berbew | 3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Size

96KB
MD5

f49246913336342c7600e974f7a7527d
SHA1

79ae9062f628b9f36edeb2e18a48b37871d23e0e
SHA256

3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00
SHA512

f7217cd291a5af721c96f885870f759af07e41403d7aade2e85df14078d289e542ad50769d6743f3645c32a0a6c82f9146ab7f05036de94ea9e08bdcb2e1b54c
SSDEEP

1536:s0dOQK8drd+lMtdhfGFE6DOM1/So853EatOy/BOmg1CMy0QiLiizHNQNdq:S6rdbhfwDfQo85vt95Omg1CMyELiAHOi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 59 IoCs

pid	Process
2196	Bjddphlq.exe
1000	Bmbplc32.exe
3096	Bclhhnca.exe
592	Bhhdil32.exe
4372	Bnbmefbg.exe
1656	Belebq32.exe
2560	Cfmajipb.exe
1760	Cmgjgcgo.exe
2172	Cdabcm32.exe
3232	Chmndlge.exe
2676	Cmiflbel.exe
5000	Chokikeb.exe
1536	Cagobalc.exe
4424	Ceckcp32.exe
2204	Cjpckf32.exe
5052	Cmnpgb32.exe
2868	Cajlhqjp.exe
4636	Ceehho32.exe
3028	Cdhhdlid.exe
1416	Chcddk32.exe
4092	Cjbpaf32.exe
2572	Cmqmma32.exe
4188	Calhnpgn.exe
1844	Cegdnopg.exe
4740	Ddjejl32.exe
3504	Dhfajjoj.exe
4760	Dfiafg32.exe
3156	Djdmffnn.exe
4012	Dopigd32.exe
1620	Dmcibama.exe
4704	Danecp32.exe
3252	Dejacond.exe
316	Ddmaok32.exe
4880	Dhhnpjmh.exe
5064	Dfknkg32.exe
1124	Djgjlelk.exe
852	Dobfld32.exe
3008	Dmefhako.exe
2352	Daqbip32.exe
3980	Delnin32.exe
4500	Ddonekbl.exe
2988	Dfnjafap.exe
2888	Dkifae32.exe
5012	Dodbbdbb.exe
464	Dmgbnq32.exe
4156	Daconoae.exe
2348	Deokon32.exe
3740	Dhmgki32.exe
2688	Dfpgffpm.exe
2380	Dkkcge32.exe
4856	Dogogcpo.exe
2832	Dmjocp32.exe
2008	Daekdooc.exe
1056	Deagdn32.exe
2084	Dddhpjof.exe
4456	Dhocqigp.exe
772	Dgbdlf32.exe
4848	Doilmc32.exe
4212	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe

Program crash 1 IoCs

pid	pid_target	Process
1432	4212	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2196	2856	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe	83
PID 2856 wrote to memory of 2196	2856	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe	83
PID 2856 wrote to memory of 2196	2856	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe	83
PID 2196 wrote to memory of 1000	2196	Bjddphlq.exe	84
PID 2196 wrote to memory of 1000	2196	Bjddphlq.exe	84
PID 2196 wrote to memory of 1000	2196	Bjddphlq.exe	84
PID 1000 wrote to memory of 3096	1000	Bmbplc32.exe	85
PID 1000 wrote to memory of 3096	1000	Bmbplc32.exe	85
PID 1000 wrote to memory of 3096	1000	Bmbplc32.exe	85
PID 3096 wrote to memory of 592	3096	Bclhhnca.exe	86
PID 3096 wrote to memory of 592	3096	Bclhhnca.exe	86
PID 3096 wrote to memory of 592	3096	Bclhhnca.exe	86
PID 592 wrote to memory of 4372	592	Bhhdil32.exe	87
PID 592 wrote to memory of 4372	592	Bhhdil32.exe	87
PID 592 wrote to memory of 4372	592	Bhhdil32.exe	87
PID 4372 wrote to memory of 1656	4372	Bnbmefbg.exe	88
PID 4372 wrote to memory of 1656	4372	Bnbmefbg.exe	88
PID 4372 wrote to memory of 1656	4372	Bnbmefbg.exe	88
PID 1656 wrote to memory of 2560	1656	Belebq32.exe	89
PID 1656 wrote to memory of 2560	1656	Belebq32.exe	89
PID 1656 wrote to memory of 2560	1656	Belebq32.exe	89
PID 2560 wrote to memory of 1760	2560	Cfmajipb.exe	90
PID 2560 wrote to memory of 1760	2560	Cfmajipb.exe	90
PID 2560 wrote to memory of 1760	2560	Cfmajipb.exe	90
PID 1760 wrote to memory of 2172	1760	Cmgjgcgo.exe	91
PID 1760 wrote to memory of 2172	1760	Cmgjgcgo.exe	91
PID 1760 wrote to memory of 2172	1760	Cmgjgcgo.exe	91
PID 2172 wrote to memory of 3232	2172	Cdabcm32.exe	92
PID 2172 wrote to memory of 3232	2172	Cdabcm32.exe	92
PID 2172 wrote to memory of 3232	2172	Cdabcm32.exe	92
PID 3232 wrote to memory of 2676	3232	Chmndlge.exe	93
PID 3232 wrote to memory of 2676	3232	Chmndlge.exe	93
PID 3232 wrote to memory of 2676	3232	Chmndlge.exe	93
PID 2676 wrote to memory of 5000	2676	Cmiflbel.exe	94
PID 2676 wrote to memory of 5000	2676	Cmiflbel.exe	94
PID 2676 wrote to memory of 5000	2676	Cmiflbel.exe	94
PID 5000 wrote to memory of 1536	5000	Chokikeb.exe	95
PID 5000 wrote to memory of 1536	5000	Chokikeb.exe	95
PID 5000 wrote to memory of 1536	5000	Chokikeb.exe	95
PID 1536 wrote to memory of 4424	1536	Cagobalc.exe	96
PID 1536 wrote to memory of 4424	1536	Cagobalc.exe	96
PID 1536 wrote to memory of 4424	1536	Cagobalc.exe	96
PID 4424 wrote to memory of 2204	4424	Ceckcp32.exe	97
PID 4424 wrote to memory of 2204	4424	Ceckcp32.exe	97
PID 4424 wrote to memory of 2204	4424	Ceckcp32.exe	97
PID 2204 wrote to memory of 5052	2204	Cjpckf32.exe	98
PID 2204 wrote to memory of 5052	2204	Cjpckf32.exe	98
PID 2204 wrote to memory of 5052	2204	Cjpckf32.exe	98
PID 5052 wrote to memory of 2868	5052	Cmnpgb32.exe	99
PID 5052 wrote to memory of 2868	5052	Cmnpgb32.exe	99
PID 5052 wrote to memory of 2868	5052	Cmnpgb32.exe	99
PID 2868 wrote to memory of 4636	2868	Cajlhqjp.exe	100
PID 2868 wrote to memory of 4636	2868	Cajlhqjp.exe	100
PID 2868 wrote to memory of 4636	2868	Cajlhqjp.exe	100
PID 4636 wrote to memory of 3028	4636	Ceehho32.exe	101
PID 4636 wrote to memory of 3028	4636	Ceehho32.exe	101
PID 4636 wrote to memory of 3028	4636	Ceehho32.exe	101
PID 3028 wrote to memory of 1416	3028	Cdhhdlid.exe	102
PID 3028 wrote to memory of 1416	3028	Cdhhdlid.exe	102
PID 3028 wrote to memory of 1416	3028	Cdhhdlid.exe	102
PID 1416 wrote to memory of 4092	1416	Chcddk32.exe	103
PID 1416 wrote to memory of 4092	1416	Chcddk32.exe	103
PID 1416 wrote to memory of 4092	1416	Chcddk32.exe	103
PID 4092 wrote to memory of 2572	4092	Cjbpaf32.exe	104

C:\Users\Admin\AppData\Local\Temp\3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
"C:\Users\Admin\AppData\Local\Temp\3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Bjddphlq.exe
  C:\Windows\system32\Bjddphlq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\Bmbplc32.exe
    C:\Windows\system32\Bmbplc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\SysWOW64\Bclhhnca.exe
      C:\Windows\system32\Bclhhnca.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
      - C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 408
        61⤵
        Program crash
        
        PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4212 -ip 4212
1⤵
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
a5d4e021a8d259f35d62064506fa7a92

SHA1
b7e268cfa51f9197e32574217121c3cf5543a8e8

SHA256
a38939894d555e90e6cc401ee50ab964d1257bc053c2a5e701d29fe5b5c5db4c

SHA512
1cc1d4b1338284cb92b46a11feec0850395123cdd05d27806bc232bf70ed288c5f45d45147d730c51216a208db20442d88aa98e5b0520a2c0cec259574b1ab34

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
7718474d5530695890f6cb14b08d5e01

SHA1
1ae9c6e075cc687aecc175c6318a70fa83f9451a

SHA256
7d83abb8ad9c797d4e9efb6a49dbec1d6b30de9cd9d67c57530f97f927aedacd

SHA512
faf60e7d016e0154ee048d162ee950eb7fc19481a9e91d14b2a517f24a137821809308ae23872a8bdec5a80be7d95f0039c4f49f2c8b48ff3dbc8af659b5b7e1

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
96KB

MD5
ca8309ec2cf3f28883999764f9c91f66

SHA1
814177cbd448cc80363f26ba0221a1594f759357

SHA256
fe0a182b6549d0cc013b917e2423b285f05094880133f1629f1829e30d52b058

SHA512
8fbca00773db7af9a4b1aa4576f05a6f62142a833bbdfa92f69632e39d90739b351f2812986dea363dbd57fdf7fc7022f4927149747b0151c8f11d319f0bc6fd

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
96KB

MD5
c7cf8f64ab5475050cba573b884e490f

SHA1
0702173a2266df01e84d2ae0258029f4c9a577ad

SHA256
b7a600f15b31b6a61fa4fb623876753c8f8266c7149906a3c7c6de8fe237e177

SHA512
96bbf2bd9b592c1529f42898e4ab4058db76d170ae9c95fa9a7bce6072495ada9d9aabdf306b281501e3d4e7f03230ed278355cfb9dca017389167c3ae9f58c8

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
96KB

MD5
1ec1dafd2d903df1d8f25e08bbb2b340

SHA1
47ec9d88c33d3b8214dbedceba5912548a9eb1df

SHA256
dbaf1fb4be6086e1cbc0fb68ccae33cd968adb8975d53b8435968a8d3de2fc45

SHA512
9b067559979c384013975247ee78651131fdc024068e139c339a6e63e288ba6731fe5fe15b6718c9a191e2418307cc5725e3a83006f054f0913c1c02e05171f9

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
96KB

MD5
e1c43e5e61215cf6c34dc68f9c6a9b86

SHA1
636a9f0c5687acca4ffb191f3c1180074c309ad6

SHA256
74e5d481b6dfc4ab13d982bc4becdf1bdd62fc6f21cd72d79323d36be7be59f0

SHA512
9879018a7934f04f25bc3e7d8349c71918df12273fa80fbee9a3b97d448ae1358887bfc66bb6008da4e9ee4ca0f34effcf6b5d2563b19abeb4d62d6e239bdc27

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
db3d3d9f1384e7a097ff71f8e8e2a540

SHA1
a835763e31c4faae3fd2d39fd7757c2bf362ed2f

SHA256
26b193ff9f30a672b617c1edc324264f48bf643f1aa789e2544de3c1aff10d48

SHA512
6e08fac965b495ca2233c54d05cffe1378eab930093f71d48b38a4ac91ad67fd1a8a1cd0d6a708b77530089204dc825c294ccbeb76f5f3c7a18c554fab11ba85

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
638cefba2f8213ddaa9fd56409b532de

SHA1
7504e33557c67ef02b68cfe4b8b9c9520129b2e6

SHA256
14754b7a5e021457852b952fe0da6c13b606f60a03e4c95c33da92fe9e6d2986

SHA512
392eaa60129bbd85a245a6123b56219db46bea77840edbf8aa25637321ac8f9e27a6a558dd0213fe7763554ef298ead49364635d9be53f111b9727a18c07d11b

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
bf1353197965e5d0292abab7a1775be4

SHA1
e8b69b1284a5d27af9aec1ce4bf6759d977657f5

SHA256
f7389f92e4531c101444142b3fe89e285e7c8eee403034a78f8dfbc7b36d0944

SHA512
b8f58f4b6ece7c35488f0690c4dce02e00774a2d51f49007746444bfb0c8ec903d0bcedea130864492bfe5d208974d3b1b1606f8b23b2df2156e52800397eb46

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
252c10134bf2753386cff60675a5dd51

SHA1
e3fe9e676eb5e61645bb815567f87113fbaf8301

SHA256
852429f0f2651048480e7dad7bc08b3890407aef27ee2cac378f80c2ad034c11

SHA512
fe4ec3fc7388d70aa711e6f7eba667d5a6d3d91554aa66ca8d88f38ce8b889421e08ed3fe199ef9ff9a0a06c2681487d89c6164d105248f2118c184ac1fdd3af

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
d7057c72eb05eea94e3e5c01e4ae3dc5

SHA1
b65909a6961452187e3f4855000036f5ccb45831

SHA256
2e8b819b4c21107af7335b1e32a20bb22e2bf66befc300148783b7db89398d65

SHA512
577bb0e359985b8cd83732ef7fcedc8eb338960bf11c0f89f40369027e9fa2bf26c7f359590cd28876ecb379ad5b819b6f1a3dece3c46daeaaff2d68d9d3045b

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
85786c22809c3e2e60839a8513ac3ca7

SHA1
2edd3f2011bda2cf48a18f5af1f6eea5483dcdfd

SHA256
153f382ac4b7153f9c6b18203bf45878360d9b51e0473adfe9a9f0bf2aed031e

SHA512
3d4ba0e35e064b454b0c92aea64b3c6cc05c99f16ab6474bb18a8180df42828f0d2a59bd8249a54762ea0f5a3078ebaa219dc63ce2fd856c44c718a5b82f043b

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
620016285fa1ba3bacd4eb2c958f0b59

SHA1
5cc9762bfcb9d223ebe5d8e3c1c7ba7c0ee79945

SHA256
d8e731faac64d061c48f3d69289057ca580710eb83c511566289e5e63712e750

SHA512
4e52937e540e1e7dd275e0747b8da959e4e71816c95eb68626415aba55f8abeba48ec61a82c4f2103de94b9ff69e3f9ff3a26357af8ed459ab25da0dca2ecd5c

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
0b03531f4c56dae505c9f6c71ca3cc21

SHA1
1e4fa89cab67e095e94d7a6bc3a176f016fa8f13

SHA256
e47b1d909467ff98749b729a773b8d2b2962325d1c0f649c034bd24600707fad

SHA512
ed4ec5504e6d4b2b0159876ca26b1741b1c0c9487196a5c1da10f8dee08d95f8b5c10a70b705968cb3b62bb3a6be5e86c1a7ff43ca1046843a73a7d23c82bad0

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
96KB

MD5
a8c1133cc0d96518b422cae2065b774a

SHA1
ac10f988a531c2100a898d625a1fea16e70285b4

SHA256
8b0f164ce5d9e332214b2efece6fd8cff5c1bdeadc4fadf962f69e1271407412

SHA512
00e34e821266476cfdc27e92d4c1e333e90cfb8718e47812563bb7c04d1363e3e0f2b07cd779a6a0d8648fceddd045b84cb5967ad79353c80b04d35629ad16af

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
3c4f0e29ceb47a0d2dba71ed4d07875e

SHA1
9e6876cd847149505416ca8145b75a350056881d

SHA256
02c9221f3edc01207d3af5695708c71d81219562e91af90e05a0bf6b92a7bf7a

SHA512
201ee43457098bc92f237b148129af31459c6081af4ec34f9842ee356e61f0d991646aede97834e46f28c798a1527dc5a5cfaf1fa2a2b6d74a9f493ed9f27522

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
aef570291365454eeacf78c2287f8496

SHA1
6c91c29006b0f05453f28707f34d973c2681d623

SHA256
d2cf3fc8c0bdc0b7744ad8d6ee60060f6a86626502c125958731d58f184df79a

SHA512
9318ec831b9ac8b1aabc0990c9e6dacff94eeeba74fa6ba526e31346d43020f3643929be0e02b47f063fe113cc38bf653c80012bd9ac472fe90877dc22daebf1

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
3b96be264ae97099fe03eb10fd749c19

SHA1
ec55e68d5ab78f94fde1a8f2085e0a6dbe764b6f

SHA256
0e2ba43000c55c721a97f35d16b8ef144526376fbadb75eed18ea717dc5a4eb3

SHA512
b64cd1b2774a81a940559734181b7a9e92ed3e331cd38bf1f9289ab88ba345b0d3f67b90bc2c64e687d8384b3797e8a444880186019201860d40a9c8ef9cc35c

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
96KB

MD5
64801bba2019ab4b0dc69057c0db2d66

SHA1
305bd4839e5b2f47c9c6ce5f264719c0fa9f332f

SHA256
e1b0de9c232e1eedf0eb0f25291b27efeeb8a01ce82613fcde2dab6fae67ffce

SHA512
14f75543ef5e5c082f875b12fd5d37d179130693484155923b140fe32d00feb5efc2c75670ce0603a7b5dbedefebdaf4ac85a193b0502cffc768a7b104619e30

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
96KB

MD5
166b8fd888cf9dcf49bd04dcc254a990

SHA1
baafb7f42b60355746d678d6001e933147231b7c

SHA256
7e2a8624367d0abc7eab55f1b612a22d07bb2f2098dcd26ffa13900a4c8ee285

SHA512
f03538925eec33809f309d54fa82b788a11d1496859a9b9c891a6021168c7bf847ae0a50224c4ac1ac7ddbb47e545ff582afb388af66fdf943062357b0831c8f

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
96KB

MD5
8124abb4cd7a6d909a97ec3bfbc2e4bc

SHA1
52407ac3a5eb290f881fde80ff14b85490d875d4

SHA256
50ade7a83e804e91fdbda94af8cd2d2eb14b1e8eea13a2c74da3b6fbfe189f21

SHA512
9899cbc1fdb8cc4f85cd365ca45592baf84ea569e57e5db8f855a9197bdfafd0a6d0cb623795ff9a38282ded2af00f34da54d155d1c2375b2dc52a488521ac69

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
b4e8355ae785ebfe0d037056667e489d

SHA1
109ce2d249b68cd885d6ed3d176fde6100793e1a

SHA256
98aa6ed13c64b984ba2027d100f8e28e676188a43423878527bd2600a3805d52

SHA512
c383ea9303a197254ed8761966a38d85f3aab1983a82c0726c4c5e2c35c22dfe0f7a82def779041b543067d15803b81368f4152250e2d7e34032e807df6ff20c

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
96KB

MD5
ff338ff67ebf6e4b628dd4137fad0ab0

SHA1
6140c8b327122ad264f37c7ca993ec3c172599fd

SHA256
5097ba36bdb07a7011466b99a4d57003188f2365c7fc207a447e27ff81072cb7

SHA512
5e909d45d7865d85ce2858abd89fd194c4b7aea60451c8783d6a076f1e965411a8a58845d0172285b28e8656c48695d72408b72a42e08a600184ad07cf1f4e8d

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
5c35f5ef1a67b9039fd557727a2e45c4

SHA1
111a25cb522eb9dcb9d0501044cbc05fa245f1fe

SHA256
bf7ffc019b0eceb5aaf7fe8597b01c03b7f664fdb37c1c01864eedb2abede8d8

SHA512
75f5a8123822929ec6bdf8fe22dbdfa3d161d92ce417cdff549e94ea3aa2328bae3bbc75ace1c02d15dcb5456e03bb3cc6fc1e11c6e917165e97477ec5a5e454

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
96KB

MD5
617ab26d09237df33f8584ddeeed9685

SHA1
13ba3725f5c0d0303539a783909737c72442ed96

SHA256
ee1cfea06e467e6cc6ad9c40af30161abd8fd6147a6e32531e1bdb10cad011bb

SHA512
6d169c97dd0706b29f09455117ff35a43116a277bd2523e22c84857f38e97966815157cc972f9a8c129952f381762e52f085bb421316f78a881f01830795826f

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
96KB

MD5
015b26f1bce145e41937028917e64171

SHA1
15a57173544ba153e855b92c44b34b0f0754181e

SHA256
1072500dbc3118cefd1e87d98f321554c5974253b02c4c01a6b12eb74dc41bac

SHA512
09785f1de6b2227c639d0dcc990bf2c9bbee6ccfffcd9d03e1b39228941c387cc2befc73257b18057918d30ecc1c37f0f4a9f4674a40e95638c3449415bb62ab

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
96KB

MD5
7e331a8236a2535c8ad68e5b725a1757

SHA1
ae1e903a657b25960fafbe8aa2a14f2b31162497

SHA256
ac6db4e718d302ff482388f031bd8237d8783f298ee28397ea907a9d5ae2c886

SHA512
faed80a4d3705f7bde7a708eb0514ca935001e41554f803057ba66e5da4f04f1b3ca4945ac2f0e118039e6e71f96372e5ea1ad72e464d3e56dd06208a45a88b2

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
d35064436d44ec62464daf50d2bc5ec0

SHA1
e66ccaa41835a8969afa345b948c810e902a34d8

SHA256
09b78f5f1ab1d138b5819572f8a783c6fb1ad8321772893693cec6cd4f7c29ad

SHA512
f0a6e0829924ac4a7e0ab6be3a2a6e9b8d528e196a34981f2aa0e09bf61d5f7b5907d0f0365a26372a11cdb17df9400d821f7c2996eb5b6bf51506626227546f

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
cac8687838d8fb8ca03a2c709e428c88

SHA1
a41cf07e19353b1588ea4cce5cf0e87636c98b86

SHA256
17647c11f59ef56987aa52c90c11c06c3fb1371f5439948e5cb561f41ad5a40b

SHA512
7a7025e2db8a7c2ed940fe9a92eb0fae9d441e24730551137f8b887c6392c0b6b48d6f08ea0025dab3c3d579e5d140bc5442856be39d1d892cb907f8c87b27ed

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
17086d527ca8cb64bf371d155edf3fe1

SHA1
35cfd863c1ee4724aa8f18a2e859a92bb1282367

SHA256
ca361be1213f18a5bb312a6933eab06471441eab78943057a589cc73439f3246

SHA512
489b612777f0b5116373652c7828348c20bb501b8572415455724694caf55e8edb82b076ca71fde0db79fa9eac373fa605bc576fa889c56f6efbb7367f1716b0

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
3def01d57e0f3920d2f044cb69d1310b

SHA1
9091c4fdbe7ffd705bc0223af828e3d54d0ff460

SHA256
b91d7d52133db3f3c90273ee87676d22d1baa93fa9ae5c941c14f16fc8e64fe6

SHA512
00f9b4a7288b6f628f55124e82b1ad7547cef01077c523f9a98c80df7d73ff9e0541b878af02a08852519b3d8518948b4452fe235c391376005bcb6f0f41d37f

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
ee846c601375258252ded9eab81bd1cc

SHA1
e548e4bdfdf9c64902b92039c3a573826cc574d9

SHA256
46be9aa96626148fecb445f1dd7f8fa206e78301418d14ea808ca9c1b9c6ed31

SHA512
d8505ad4fd3976ba48bddb231cb7593afecbcfed5d24f8a96d7609bbe61ba1e410fb478e384d3f8dc05add8603353f654eb271985a37fa8275ee18cf7203912c

Download Submit
C:\Windows\SysWOW64\Mkfdhbpg.dll

Filesize
7KB

MD5
475e6b4b1177511ebfb4a340485d85f3

SHA1
a74ea7bd384decbb0197ea8c6d0d7d29e0db7115

SHA256
53871936e6a0b159bbab1a937e7464cbec479bbc3d10a041936fc766a838f4b7

SHA512
8af4698cdec8d110400c651491cb2a27f355041231a0609d7894639222c6b8c29a891aaef7ef6ee87c92fd9a1dba71ca6125ff57f352a406d607fb27f693bbc2

Download Submit
memory/316-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/464-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/592-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/592-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/772-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/852-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1000-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1000-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-413-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1124-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1416-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1536-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1536-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-263-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1760-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1760-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1844-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2084-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2204-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2204-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2348-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2560-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2560-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2832-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2856-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2856-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2868-149-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2888-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2988-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3096-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3096-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3156-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3252-281-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3504-229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3740-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3980-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4012-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4092-271-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4092-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4212-438-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4456-425-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4500-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4636-245-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4636-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4704-272-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4740-221-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4760-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4848-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4880-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5012-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5052-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5052-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads