berbew | 6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284f

Analysis

max time kernel
103s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Size

45KB
MD5

caa520f4634b4976c3a9e8a14c9519d0
SHA1

3533a9145025d4797342a7d3e9c0793ed1e4b8a1
SHA256

6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284f
SHA512

abb4c6cfdba83a1a3035d3e161626e377428b2e429dba0cff028fcf8da279d33843034c6ffef5c41eea996ba08d32c4364ecddb2ba1eba9682a5853c9cfcc75d
SSDEEP

768:cjuUyJ8FGuCykGeMQd+3qKxyFLZO2gA6+dKPiQNvlbpm5Y/1H5xb:cdU8FGfx+6KxyxZO2g/NPiQ1l1Tj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cggimh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caojpaij.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 58 IoCs

pid	Process
5032	Pdjgha32.exe
2888	Pjdpelnc.exe
5012	Pmblagmf.exe
3088	Pdmdnadc.exe
2544	Qjfmkk32.exe
1712	Qaqegecm.exe
3464	Qhjmdp32.exe
2456	Qodeajbg.exe
3320	Qpeahb32.exe
2608	Afpjel32.exe
3904	Amjbbfgo.exe
3412	Adcjop32.exe
4532	Aknbkjfh.exe
4964	Apjkcadp.exe
2540	Aokkahlo.exe
2532	Aggpfkjj.exe
5096	Amqhbe32.exe
1656	Adkqoohc.exe
4740	Akdilipp.exe
2528	Amcehdod.exe
2720	Apaadpng.exe
624	Bgkiaj32.exe
4720	Bmeandma.exe
3748	Bpdnjple.exe
1968	Bkibgh32.exe
1408	Bmhocd32.exe
5008	Bdagpnbk.exe
4788	Bklomh32.exe
1580	Baegibae.exe
3936	Bgbpaipl.exe
4396	Boihcf32.exe
5056	Bahdob32.exe
4568	Bdfpkm32.exe
2100	Bkphhgfc.exe
4824	Bnoddcef.exe
2664	Cpmapodj.exe
2264	Cggimh32.exe
912	Cnaaib32.exe
2096	Cammjakm.exe
4316	Chfegk32.exe
4816	Ckebcg32.exe
1720	Caojpaij.exe
744	Cpbjkn32.exe
2804	Cglbhhga.exe
3176	Cnfkdb32.exe
1340	Cpdgqmnb.exe
2472	Cgnomg32.exe
1612	Cacckp32.exe
1532	Cdbpgl32.exe
4776	Cgqlcg32.exe
992	Cogddd32.exe
1328	Dafppp32.exe
5072	Dddllkbf.exe
700	Dgcihgaj.exe
4200	Dnmaea32.exe
2004	Dpkmal32.exe
2816	Dgeenfog.exe
3028	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pmblagmf.exe	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Ejphhm32.dll	Aknbkjfh.exe
File created	C:\Windows\SysWOW64\Ekbmje32.dll	Aokkahlo.exe
File opened for modification	C:\Windows\SysWOW64\Bgbpaipl.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Pjdpelnc.exe	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Mlcdqdie.dll	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Eehnaq32.dll	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Eekgliip.dll	Cacckp32.exe
File created	C:\Windows\SysWOW64\Iohmnmmb.dll	Akdilipp.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Cglbhhga.exe	Cpbjkn32.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Nmocfo32.dll	Pdmdnadc.exe
File created	C:\Windows\SysWOW64\Caojpaij.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Nflnbh32.dll	Cggimh32.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdbpgl32.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dgeenfog.exe
File opened for modification	C:\Windows\SysWOW64\Pmblagmf.exe	Pjdpelnc.exe
File opened for modification	C:\Windows\SysWOW64\Qjfmkk32.exe	Pdmdnadc.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Chfegk32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Qjfmkk32.exe	Pdmdnadc.exe
File created	C:\Windows\SysWOW64\Qpeahb32.exe	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Lielhgaa.dll	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Akdilipp.exe
File created	C:\Windows\SysWOW64\Bpdnjple.exe	Bmeandma.exe
File opened for modification	C:\Windows\SysWOW64\Bklomh32.exe	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Domdocba.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Jcknij32.dll	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Pjdpelnc.exe	Pdjgha32.exe
File opened for modification	C:\Windows\SysWOW64\Bpdnjple.exe	Bmeandma.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Aamebb32.dll	Cgnomg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Gelfeh32.dll	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Dgeenfog.exe	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Amjbbfgo.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Aknbkjfh.exe
File created	C:\Windows\SysWOW64\Iocedcbl.dll	Amcehdod.exe
File opened for modification	C:\Windows\SysWOW64\Bkibgh32.exe	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Fgijpe32.dll	Baegibae.exe
File created	C:\Windows\SysWOW64\Boihcf32.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Cnfkdb32.exe	Cglbhhga.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Pdjgha32.exe	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
File created	C:\Windows\SysWOW64\Pneall32.dll	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Caojpaij.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
812	3028	WerFault.exe	143

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aknbkjfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkibgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqegecm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklomh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhjmdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgeenfog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpeahb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeandma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjdpelnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcccepbd.dll"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijikdfig.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnflfgji.dll"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlfmfbi.dll"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cggimh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneall32.dll"	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddjmo32.dll"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll"	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll"	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cggimh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpdgqmnb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 5032	1072	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe	84
PID 1072 wrote to memory of 5032	1072	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe	84
PID 1072 wrote to memory of 5032	1072	6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe	84
PID 5032 wrote to memory of 2888	5032	Pdjgha32.exe	85
PID 5032 wrote to memory of 2888	5032	Pdjgha32.exe	85
PID 5032 wrote to memory of 2888	5032	Pdjgha32.exe	85
PID 2888 wrote to memory of 5012	2888	Pjdpelnc.exe	86
PID 2888 wrote to memory of 5012	2888	Pjdpelnc.exe	86
PID 2888 wrote to memory of 5012	2888	Pjdpelnc.exe	86
PID 5012 wrote to memory of 3088	5012	Pmblagmf.exe	87
PID 5012 wrote to memory of 3088	5012	Pmblagmf.exe	87
PID 5012 wrote to memory of 3088	5012	Pmblagmf.exe	87
PID 3088 wrote to memory of 2544	3088	Pdmdnadc.exe	88
PID 3088 wrote to memory of 2544	3088	Pdmdnadc.exe	88
PID 3088 wrote to memory of 2544	3088	Pdmdnadc.exe	88
PID 2544 wrote to memory of 1712	2544	Qjfmkk32.exe	89
PID 2544 wrote to memory of 1712	2544	Qjfmkk32.exe	89
PID 2544 wrote to memory of 1712	2544	Qjfmkk32.exe	89
PID 1712 wrote to memory of 3464	1712	Qaqegecm.exe	90
PID 1712 wrote to memory of 3464	1712	Qaqegecm.exe	90
PID 1712 wrote to memory of 3464	1712	Qaqegecm.exe	90
PID 3464 wrote to memory of 2456	3464	Qhjmdp32.exe	91
PID 3464 wrote to memory of 2456	3464	Qhjmdp32.exe	91
PID 3464 wrote to memory of 2456	3464	Qhjmdp32.exe	91
PID 2456 wrote to memory of 3320	2456	Qodeajbg.exe	92
PID 2456 wrote to memory of 3320	2456	Qodeajbg.exe	92
PID 2456 wrote to memory of 3320	2456	Qodeajbg.exe	92
PID 3320 wrote to memory of 2608	3320	Qpeahb32.exe	93
PID 3320 wrote to memory of 2608	3320	Qpeahb32.exe	93
PID 3320 wrote to memory of 2608	3320	Qpeahb32.exe	93
PID 2608 wrote to memory of 3904	2608	Afpjel32.exe	94
PID 2608 wrote to memory of 3904	2608	Afpjel32.exe	94
PID 2608 wrote to memory of 3904	2608	Afpjel32.exe	94
PID 3904 wrote to memory of 3412	3904	Amjbbfgo.exe	95
PID 3904 wrote to memory of 3412	3904	Amjbbfgo.exe	95
PID 3904 wrote to memory of 3412	3904	Amjbbfgo.exe	95
PID 3412 wrote to memory of 4532	3412	Adcjop32.exe	97
PID 3412 wrote to memory of 4532	3412	Adcjop32.exe	97
PID 3412 wrote to memory of 4532	3412	Adcjop32.exe	97
PID 4532 wrote to memory of 4964	4532	Aknbkjfh.exe	98
PID 4532 wrote to memory of 4964	4532	Aknbkjfh.exe	98
PID 4532 wrote to memory of 4964	4532	Aknbkjfh.exe	98
PID 4964 wrote to memory of 2540	4964	Apjkcadp.exe	99
PID 4964 wrote to memory of 2540	4964	Apjkcadp.exe	99
PID 4964 wrote to memory of 2540	4964	Apjkcadp.exe	99
PID 2540 wrote to memory of 2532	2540	Aokkahlo.exe	100
PID 2540 wrote to memory of 2532	2540	Aokkahlo.exe	100
PID 2540 wrote to memory of 2532	2540	Aokkahlo.exe	100
PID 2532 wrote to memory of 5096	2532	Aggpfkjj.exe	101
PID 2532 wrote to memory of 5096	2532	Aggpfkjj.exe	101
PID 2532 wrote to memory of 5096	2532	Aggpfkjj.exe	101
PID 5096 wrote to memory of 1656	5096	Amqhbe32.exe	103
PID 5096 wrote to memory of 1656	5096	Amqhbe32.exe	103
PID 5096 wrote to memory of 1656	5096	Amqhbe32.exe	103
PID 1656 wrote to memory of 4740	1656	Adkqoohc.exe	104
PID 1656 wrote to memory of 4740	1656	Adkqoohc.exe	104
PID 1656 wrote to memory of 4740	1656	Adkqoohc.exe	104
PID 4740 wrote to memory of 2528	4740	Akdilipp.exe	105
PID 4740 wrote to memory of 2528	4740	Akdilipp.exe	105
PID 4740 wrote to memory of 2528	4740	Akdilipp.exe	105
PID 2528 wrote to memory of 2720	2528	Amcehdod.exe	106
PID 2528 wrote to memory of 2720	2528	Amcehdod.exe	106
PID 2528 wrote to memory of 2720	2528	Amcehdod.exe	106
PID 2720 wrote to memory of 624	2720	Apaadpng.exe	107

C:\Users\Admin\AppData\Local\Temp\6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe
"C:\Users\Admin\AppData\Local\Temp\6e090a3f1c10763b60ec1d571109dd923e6ac16862bf105700fd55cbe578284fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\Pdjgha32.exe
  C:\Windows\system32\Pdjgha32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\Pjdpelnc.exe
    C:\Windows\system32\Pjdpelnc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\Pmblagmf.exe
      C:\Windows\system32\Pmblagmf.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5012
    - - C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
      - C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 404
        60⤵
        Program crash
        
        PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3028 -ip 3028
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcjop32.exe

Filesize
45KB

MD5
8d0c2bec07f616e340b5a69b4826049a

SHA1
f6b45ffd5acf89600e495e67031635d55c277294

SHA256
4210dafed5ce4b5988f348898a98e35a8d98d90a3522227a11f55e4533c2777c

SHA512
a130a40c52294892a734dc51453de7df214c95c1b09ab67b7afb18159d2eb707e7e05b223c93eeda75612644d654b407451e17d83f6c16bf788bd17f1152cd5c

Download Submit
C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
45KB

MD5
95686efa7048e096bc701a83319a381f

SHA1
75add7066a2d347c63ad8927a759d1c79ed64f27

SHA256
953724d607a4f58b3b93e0606d0d7f74cd5b0c0230ad30dc57f10daf48185716

SHA512
4a3493d39915c7b9435c59c5f9624f000335b20991aabfad641fe545af402eee636def14b310fb30fffe04d970ce99c246dac109c111312f11d31474b9a6b5a2

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
45KB

MD5
7d9a087ff91f9560d6136093d6cb2259

SHA1
a2e99a68234531b13459d8097ee62e6b8cf76900

SHA256
c7bf9194f0dcd1824874a2afdd7c428a5be598deff81faa73788b48fa71fba49

SHA512
35521deeebeec32e961f6b072f7f38d41948801c61726489fe0904b9f1f302d2542d9d882d1801adb7cadce651ba78d73567d6f3492233ba87bf665cefe1e0a1

Download Submit
C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
45KB

MD5
592560529eb43ef89a6ea3963ee3df49

SHA1
7fa62bb8bbcf30d7102eae3a4acffe4c2464c9a8

SHA256
77d1db1c5c662a8f3f09b4dd29e59c26b30b8440e5f06d10a60d22abe7d2a2b8

SHA512
abcf97268a3508226f2d99e17d6349745492a6bccee3f9e6fcaad293bb9f5f79e913633d88f83aae65847f4ac63655f198ae35f0cd0f613233a04a298b50a1f6

Download Submit
C:\Windows\SysWOW64\Akdilipp.exe

Filesize
45KB

MD5
4439efec80ae38b1d24663508de953ef

SHA1
6ef628ca822c7dbc7795174277a7b1550a50f58e

SHA256
4b3b79c41831c9d4ea7be36064a7d4ed644f46e78c7714f69c77bd449bdaf710

SHA512
0261488682b96c551a0e8b94af605efddb62c225d38254a21a928aee712261950454a326fc04a02152f05add67e35f98c793166417f8edc2d386b050f206af94

Download Submit
C:\Windows\SysWOW64\Aknbkjfh.exe

Filesize
45KB

MD5
419b1a0410e53048986e47521431f5f3

SHA1
eb8ddce5d407b966b8eaeb0f51dcb007ab37ebbc

SHA256
df875f28b37e0f01595b89a76510722d2a634c22d26d7cfa348e042668016ad1

SHA512
458d8747b993c30f33578c3baca8183737661a9fda71015524d7ef20621e7dbb8f4a938e86982d6f596637189f1bc5a7e4149f087545a429e9f2dec69b396fce

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
45KB

MD5
993e905bfafeceba1f241a1ce810d315

SHA1
70ac461d8aed4a5b03b9da097e815bd0f508eed9

SHA256
b061819c7dd69eb8a261c6aae4d63d873ef1a8e23a60fcf6c06179e95a2b8c24

SHA512
de1dbfe645f499b1d0c15e4ac36c5b0d76edf9d9031410b530ae6b3f6ac1ed1dd2ca711b9caf6aedd2f32e05fcf5a898828c347e7380c78fa5eee39dd788531c

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
45KB

MD5
28671e59b547e5e7b37f4bf83a075339

SHA1
dd711225b722574231ba6ca6c2f4acf11c513564

SHA256
618e7d26c48ab9277b80b98f5af1e2c93a9f238c82035d5ff182e366bf1acbc5

SHA512
073e43cce7138757305363941ad19634842d226df5c2253abefb93f18696cead13aefc9a6751d9a6d78940f43e69b4d1a24f772edd37ab9ec231f502cc70c0e8

Download Submit
C:\Windows\SysWOW64\Amqhbe32.exe

Filesize
45KB

MD5
bff79b9a0fd574771263730973df5a2a

SHA1
35ab56b805b12492c4cb4e482bb936af104bd67d

SHA256
619c47412b7b8b00930f7fb31b4fde6f6e7ae469e0c9e659c072071499344e18

SHA512
6bfe10585ce4ef8681ebca1593da1bcdcce4d75e69ed5dfcf4f98262691eb347aa362b363be8718bd7d95f1b3cf22155b6821670074fe7801832d68a81d24d33

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
45KB

MD5
d893c116228a2c3dc553a8b9120092b5

SHA1
3f2afc050b19c68615480a254db9a3ee7f6bea0b

SHA256
109a116d0dae3c615a446d1be6591dec42420466c545014b5cf57353915a89ae

SHA512
b8304f97d6150befa7cc3e9b7ad7989a90225d43b02cf905f759af251eecf17c893932c59a03cb0a4c65a51ed03ca9086d4f491bbf1fdf058d3694fc21d57c71

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
45KB

MD5
b92ac0aeb30ceb3ca275f6719008484d

SHA1
9c0fd8115bbed9f3a35b3034e2c7c4cc90da0c15

SHA256
170b687a51535bab57c0a8eb794328454fbfbd1addb71dcfe660548407cd339c

SHA512
6af18663db2dc914c969ef0e53b3a859c8af7ce6035aa990bfa7bae375172bf0e840d6ff7e3e4fd7b9fad1a57f75c3d5781660b89fe78601565b59f61f7c0823

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
45KB

MD5
a9f7a137b206c87fdffddb835665cc9b

SHA1
e9e3b61802039b812d8504ce40f04ddb53f6f98e

SHA256
acee9089d0c38ba2fc56a9ecea73489e200bcb70a25fe9c75173028bd6c3422c

SHA512
1fd0c96a77ef635580c9613471149dd46508c4421be964316c0a11432ed4622452cf786229e73f5fb337cefd91fd1f9e248e1cb21d50c428de2f331a3cb1d553

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
45KB

MD5
c0bd0b00c1a485372672b90f44d2c3b7

SHA1
c96247b94dee6c385de9cdb714b49c81e0120048

SHA256
11c779fd65352b00fc92c63279fbbb5d35b09d4aa537760c7acc7ea15790888f

SHA512
36b59728335d1a59b322a3b07c387d0e35ca903805d08d88b5aeadcdf93c6abea42d94fd61a8433fb01f5f0929289cba7b0c908ab23fef364911797258e41cb3

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
45KB

MD5
171fca2cee229a8a79573f9c49ceca31

SHA1
e2ae9c26b6ce736b5291921908dc0c025c3cbdcc

SHA256
9d2af177a03222ec0a6422f6e5cebb992a4cf5fa957dd74f34c9d61a3df21bfc

SHA512
6ba0c32ce2a82d9e303a54f4c0a91baab3626c4fb3cda28017e069e3223b203e24928a5887bf81b3c5797ed7e52e0c989fcff1e9e5157e51284b34727d0f9e76

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
45KB

MD5
4a0d4e4b1f5e1922b2cd9b69196cb408

SHA1
a76e4142f6f5fdfccbba883ff0a14242425410b7

SHA256
b53314117e627c0a67fbc11b43a7ae31475baa1e1df3c0465f81722abf5ed235

SHA512
2b2af8a61e809c24c6e76fe6a73acfd5f22b94d501f0251c23e766f596feb9aee838a3c8c1c6b793fbdf8e1554844a6b256b5d5f3ec16c73b8efd9c400f88cae

Download Submit
C:\Windows\SysWOW64\Bgbpaipl.exe

Filesize
45KB

MD5
b536aae4ed1c41c9dbe66e07110ebb9a

SHA1
f0366139f2ad749e08f3da40db650d7cfc42db18

SHA256
c0a924eac062a86222fb5c928cedd7c6a64204505d66f34aeca8eb24b037d7e8

SHA512
12fe6f12fbbc3b5207c81b4eb3ac8589538f2338fedc184075b443dc8a88131e0926ab91a3b9f62fc5d526034be312b7754eb75c54f136a66cc54db26a7ef206

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
45KB

MD5
38dda682a44d39ec933b9b7e038346d9

SHA1
4467d488b3eaeb4e46c3c4298ed53131aee43b79

SHA256
583bd149b70b7bef14936a689cc7a6d050cae731185502c1ab3f7b62399e7ed0

SHA512
1afe08d021f78435e805d2944d26bdfc6d80434f7d48e073fd454267db3d1efad27eb601307777187898df5ac67af3ace5e95955bded8044d76feadddc238d96

Download Submit
C:\Windows\SysWOW64\Bkibgh32.exe

Filesize
45KB

MD5
58c03a7234d836f5aa6dc02c10d86363

SHA1
53b06bbd2d1d9fdda01065b79873fed736d95b6f

SHA256
305b3c7cefee710e2c987226109c43783a3f589a1f815bd50ef3adc092562cef

SHA512
2a70da214cff5141d99098bb65d861637835452241469305a5a1604441d2dc18d53bc6f437c85e8c598254c60af54e7f0e01710e928c7a426f5789b29e7ca86f

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
45KB

MD5
46b0ae9d9a1f30b1028d083770261daf

SHA1
cd259189967e4138af8fb869677f32d2d87db025

SHA256
14ae573f5095b44630657698a98d15e98a1ef16153985649a41e6e0f4b08c264

SHA512
1b0634b71403876c710445fb54e76796b05e4506af65ccae897a4c5d9321ae486de0c74c9e077d2153e099a65d79cf760cd4a501631de888a23adb0e3f8f8a69

Download Submit
C:\Windows\SysWOW64\Bmeandma.exe

Filesize
45KB

MD5
cf8faf5dd1290837cb1bd5fdad4088c5

SHA1
af1a8e30550c7dd3b4ba51bcd97417d62b9d9d90

SHA256
40631b41a17311961f6899d3a3edac575ea0bd929e86b9706379daf38d5a7420

SHA512
29c9e38216710e65f0c94000fa312e294dc95aac0ecacc546cf6ba3da6236d10cb872a9340d0bc8781522b1c2b8c86147e39b93ef8cbccfca4ea92eddf5087e4

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
45KB

MD5
7dabda660355ac575bb84f72a024c575

SHA1
86853f8d868d9151e08981b019860a48b4dda71e

SHA256
55a1735e289275966379079bea8944912e319927ac8a64a02cc9443bed103ae9

SHA512
202aabfa4e3d4eed6cd09cb3d44a958d869d0e3ac1d44dfb699c2338291217265c83173613ba21940712052798216517352ada00826288019345b53a892f6194

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
45KB

MD5
eb728fb8e33414d2e37ea58638560861

SHA1
cf118b0b5a133a1b3477143b51c516918e675552

SHA256
7577efa93474df5ed0a6d34b5aaa9fcaddae036af969c62fab131122f30efa48

SHA512
1745e8392e169c573bb35783f6f299f5f887e1891f75fe02f92f27a533619a67358f126c7b2c0a60b59bef2a5b1fb09ae75fe85d8b996cd24aaf20284bbc8289

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
45KB

MD5
e99b577b10497fbdb73292a2df311403

SHA1
77b657eeee34dad94988d6f1814fc637d0dcd83c

SHA256
cad45913f99e6f70185a61f241b195af3632e941b74c5b47e2aa2dee91b1c6c6

SHA512
d01f290edb0229ba2ebd2676aec5f2bfcad3a24eb4afef2eaa37b5d2d32791c216575608bb05b6066c306d39c5fe6567a27bec825b90de59caee8b404d1c71d1

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
45KB

MD5
689fe8dd1ccfc8dc3c558e7657919464

SHA1
63c46be0fbf4c8b2d656f8334e68ade5ba121574

SHA256
6fe1a664883674a9ce9c92360ce4e0ea1b6378a47ba5f941c5e2c35e1434b6ca

SHA512
f1684483c59c021d44b7b323a4457654c4459ef725fd9abcdc238e3833c4371f09fa7880d8846662060e55dd1e396ac61af603069ea18b072da3960d308a1171

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
45KB

MD5
93f3d7e25e114b4adbcbac73261663ce

SHA1
d9480fd8921365f58172001da98aa56beca7f5b4

SHA256
2dd427bdc75fd1f688f02fe6fd3dd531fe996aa471829b0293aaeb9f0c4e4fee

SHA512
ab202fa44537c31022285cff3a98d20ec8d524904b3a92b8760b6300b6425659a342761a16398562d3d585a6805bff3f01be4085131c75002917701523d6da27

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
45KB

MD5
a82876e0e0f5a514e9d0efe85b5a2181

SHA1
c385d1c7efb329bd4f424c9d8a0fd1acb831b8ed

SHA256
9d0a5296f5ee4658d622d085333486878495f5e497a6bc8fa15fdd38829fc638

SHA512
51baeb5a912a551991b0c0497191ec8c8f20283964a1ffd8467cb871f2e1a483390afa5f32655e7e063a8c217268d5cd661cd6a9af48524c1b0c3ffb4fb3631b

Download Submit
C:\Windows\SysWOW64\Pdmdnadc.exe

Filesize
45KB

MD5
2ccfa7bde04c51c2c8c42dfa8c6410c6

SHA1
3278984a2603be2d081ec9541fbdaed91f2d9dc5

SHA256
ce2f6170d8622093b478a50caf56a8141d26155b399b24d661a41eef6aa52bb1

SHA512
f822d72d78ab7e866b0c9020aa90a34390b2714b49c87553968c61deb0d0dbfb4329a2192ea695bf2f0751cc1bcda64b9e1e47c031231b913806eb0b2fb4f891

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
45KB

MD5
c52a285ee7ec33ac9dc1f36f1aebeb0a

SHA1
ecc4d7cd85a0543c04b17fba8ec928f7c2e60eb8

SHA256
bb9f308ed05415fa8541c67042c032f4027e1c2fd24e1a264e5e0dd9ae7e6dd0

SHA512
9432f54834b4f6eb955051e0b8415434b129beb92e7033299d5c255c247450137f30bf8cad1b134c161a3071507a494fe9eeff6c05c80978b6f394aec4155a59

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
45KB

MD5
790575c1f69cc6ce33a7aad12793e11c

SHA1
7c8a23075af3c4aa34e9d95ef12be4b1746cd516

SHA256
c7c20f28ce76cf11f7695d3257907fb4c26d7694fce5f7f83a0fdb381e42c5dd

SHA512
3d274dd0012f90778d6ab7f8e23960b541caf97c8eeb0cdaab7e0580b75f1323e7be2017d381a4ed8679a3646c3eee48172524a088d03f26025698eb7bfbab38

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
45KB

MD5
e064841bb2f95fe5f2022c41596eab4a

SHA1
0e2612b363d01ac32207b11179e82db66ec0123f

SHA256
dfc2cf3f7dba27d3649f699be7b5435afa5e8d57d463e6c866aeb3060714dbaf

SHA512
6be41bd8f455906b4c42f593d0c278ea6da46e8be568ba08accaf888d2bb34c81be8d96d72c02dfdf414a13b03033c9d16742d7dee9f7740ed5b69514ed179ee

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
45KB

MD5
632abf441c8e81aafd75e3499c6565cd

SHA1
f5f7e07fa5541a9220338efc1d3029b8c8464ec3

SHA256
26a1400023ec7f73e0834fd324b53c0fe274e8f1c5c4a26c7927faa7d2f9cafa

SHA512
5b99f3976850cd9e7ca2c6b2038c5a83be08f7c988b469162efb3b34ddb4a50b340b8c509c79fdd54754c20abf1a921369fc8bd9f9f1a82fbd60f86de449600d

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
45KB

MD5
5a995240306678bdba546c6e3af3de83

SHA1
0ee404d410eaa73cfeb74e177bfef65f8d1a2d3c

SHA256
10243c7a2f7742519b9211a4eb49e323329a4f89ba0a88e95471338219ab7d10

SHA512
a0e218fae18e2959f9ff973b5846c7176637bffc0c6e12807abd039bef8fa3f441de993d9957be17190e7f520058b186a4afb9fed68419caa16f90a588b73913

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
45KB

MD5
17de769d8322a2a259494a31c09fb62a

SHA1
00c1f334aac863c1d6a69dd13687b6ef4f4baf5a

SHA256
08f3a05e8780664a33dbf650b9f6370f7e864bd792634b2e5206ba0de638721c

SHA512
6a3b87e986992edb5abd96ad71e0ebae2bed5b4108b0de54e1e9687eb246cbb09d0e25dfeca85ea5652520aa17165e3b081b49a4fe60e9779a571adcbf0deb32

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
45KB

MD5
915b258340868e33ad2054a515a7fede

SHA1
604bf0ce2be3990a08fbc63b9b6e05a30302f515

SHA256
6a6991995dbb2fa77e3ec906181085db6f9f14ae4e547c3a1f5b7a86906e4faf

SHA512
b186872b99857897a4c1b0216b2d62339c236e6bd028064d3317b492e7bd8a33116ec68a04f235909fdb2a2802d61548882b24dda0344754c3f48c9877c51a03

Download Submit
memory/624-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/992-427-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/992-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1340-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1340-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-433-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2456-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-439-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3464-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4964-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads