928	Beglgani.exe	92
PID 2660 wrote to memory of 336	2660	Bfhhoi32.exe	93
PID 2660 wrote to memory of 336	2660	Bfhhoi32.exe	93
PID 2660 wrote to memory of 336	2660	Bfhhoi32.exe	93
PID 336 wrote to memory of 1452	336	Bnpppgdj.exe	94
PID 336 wrote to memory of 1452	336	Bnpppgdj.exe	94
PID 336 wrote to memory of 1452	336	Bnpppgdj.exe	94
PID 1452 wrote to memory of 3820	1452	Bfkedibe.exe	95
PID 1452 wrote to memory of 3820	1452	Bfkedibe.exe	95
PID 1452 wrote to memory of 3820	1452	Bfkedibe.exe	95
PID 3820 wrote to memory of 2144	3820	Bnbmefbg.exe	96
PID 3820 wrote to memory of 2144	3820	Bnbmefbg.exe	96
PID 3820 wrote to memory of 2144	3820	Bnbmefbg.exe	96
PID 2144 wrote to memory of 3412	2144	Belebq32.exe	97
PID 2144 wrote to memory of 3412	2144	Belebq32.exe	97
PID 2144 wrote to memory of 3412	2144	Belebq32.exe	97
PID 3412 wrote to memory of 3656	3412	Cjinkg32.exe	98
PID 3412 wrote to memory of 3656	3412	Cjinkg32.exe	98
PID 3412 wrote to memory of 3656	3412	Cjinkg32.exe	98
PID 3656 wrote to memory of 4024	3656	Cmgjgcgo.exe	99
PID 3656 wrote to memory of 4024	3656	Cmgjgcgo.exe	99
PID 3656 wrote to memory of 4024	3656	Cmgjgcgo.exe	99
PID 4024 wrote to memory of 5084	4024	Cdabcm32.exe	100
PID 4024 wrote to memory of 5084	4024	Cdabcm32.exe	100
PID 4024 wrote to memory of 5084	4024	Cdabcm32.exe	100
PID 5084 wrote to memory of 4076	5084	Chmndlge.exe	101
PID 5084 wrote to memory of 4076	5084	Chmndlge.exe	101
PID 5084 wrote to memory of 4076	5084	Chmndlge.exe	101
PID 4076 wrote to memory of 5004	4076	Cjkjpgfi.exe	102
PID 4076 wrote to memory of 5004	4076	Cjkjpgfi.exe	102
PID 4076 wrote to memory of 5004	4076	Cjkjpgfi.exe	102
PID 5004 wrote to memory of 2100	5004	Cnffqf32.exe	103

C:\Users\Admin\AppData\Local\Temp\b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
"C:\Users\Admin\AppData\Local\Temp\b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\SysWOW64\Aadifclh.exe
  C:\Windows\system32\Aadifclh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\Agoabn32.exe
    C:\Windows\system32\Agoabn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\SysWOW64\Bnhjohkb.exe
      C:\Windows\system32\Bnhjohkb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        67⤵
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 408
        73⤵
        Program crash
        
        PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3288 -ip 3288
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
96KB

MD5
4e5b32c506975ed0145968e0467b1913

SHA1
3729d61d3a402c6873ccd43e529f644258554373

SHA256
de094d50463ff5053cfa0e38da7058a348b7753e6e9334d5bed617c2e58a72fe

SHA512
3a577d934dfc9495d0bd58e7ee0ee5d47aaaff1dfe8eb7b441eb09f30bdffae729e2546433c4895cf3e98e4895d8430277fc1d0e0988e57b150f9a4b7020e9eb

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
96KB

MD5
b2cb5ef694f127f5040d4d63a0507200

SHA1
ea96ca96e0e5e5ff2e15b0fa7d3fe4bd59e32fb7

SHA256
7002addb6ceb640c21d79685d81b508bed849867a22e9e272540f90c53c708be

SHA512
0662fd1d2dbcaf3b31c9e5972be023f872429287e5e0ab4f373bfb42ea1cc8a5bc29658f6a5804482e7b0ec1ea19b807da001c2947cf5b05156e7182a9692b64

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
69b94e9840b3ca613bd3ec5aab8539b8

SHA1
170cc68816941bca1e43c8720b0988f3c034f6a5

SHA256
dc2d945ae90caac8bc15101cdb129f9e3a103bd662bb506791fa22c00c93bc13

SHA512
47479c97c526ede2c4b328ec81e0b6748417c437f2d63fdae6a66e6ce2acf7b0b531d338cb01a5416185574c222bd955916471217a7f064efc0249b4a92aa858

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
96KB

MD5
023bb18f5c36eae1c510f77949f9132c

SHA1
a07a3a5fdb7dc3af78e24cfcae940eada8f9c473

SHA256
70c2b53dac40b4006c54cac6ca4e9d48a4c4286830978ea6e8a9b494f50266ea

SHA512
d3d1ae7ddeec239d02957aa28f9c2bb8751590725dbb2d03ef75564c6d9ce122004942dab60c4acbcb39a0d9ee18d970ad5e22d282c391af6f4374d9738580d5

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
c32f5abc1a4056b8a0af13b9767becce

SHA1
526258a825ad8d8a95dde3a102887c8453f80c7f

SHA256
fbdd885e753592fac0a662a7d9688db3ea9d80fb47499af0f334c735457414d0

SHA512
03360c6a9914983a0890be12d3b169a75a8955ba25152d3c4ab7312ea40602e6a817954289bcc0dd425f871e507468cee161f65c4703dafe62e8a7cd762452ea

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
f22ecb4e2bfd1f10170a4635a02dc899

SHA1
b68707e74b521c4e7452c2eb7b9158ce0fd107f8

SHA256
f905d094ec817d9a92ff9f7094bf62e9db4abffde08796c91bd5a5983f5d8c05

SHA512
cb2437fd9c1dfccb65bb37669bc8f6f54b92834a6cc4d66edd5360cb41b84275c52a238ca41b4f6ed65b49cae0c1f8ad8d2ec71a14d1b8e50dc43b71c9e04b65

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
a04f5b76e6a0b15e6b1dbfffa01ec81d

SHA1
99ec43516c0cf59e75965ae5bf18192226ea1578

SHA256
68a172d9f97fd77dc6cf1152b2532c32ae34934e97e1a18d3403e0c7605f0a32

SHA512
b09f46f84917b90a350dbc59f8bee5c7c3a2ddc1cc4d3ddb111a7924b85abb884246e9b8890643a6b8f3d32bc49c447890c9b5618fc9ad49940273150022b5c2

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
96KB

MD5
825ae563750a55465210888f344eb0ff

SHA1
95a976e3372735779b3d828af36c596de6948b91

SHA256
6308fa7d34c1cc86aab33a4d15ea94ac27b79b89a85a4db757e692b46c39797f

SHA512
1783b291393775729e6f0ddcb934ea5106b781ce3c7f6c7ec07008db2eb519f9b62e6c9fd76cce29e1035df28a2f705a62c40a232162b72525dcba8eb9fb546c

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
96KB

MD5
6b9ce834eb67232e68925ca3d3b6767c

SHA1
b7ff4da596975eed9f870121d19f46ddf4967b8d

SHA256
fc7cb49491027446d653008a16a58029ba2232a697cdaa4a2925d0f040d30ad6

SHA512
9dc6bec6930dfa323a4e7f367f46075c61daa517856a4d145accca578cb3e527efba17133479b809d4be287e074b5d3a7c0f18e56f57ea058d82df512a154612

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
96KB

MD5
29a6e960ad7c9206645c1f04570b099b

SHA1
a6b8cfb3a9a8e654791aae591926a41992a49e03

SHA256
709fac8600816a4b4c946a7c1c07f9a793b2bbba9f7473d653ca68e3a758791d

SHA512
17bad5bd68debc285ea97545c73e3579e584a559466d513efecff784d3204ae15a40740a0870c3ff3874835bf9e85fface2fda1008a8805c88fdca1bfe75d06e

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
31223ed83704581c6b43a7d1b6c4d1cc

SHA1
b0d3d2eb21a1fdd44251e07b74f7e82b92589018

SHA256
6af49be7508393af7089375cdc76958e0493a822e169d135c12b4f26fbcb1fe9

SHA512
57d7a8f5b0ebc12eea79dcd79822032016b5af15b1e9c40abf2968defb92d87478c08583ced8e082ebdfc13073170a305cbab03c9305ef2dc3d30bf9af28ee34

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
96KB

MD5
495b1f1d8b92c2970a27646ee56e3b2b

SHA1
79fc5c33b38bdb140dcb805c71c21290ac4b505e

SHA256
427fed92c916a391c5df48f9bb90bad4bfd0a6501e3b7b8334dfc187bea20525

SHA512
bc6d83eb9125ab42d5b7f9fdd435da8302f32fc3aea2a321457fed7b2242e136b925bb39c4d780a4ffbcb90e98bc4071aafe600faed9f2aeb2b5f4f194ae711b

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
96KB

MD5
b15d4a8c785e6b3b066fe04b7982a9c9

SHA1
0a9d8f874f9a4e86c392c70252e9b1aea55fa4b4

SHA256
3b65929d5bc8317d427cb61574b43d2dba03d045e35f6c9ccf5997ee649f297c

SHA512
bf52a38e5ccd192be696df0e57d5ab542e674fda227ab1ffb99e9d326afebe4c6a0792c06d85d0a1cf534aef211cd3f7df4edd16d8897311177a44a0a634ffff

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
d46990a2e2e0003b21c3d814be51eca8

SHA1
3c9c37021fb92369050ee1802d5daf42bd699106

SHA256
82b2cbfd0e950b1ba2820db0d5ee6901ee2829bb06acbe470c06501637acd7b1

SHA512
99a618a3a7f449a206b8e8c23e18a9aa906aa193f43ceb0ed591ac5190b1fff3a90e80cf932fb06c413a3076987c3df2e9fd54abb1750ad8f8176228f32feb85

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
c96486373eb0756bd6b9bcca14953988

SHA1
b3007286d538844cb8cc68c941275c3df1729a5b

SHA256
86d2b1b15e97233ab7d980a0982b4229b5f77d7e3ce8941eff7b2a250dcf9143

SHA512
0789e11d61e255eb78e00ed3f946ac90d65e315e1fbe5581bbdcb54b408a8404a627b3818668259cf192bff2418252a5aa6f95b834b49ea95c10baf5a0c57d7f

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
601e0d29367770eb0d2f34003b120521

SHA1
7a43b3a75b2505d04d4740a25d629cfecd9408e4

SHA256
1522cf2f749557782c911aef405b132d789c34f28b6b994adc8b99815d5344af

SHA512
12e447031827b083c0316214195d7d0897eb34c7f394ea55388840f26b10f3c20f684b5b6e91842c576dc8eb8af6b715e3adf0b24ba6191e48c1209b2d9da846

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
96KB

MD5
26a744a389dcfd50f9648b389a63424f

SHA1
b8539f7fef0e83a1669104808d5f8fcdd171d3d1

SHA256
2ca271f2b445057923ff915e736baf44cd55b63b81c7e190dbb2f148839356ce

SHA512
ba22a8fa15a4330625ceb917f35beed12c13842cb1ff98a7a8f21af3668342ec74d92ed42ff356c4daebbfca0c4d3079ca9ab4f953ef0b59c277b5be37bcc5e9

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
3655bae91b51606f89a45bb62e1228da

SHA1
9e6956108cbae54bcbfb6057cab6dbb101bfa650

SHA256
7ce8defcf445609925328f0b8231c5185c1c65350fe5484774e0ab124a7adacf

SHA512
bf823355f404e1bf4f28a71ab995564b427fd2b43fb5ad7fe9d19b4f8041ffae4e8d63b09055fb8b58dd97549d2dec4d110feac7f273dc7cea69338824952410

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
5b75db252f6fa14689aecf202d1a87a8

SHA1
d641fa00e570f173968912b55f1494b94caaccf7

SHA256
c903414a02de3257f1ff8e92f28cbe75e938dc29174639d1d7906e371a98cbb6

SHA512
fed17ba448a68afc0e5f6a7137e128fb53c4809d933b0ced72d33b589eb8e84e3780cd518bc5228f430ed9f3b0ef07fa5e5826435043ede45761a4ab599ed9f4

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
b75fb433f7ba07fe009f494b0756f6a6

SHA1
714730f15d6d566c67a14c083d3f5626f59f4e6f

SHA256
1c264dc591dca5fd6d54eb16a33f8cd3fe97d28c62243ab7dc7a9d27cb474fd9

SHA512
de526a2932ce5279d26c9a4b4a68c10918629f146e8f2d76cdec0c1d2fe6241a1b6580e2bb96554870db936c6c82fa283d1c14997cd0a2ea8bb71d71b2922e66

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
bf282f64b1dfe7b0763ad706b42c7cc2

SHA1
adabe2e1aaa3d2fdb7b3dd95ea0a43a5595236e0

SHA256
13017bb85952e7e8d25c0c052249c9fca444b8d3266962394017b6f8812462b3

SHA512
9b6590937d58fea12b91bcdaf62b1e23bd5d7548229b87b72d7f9bdebf9bb6ef76bc3b8d74beea52ae3e72878bda54587c2116abc0e29348975b33a823350cac

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
536500eb0e93145a29bab2ba1b6200f2

SHA1
d8217db2278a0fb14c1a535b823e86eff197d9f0

SHA256
b10e225d82cfdd64dc0c1822595c768b6dd2911aac1b9c582d8f96e7c2788ba8

SHA512
c62be643a847742cf5887010c1c268e362b872011463c4035b23ff84df8f9f5b053ffc00caf1a8763924946c4058ee8ab36c06f089bc7bc240220c31147ea6fe

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
5f5702fbf303a97d523851aa5e0add01

SHA1
cc70298b9e743759982d39b9328d4ca9a0e03988

SHA256
eab17c65481493f0572b2ea08a98d80b498d5106139237dee7148ca1c16f4625

SHA512
9d6a9c371de863d38d54cc44988a952a52ca484d09f32694d0b7929e22d3029d42ab3487aad0a6decf34b0108d9318fa93763e3ee15d5797b64eecb89f32bfc7

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
570984acde12fa90cec1c9f64f7b0a13

SHA1
5369f9009e4db7dda2af159c6f62aa49adebf62f

SHA256
11527ebf821332e5a3fcb3b6c1b84a7ea909bff2b829e8b1b511a6cb366c4659

SHA512
2c48511abff90a5882d5c3d2ecd833379251960c103708b447184e26d57f555ea5ecd171fd0918b79fe16984097395ad41b88365bc8b9e6bb078ee6506d82d1e

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
96KB

MD5
48c662783ae1c429a047c8f9aec8383a

SHA1
171058efb8e42a16cb76cc7cfa9d13c51cc42600

SHA256
9e9bb25ba3c7b372af1eb3fefcc7fc261a5964374603dedef25851332b3bc5b4

SHA512
ac6f96934a26c96e5539c2b6ebde44166fa481a09bddfb65308ef532bb4f5e80fd7d05522ee7ea40614e7448b92bf44e0a61d5de7ced586b9ed2d13624909369

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
96KB

MD5
412e1b40d912a62925b1fe88beea30e5

SHA1
54471f886383c252b9e8837c0b3371ba2ef0f1ef

SHA256
84c572aa2587da8a406682ed3e6d55ceff12f3e43ff06fc9563a5dd8b1b81e12

SHA512
c9c5ef3085784cb3980a1f3fc2a7c52370970c3b755208c46c4eefac492274156725c0fe1af87b0812e823f03ec3a3b82674538f25fb409ab0eeb82d7ce3dda6

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
96KB

MD5
3ba9439834136878fdbc0eda04ad5f58

SHA1
ebce73949f5935066d070992b0ead1d9a11caa72

SHA256
ee4239e0a9bbe3dc01aa63bed8e9f7a1bb11d752790174f144a97da7a6cda96f

SHA512
d175a44bd7493241e30e26293aeb5c5110cfa244a358bf9c70bb65085435329862f913c0d7193c7e980acb92e5fa1b406978235276dcc852ee95e08294b64f3b

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
96KB

MD5
f0d45b76319b8effbbe756e41cda442f

SHA1
d18bdc2dc8161a9cd5849ff970e218716b656462

SHA256
b119f36d8de3c1d50f38756b1e882d392256c42cc4e2ce827f219a24c31eeba3

SHA512
da2cf3fb39e90b80c9d4da835f8d86275b760a32ca6aa9a9dac7079fca7f902122fba3434889c78e6ee266c2165116a081b178ce1c10f2910dc24c627d6c154b

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
85bc0742c07018366ec9fc895a50e4e9

SHA1
f6107b74de58e7ee5bfc0eb25595b860f4cca51a

SHA256
f80ded37fb60fd407220929d73ae2f6b487ed63b59041368a0a87b22045537b8

SHA512
8fa56d86ce8a7dec424fe6009f5bf1ea80183d94c71f5dc6e8a2da708a8ac3624df9609b68a75a25ff2dd4cfb055f396db109c44948af86c5e5117ed769e7508

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
2a7cdc9efcfeb38a71cd334544105c48

SHA1
ed81f8ef62850166baa44a7f66b8afca22e06b81

SHA256
d4c4654b7ecbf9b5042f1b29f84b032adbcf36c79e1eb77aab7c70b5962a9e2e

SHA512
376e44f94a5f4e8289d858ee1808e374559f8bde1d81e69b246ba130c7daa3fc9f725919f9796f69148ab7436d5df2af2dae7c00950809b2a07c15d3fdbd28df

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
62e4d13ce113d6c40930f932552f3023

SHA1
fb37f3acb5755318fd9ce5f586ef87892ea24946

SHA256
862199987ada36fc8b99d9c58f9baa24903372b2b72636f3c86d6364621e837f

SHA512
bff85bd9ea67a08165cd22269ba858bbb19b818465768fb1bf0d2107d1e6a6cecdd91eb4c6986326824f65325f3e2d7a5f25ab63647b7148a0e58a8144e84b9f

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
96KB

MD5
2e62b402e964136d6cc8674542efe3c5

SHA1
199d5b9c7b93f21c84561852227d261ea6014e2b

SHA256
f47fd31af83bcb5a389b23d40c2e21393c6f32be4938e234e24a523f125e3665

SHA512
552a0e4d598ec049eb71c730c0a073a5727dc8c1871b7f94078291e4e9c911507314b1cb803ba84c9075e9a318e6629a334bfe7f9ff7a7f7a0e22f77079e1bd3

Download Submit
C:\Windows\SysWOW64\Qopkop32.dll

Filesize
7KB

MD5
3f34330c98654c40dcd2d975cbff0ba0

SHA1
b389cfb98ccd0c69979f07d84c82c2a1c9735e73

SHA256
8e8526a4f59101d5dedb5ac0c3539144c4ffcdc3bf979810c7d9e829f5d9e06f

SHA512
abdbfbed492d29574869f8662cdea33cd40342537235a9610ec90baeb45bcb1884c5c61bbc8662a3456311541e8d8ed95a5ecbe4b708272ba67381ed7a8ae477

Download Submit
memory/216-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/316-392-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/336-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/336-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/508-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/764-482-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1012-499-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1040-487-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1452-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1452-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1604-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1640-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2004-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2096-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-194-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2164-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2164-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2168-428-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-246-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2332-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2364-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2364-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2412-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2648-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2648-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2684-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2896-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2896-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2912-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3056-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3076-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3288-507-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3304-229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3368-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3388-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3408-221-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3412-140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3492-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3532-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-434-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3656-149-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3656-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3676-464-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3808-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3820-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3820-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3904-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3980-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4152-451-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4172-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4176-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4276-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4308-237-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4336-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4456-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4572-476-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4720-493-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4836-446-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4868-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4976-469-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5004-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-506-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5060-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5060-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5068-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5080-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads