berbew | 80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3db

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3dbN.exe
Size

324KB
MD5

1fa44e4c239f4434a5a7b8b291c82230
SHA1

ad91ce60d8ff02a91af96322471b6f3707e14baa
SHA256

80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3db
SHA512

9e0ae763c8bec538a0c0972774433a4f346cf9f26750b0bbd3f047c75afef1652f153bcc9a27a61ee84bf3054be63be142027250b656e915e4c53a72f5e8d9ef
SSDEEP

6144:fuMI8ibucLLeYzd5IF6rfBBcVPINRFYpfZvT6zAWq6JMf3us8ws:TIfdLrp5IFy5BcVPINRFYpfZvTmAWqeZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3dbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2848	Bmpcfdmg.exe
1044	Bfhhoi32.exe
3460	Bnpppgdj.exe
3184	Bmbplc32.exe
4456	Beihma32.exe
3660	Bclhhnca.exe
1752	Bfkedibe.exe
1540	Bjfaeh32.exe
2560	Bmemac32.exe
2840	Bapiabak.exe
4244	Belebq32.exe
2744	Bcoenmao.exe
404	Chjaol32.exe
2920	Cfmajipb.exe
1384	Cjinkg32.exe
1888	Cmgjgcgo.exe
4452	Cabfga32.exe
64	Cenahpha.exe
2568	Cdabcm32.exe
4692	Chmndlge.exe
216	Cfpnph32.exe
4820	Cnffqf32.exe
4860	Cmiflbel.exe
2612	Caebma32.exe
372	Ceqnmpfo.exe
1088	Cdcoim32.exe
2460	Chokikeb.exe
932	Cfbkeh32.exe
116	Cjmgfgdf.exe
3160	Cmlcbbcj.exe
1460	Cagobalc.exe
1576	Ceckcp32.exe
2368	Cdfkolkf.exe
2756	Cfdhkhjj.exe
3864	Cjpckf32.exe
1940	Cnkplejl.exe
1248	Cajlhqjp.exe
1908	Chcddk32.exe
2224	Cffdpghg.exe
3480	Cnnlaehj.exe
4340	Cmqmma32.exe
3092	Calhnpgn.exe
1848	Ddjejl32.exe
4924	Dhfajjoj.exe
4968	Djdmffnn.exe
2628	Dopigd32.exe
3848	Danecp32.exe
4424	Ddmaok32.exe
3628	Dhhnpjmh.exe
4192	Djgjlelk.exe
4272	Dobfld32.exe
2176	Daqbip32.exe
2692	Delnin32.exe
5004	Dhkjej32.exe
1660	Dkifae32.exe
3976	Dodbbdbb.exe
4944	Daconoae.exe
3608	Ddakjkqi.exe
2152	Dhmgki32.exe
4348	Dkkcge32.exe
5148	Dogogcpo.exe
5188	Daekdooc.exe
5228	Dddhpjof.exe
5268	Dhocqigp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe

Program crash 1 IoCs

pid	pid_target	Process
5436	5348	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3dbN.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3dbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3dbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2848	1808	80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3dbN.exe	83
PID 1808 wrote to memory of 2848	1808	80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3dbN.exe	83
PID 1808 wrote to memory of 2848	1808	80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3dbN.exe	83
PID 2848 wrote to memory of 1044	2848	Bmpcfdmg.exe	84
PID 2848 wrote to memory of 1044	2848	Bmpcfdmg.exe	84
PID 2848 wrote to memory of 1044	2848	Bmpcfdmg.exe	84
PID 1044 wrote to memory of 3460	1044	Bfhhoi32.exe	85
PID 1044 wrote to memory of 3460	1044	Bfhhoi32.exe	85
PID 1044 wrote to memory of 3460	1044	Bfhhoi32.exe	85
PID 3460 wrote to memory of 3184	3460	Bnpppgdj.exe	86
PID 3460 wrote to memory of 3184	3460	Bnpppgdj.exe	86
PID 3460 wrote to memory of 3184	3460	Bnpppgdj.exe	86
PID 3184 wrote to memory of 4456	3184	Bmbplc32.exe	87
PID 3184 wrote to memory of 4456	3184	Bmbplc32.exe	87
PID 3184 wrote to memory of 4456	3184	Bmbplc32.exe	87
PID 4456 wrote to memory of 3660	4456	Beihma32.exe	88
PID 4456 wrote to memory of 3660	4456	Beihma32.exe	88
PID 4456 wrote to memory of 3660	4456	Beihma32.exe	88
PID 3660 wrote to memory of 1752	3660	Bclhhnca.exe	89
PID 3660 wrote to memory of 1752	3660	Bclhhnca.exe	89
PID 3660 wrote to memory of 1752	3660	Bclhhnca.exe	89
PID 1752 wrote to memory of 1540	1752	Bfkedibe.exe	90
PID 1752 wrote to memory of 1540	1752	Bfkedibe.exe	90
PID 1752 wrote to memory of 1540	1752	Bfkedibe.exe	90
PID 1540 wrote to memory of 2560	1540	Bjfaeh32.exe	91
PID 1540 wrote to memory of 2560	1540	Bjfaeh32.exe	91
PID 1540 wrote to memory of 2560	1540	Bjfaeh32.exe	91
PID 2560 wrote to memory of 2840	2560	Bmemac32.exe	92
PID 2560 wrote to memory of 2840	2560	Bmemac32.exe	92
PID 2560 wrote to memory of 2840	2560	Bmemac32.exe	92
PID 2840 wrote to memory of 4244	2840	Bapiabak.exe	93
PID 2840 wrote to memory of 4244	2840	Bapiabak.exe	93
PID 2840 wrote to memory of 4244	2840	Bapiabak.exe	93
PID 4244 wrote to memory of 2744	4244	Belebq32.exe	94
PID 4244 wrote to memory of 2744	4244	Belebq32.exe	94
PID 4244 wrote to memory of 2744	4244	Belebq32.exe	94
PID 2744 wrote to memory of 404	2744	Bcoenmao.exe	95
PID 2744 wrote to memory of 404	2744	Bcoenmao.exe	95
PID 2744 wrote to memory of 404	2744	Bcoenmao.exe	95
PID 404 wrote to memory of 2920	404	Chjaol32.exe	96
PID 404 wrote to memory of 2920	404	Chjaol32.exe	96
PID 404 wrote to memory of 2920	404	Chjaol32.exe	96
PID 2920 wrote to memory of 1384	2920	Cfmajipb.exe	97
PID 2920 wrote to memory of 1384	2920	Cfmajipb.exe	97
PID 2920 wrote to memory of 1384	2920	Cfmajipb.exe	97
PID 1384 wrote to memory of 1888	1384	Cjinkg32.exe	98
PID 1384 wrote to memory of 1888	1384	Cjinkg32.exe	98
PID 1384 wrote to memory of 1888	1384	Cjinkg32.exe	98
PID 1888 wrote to memory of 4452	1888	Cmgjgcgo.exe	99
PID 1888 wrote to memory of 4452	1888	Cmgjgcgo.exe	99
PID 1888 wrote to memory of 4452	1888	Cmgjgcgo.exe	99
PID 4452 wrote to memory of 64	4452	Cabfga32.exe	100
PID 4452 wrote to memory of 64	4452	Cabfga32.exe	100
PID 4452 wrote to memory of 64	4452	Cabfga32.exe	100
PID 64 wrote to memory of 2568	64	Cenahpha.exe	101
PID 64 wrote to memory of 2568	64	Cenahpha.exe	101
PID 64 wrote to memory of 2568	64	Cenahpha.exe	101
PID 2568 wrote to memory of 4692	2568	Cdabcm32.exe	102
PID 2568 wrote to memory of 4692	2568	Cdabcm32.exe	102
PID 2568 wrote to memory of 4692	2568	Cdabcm32.exe	102
PID 4692 wrote to memory of 216	4692	Chmndlge.exe	103
PID 4692 wrote to memory of 216	4692	Chmndlge.exe	103
PID 4692 wrote to memory of 216	4692	Chmndlge.exe	103
PID 216 wrote to memory of 4820	216	Cfpnph32.exe	104

C:\Users\Admin\AppData\Local\Temp\80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3dbN.exe
"C:\Users\Admin\AppData\Local\Temp\80f9b41cfdeffc5d3aa10d7e1528572a7cfe65b78f0162de9673bda41172b3dbN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\Bmpcfdmg.exe
  C:\Windows\system32\Bmpcfdmg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\Bfhhoi32.exe
    C:\Windows\system32\Bfhhoi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\SysWOW64\Bnpppgdj.exe
      C:\Windows\system32\Bnpppgdj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3184
      - C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 408
        68⤵
        Program crash
        
        PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5348 -ip 5348
1⤵
PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
324KB

MD5
f1c4bb6d5db4b4270244a987308f76a4

SHA1
f99e7876098e5625cc34009d00aa8bf39c8748ac

SHA256
8725c13908658f5612506ce2931fbff263c354d85a5e0e9e6225713cde859c37

SHA512
fe1229459b08e32aa154915a024d77e77344706cd09bf727cc4e27f14c89ef595c1534c4f9da0ee4172f7c8dc1898be54b700bcd71d7af5f0340636b13745688

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
324KB

MD5
992d223bfa0132b9ba25fc1c82f45d2f

SHA1
8d6e912d35a580dec67d1324adad5dd2b82fa125

SHA256
5bb07a663e4558ef87ed98dd7b32906d8126fbc64c1b75684f53a6d14dae2f9f

SHA512
b1fbcaf6c6bdfd2d48388ec3c1813e6d20160a8b4404be50b1f2df62baabd89ad46d3cad99d400795d16c2315425202f59f913c906f52d1c89f9e8f8634d137f

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
324KB

MD5
5059dc737317df5cdd7c2e8a2d2c1de2

SHA1
aebd0121149321983498b096cdde82a104394f3a

SHA256
cb42be715e0cb7274009cc86ccc1746e586fb7adfb3ba3575d81f9b57bd7d9a8

SHA512
484fae313316e3f872dc107a82cc48de8d9415e3e969b6b91fcdb28eb9d59440a882719605d42e5dee67003e9e8a4eb73877838d76a5abbb4a01bc46f673a8c3

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
324KB

MD5
3c020ff7274bad5c62005cf2ea3c5d15

SHA1
c3f29dcdff46f0e626254bd4990172c5d326d891

SHA256
c846916e9eb9c97cda2494fe2bdcd0a2cb30122e5c0c6a99663560c1b50ab63d

SHA512
f41c234fbce38ed7a1ba78e3b6969947cef3243d52b53ae8f29b25cd25228eea7bc73b493bb0516a4644e4a6295e248b7c745ee6c9dadcde39700b71dc710fc1

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
324KB

MD5
fe0e1c0536fced40aa026fe9101e372f

SHA1
ee5feaff92eb237a6c7f16ce8d52b7ca45711f3f

SHA256
9781a1a0ea8d1be05c05e750a5e6c7b1318dc051103e2a1f969c6b75e4f4bf43

SHA512
59bcdbee7b87aaa3210974eccc2748de54c87fb77dbc84e20c0379b7eab6f8cf15d12a302cf54df1cd41c7138d56227126dbb44e4ab2c6c9bf0570e53b7af440

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
324KB

MD5
86fdb445c4230382cdb27a457aa38e7f

SHA1
627721a9a0fbff09e5f24a2ff254dd4e1d3a7b35

SHA256
218094323e9ae4dc1ddde741a1951cd3a2f81736eb0f699a1757dea44137530f

SHA512
e68fcc5f99f5d8a5a96ed346c93bbaab38140b2ab90ecc6b0dd067b7ca77a9ead4136ece776b28898bbdc6ac2a41245bf0276fb146db61d5dfd2d7a72b78b665

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
324KB

MD5
1122602d1a25dd79169c44e131d95eab

SHA1
d78e9d3ac3f0136a9033691efb0e3d685d153ae4

SHA256
f32e215b2b7dc9067f48387f5e9ce2507bfbb2d18216a26c67f7dc7d55066d29

SHA512
d9c4248a2004cae6fe6696e8d9dd6eafd9fba5e0ece31a3a060cb72bd5d872a922ceab30539a521f4ab88c9ab75168d402d4e50448d8c0318bfee84fb1566827

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
324KB

MD5
e8f5131402bbf69e379dad0ffb96fbdc

SHA1
31f5ff7d3f81b5ad223cd5af4a71edd5546b9553

SHA256
60e8ba69c1508ecdba8ed0c1d54f8954214528334c762f2471539e81974d437f

SHA512
c7c90438c9d13ca7dec1ee29d10d76da2b1a277e95fbf377742c132f162813c597804d50fcaeeea686ac572d278cab89fc15ff504f33e9e7d4f14e20ff332082

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
324KB

MD5
f6f07769fcfb887aeeeaa6f1259b51ee

SHA1
87e127016afdf1ffec6c59c71698695ee13339a4

SHA256
b2aaddc0e489eac31212f86deda4c1855466db52efecd1c195c6c1439df7f9bb

SHA512
f193260ff2e2a7e15867d3ff252d9b423b254862f1b1f652eb848db69c2255ddb7931631b53c0c07e655ac741611280bf149db2c1cb0103d5a3864aaebcb70cc

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
324KB

MD5
6200cf0f80eba37ed9f5fef0dfaf061d

SHA1
032e366b85aaf662b4f25bd006a14506be6d538c

SHA256
88dd3bbd4a5436700c745e4568ecdaf3d04f10a895895882c1a96ec6c14a4dc7

SHA512
5d25549209c42eab6139131adaf21c602f4381b065e5c5df2267783f958481e63422a920aa34cea64f6b740b26416be7a448d7eeb087c9a7b045b99409d40640

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
324KB

MD5
cbae55a349e290650a0d28f8b706e3b9

SHA1
28168b6b8486b006728e9b8aadff5a6707e4a293

SHA256
85d95b6bedd4580ebd588882da37aa0621fd29e4785ca87558c17a1bab939d21

SHA512
259a070d3734de8d18e55582c0a3713a28c4851223d1fe2db11a0423f852f4275d974eb7e3d5fed78fca20b31116b947c55bc57ca926570248cdd57ba3984670

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
324KB

MD5
9a3da4d988d609b7df61f4770f139179

SHA1
0acee85d2978a09129dbaccb640414adf12a53ec

SHA256
517e07d580224cc4736f298971094de6108beb33da0b7bb48e01066ea93fa638

SHA512
fc57f22845ba85200cb989837436cfe2b5b04779aa2d7fd8bfb5d7f419be1f9c63eb1cce8bdedbe0a970da8a275a9ef5fc4be34f1b731a0d7f518556a325dbce

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
324KB

MD5
a61adc3cc714420a4b194f1cdbe48f8f

SHA1
cc37f2a67be2570720febe8a03c7e07f0f875969

SHA256
1d919ee3ff021f4430c0d13de58c49a484678dbbd2df1871177522492adac5fd

SHA512
0858891114085b67532efb29199e578055bdfb42c205e068ad9b01d491bf776911e135b0cf5974da5eaafdd0936ef7e68bbe832fef11f510429e5d5239e6e603

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
324KB

MD5
3d22bc1be62dd3510b91b95d0c7280ae

SHA1
0647da154252207ebde273cdb395f48a78c8c420

SHA256
59797c53b1670d073e970bf8e88df9b471ff30a15fb32397c07ac20898c2ffdc

SHA512
eda3ad0f040a028aa60d47f5d800e32569c9f7af41cd92e6a94d46bd1a590fe445818d7129d669473ffbdb54ab9879183a9d97bea59c4d129c5acb8c75daef84

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
324KB

MD5
75b59337b95552b815ce8b43ab4a7574

SHA1
2ea09744827f87bf735c9c01e0008d3a0474fedd

SHA256
740024f04cc9d5b88ce03f9effa13818208e376b36c870d9ac3f110851bf73be

SHA512
875a9a514f83394e14db9fe0f779330e3bcd5dd6c9fb0c5b7296533181e2847240023a27a2ac244ea8eb0795958d7c2799e6d92e1b45429b8e8e3e321e00951a

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
324KB

MD5
0310533c2fbcbfda4c9062f9cea5b9a1

SHA1
b6d136b2315a7fbbd0190b9c82c6ed32bf4f5416

SHA256
d29c1d7e782ebc93e8a1a5e51dbcd05c002baeb2469afe15fa7312ee8a0b1e6c

SHA512
9d8316bece08a9a539309939b8ea79910cdf1aec0e1f609af04f0e81af576987d222aa69719394fa2bc341c2c28b73cf88a0ba8bfd8aa1bb0c676719c4632230

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
324KB

MD5
7cd907b0f95bb5287774d85f8d1d36ab

SHA1
286718b888ab74c37be2550040c46470ddebe1e3

SHA256
45bc30c22325af111fd2ad5bff7bf443cd9e6acd30358243e1ee2fc60d0c440e

SHA512
06da6afdbf4446e5dcdd14715f1c8b141c5c521f02e42f4f4ad8040c39d60635216a2003b7e1651dd96a2618012de97e186ef1ad2da502abbed5e20464581f61

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
324KB

MD5
3c16705ef95a3cb8368cf5c1cdfe2d37

SHA1
fe01475d3e88c6be75f0580c2c195bab59efc329

SHA256
4b82b5a7b61b24d59f3ec32caf3ea3361cc30abcfc26198548ada9b97e289a0c

SHA512
ad99eaf5a5a899af0c4ef0db23305d1cfe688ba0a2be3c03a9a7b1ced14420cc3d7fd0d85b4135526df77f14189b7f36e665614a133be3c0b238170be9612c3a

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
324KB

MD5
ca95195dedf28bde362b2cb70af30bf6

SHA1
53198325c3cd54d6e40c518dac43fc2a9727d0f9

SHA256
42cf936b0a64d1645cebbaea2133d79a2d662cf1905f173f39f159e2b83eadd1

SHA512
2b7b3be3e93163282a9dba029ab176b7e2a8b63f3d409fa50617909583f8c6306ed4a47a32cef2c898b107b4ec1bd3251d3200d743e7b9e627966d8d60e26042

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
324KB

MD5
c2c385eb1600a7a47c95d6584533c102

SHA1
524093fb97affb0ca4fd17a0463f2e95796b5c46

SHA256
fee80a40cd1ac981a04e1a6cb9ba575a451c783a642809464c3183fe930d6c04

SHA512
733184d1307c9e55ec6600c52e961b754b6cfcc4d28a36448fefc755906159d25392a793a36bd709d08c86aa3bcf006ea1b069d5dbf23afcb6e7da6a5e345b7a

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
324KB

MD5
c5b1dbafd58c20071d0eb6dc617d4572

SHA1
5a0bed1da924b6f0d9c70c945207c6acde96b729

SHA256
7832d754ef0f5d0a926cf6e24c857f92083782d549131a18db5299877fcd87d5

SHA512
1c216787b0d47c8c8643bb54bc15fa826c3a66f0493d53b08393531829b2893e8f29b5f5099c3c25236be2190e61087222674ddcd486a3d537a27aeb494b161d

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
324KB

MD5
4fdc8bfc85fa987f2b99ab8af7067cbd

SHA1
c222ca215fa3a34ad20622bbe4893afa8e256faa

SHA256
a7ce592f251256447fd4feb1d56817c0ff864720d316ea43ca84703dd51ed519

SHA512
6164c98f668c46415564310a4a5eb6ccd93e1058183292018889cc12a1e15f61c9c96fe3b3d86182db69cd9a4ae8d3d0e1c08ba9ca8205bbdc146aa404db7139

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
324KB

MD5
9fc6eba6663dce117da02e74a2a5dbd1

SHA1
2bbb3694801dd90eab7d5d73af371339eee61a60

SHA256
8e086f84d07d985e9331b55eb22ea9ebfa28bafef335d539b894cfacaaefe26d

SHA512
c8db10dd8dd8a17127abe115ebce41f27ec750c19de1fce04a1798f2501d52b24dc7e043f6f58d51873b8b380c26b04eb62080909e0020cd391e9410d72a6d63

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
324KB

MD5
e51fc5bc83a21871d1d8fa98e501e4b8

SHA1
483b973d27bb52506d81c559734daf2591eb1285

SHA256
93f468b970497b6a62b254adab934e90b589992689fa4086a82661b4143693c2

SHA512
1fa9438af48ae07372848b319898cce2ca42192fca162bb87bfe7ddebfa29db6040c1511f0053d03e398753ccc53801c242b519412b698064320fa6740a6d262

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
324KB

MD5
ea9f0f615b3a097116e015976d62167a

SHA1
bd1ffc9ad18d0874207f533dfe2daae699e1587b

SHA256
44d69f66d5d888d0bc0a53362243b7e4dbe5e2b4979655a7fcbb13fdaecef7b1

SHA512
afd2fcaed9aca86bf3e53ab86fce21567c3e5e5d8be86b49f14c2be790cab3e10ad4cf8b243d6d4aab89ff4e668349087c7ab512d47e7b33fc7babfe82f3ba95

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
324KB

MD5
b5a9bed5ec71d3fe1e11ec089cbd887c

SHA1
0fb9bf56772ca735dff6be4e0f5123bb1b430ea9

SHA256
af67c75d5098495556831c288bc601abf70571a26f81ac0565f9d16f1f69bb28

SHA512
0ec2eeb81eebbbfed9092acbba023eb840555de52d1a76050bf140dd9e5f7d91d8c080fa762d5d45044f6989cf7fbaa17ee6d7502778732b73845f41aacfb514

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
324KB

MD5
e9900051938801445139134d600acc77

SHA1
ef18378737c981bb62491ef4f37c6eb332480051

SHA256
fb9c87baf1d8a2516065a55ec8f1bc09e0c47adefa1ed33c09f412ee6387f680

SHA512
669b505077711628742afc33e274ec64e3a7d15153f7ae50b8dfcea9f0753052d6c4d17185621c28e0bdb50ee02138e31bc3282081c8603b41a7b1f3e493aa27

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
324KB

MD5
0d65d922f4ad82175bf4d1baec894673

SHA1
48f30fa4ec9407b7a9c6be8343b798c70d6b8bca

SHA256
8bf73c97b1320d70920e85663d8ce0760ec566e01699fd9bb0144a9735906be8

SHA512
467dd44fae6fa55a0637851b9e14ab32f177553eee9cf5d60ffd1bb8b3f5f40cab5ec0a356cf6ce50c8eab2dd9ce549433785da28b9f711c9fd77fcea1f29a67

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
324KB

MD5
eb1a0fb78a6f527b55cb76aa10a5674b

SHA1
9286e504e695b3237b369c11fe84e94d7aa5a64d

SHA256
36f66b5d237a17c243fbc482e028e374a959a4d3ee73f2dc98763b82e70b78d6

SHA512
3eb2fa087d5ae37f27d9eb39fa0a4e43a5713fb49ad476dbf42856bd9d41e0773c9290e94123b0fe6d190a06f2c71b33393d63971a17ea314c2be9bde374354b

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
324KB

MD5
f546d0c43fafb01033626cc8ea1542a6

SHA1
bbe52304418292b17de7b7ce11baf28026353cc2

SHA256
848567f5fb30d0e42fca487c0949602216cc5fe60311e7897c16b51e5c1e4aec

SHA512
4f4f5d6febf46d77ecd9bd85777aa3a328d5e3e224ae4c95a965556f0292d03fbaefc25d1da266f2bf062e9bc869fb9b946970b5762dd47a61a2681c61125999

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
324KB

MD5
e4293b70b497c28a85dbd7c110efcb7f

SHA1
b4e35b4ead8904e32da1fd553cf45ce6df567f63

SHA256
6905805d510703cad7331ab09e8dc015f4775124753c892d747b4a63a47e56a0

SHA512
7b1a07a9ea209c42ff42cc3487e2dee35667a7f8612888f88d974dcc93038924b78ce5cb197fde453be1508d9754b8453f3328aec826a75d357cc9e52001b370

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
324KB

MD5
05158bc62c43a052fab029fd162befd2

SHA1
79f588baacb8f30a0b566ad3af6fd2fa4d1ea490

SHA256
9d796502b985d6bfeb94ae1a188d681d2e0a5bbd76bbd69ed7c459284135d9fc

SHA512
ae2c2353c5d17c7c2f4674c780293896f6e4ce246b026b32692fb51f8d47a1953cabe8cb6e9d9bd8d0569eb0291d6c1319838e30cd5b064bc9ec5355a0001ae7

Download Submit
C:\Windows\SysWOW64\Gblnkg32.dll

Filesize
7KB

MD5
4171027b04481a246b7b65c70dd37fa7

SHA1
b6eebacb807cda58f66266488781a1b3d87ccc17

SHA256
42f202b637ac6b73108649a1b10c5cc7fa107b6b09d181b19d7a43b61905c414

SHA512
5b5f5f11b6d2ac3325afc36632c9c7a6da0226185b834ea76fb75cc322b0fa4777e6f9b2badb84e41a4e760c652ad564275046775f02a5c29dcb695967540c57

Download Submit
memory/64-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5148-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5188-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5228-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5268-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5308-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5348-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads