berbew | 4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe
Size

96KB
MD5

1594681883e8478283243275cb5b0b22
SHA1

61e71d40fc051654dbf14d0b5b31ed4f88710c31
SHA256

4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043
SHA512

2c5dae275299b3e87f1ff7623f44e6cecec2629ceacd646a66c68663e18156cd107095ae7e5418ba1212998569e5839d57d1de251f9f5bb61dbe83b1f0cccc6f
SSDEEP

1536:PQOflbP7pSnqL4Vfc4d02zHAdAp/kbeX2tJQ74S7V+5pUMv84WMRw8Dkqq:PQSlbDpSnqLOceGSp/kbeXie4Sp+7H7c

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 62 IoCs

pid	Process
2144	Pqdqof32.exe
4132	Pgnilpah.exe
3788	Pjmehkqk.exe
4760	Qdbiedpa.exe
2916	Qfcfml32.exe
3600	Qnjnnj32.exe
4432	Qqijje32.exe
3184	Qgcbgo32.exe
3176	Ajanck32.exe
1952	Anmjcieo.exe
4320	Aqkgpedc.exe
2208	Ageolo32.exe
2092	Anogiicl.exe
1352	Aeiofcji.exe
1724	Agglboim.exe
2512	Amddjegd.exe
316	Acnlgp32.exe
4072	Agjhgngj.exe
1908	Amgapeea.exe
4588	Aeniabfd.exe
4500	Aglemn32.exe
2436	Aminee32.exe
3444	Accfbokl.exe
1708	Bmkjkd32.exe
4012	Bganhm32.exe
1560	Beeoaapl.exe
4488	Bjagjhnc.exe
3712	Balpgb32.exe
1216	Bcjlcn32.exe
4600	Bjddphlq.exe
4764	Bclhhnca.exe
5084	Bjfaeh32.exe
2036	Bapiabak.exe
3180	Bcoenmao.exe
1016	Cjinkg32.exe
4812	Cmgjgcgo.exe
2824	Cenahpha.exe
4604	Cfpnph32.exe
3368	Cmiflbel.exe
1052	Cdcoim32.exe
3688	Cjmgfgdf.exe
3200	Cnicfe32.exe
668	Ceckcp32.exe
544	Cfdhkhjj.exe
3172	Cnkplejl.exe
4608	Cajlhqjp.exe
4080	Chcddk32.exe
4492	Cjbpaf32.exe
4716	Calhnpgn.exe
3196	Ddjejl32.exe
4900	Dfiafg32.exe
2284	Dopigd32.exe
3144	Dejacond.exe
4984	Djgjlelk.exe
2884	Delnin32.exe
2292	Dfnjafap.exe
2100	Dmgbnq32.exe
4844	Ddakjkqi.exe
2648	Dkkcge32.exe
3860	Dddhpjof.exe
4064	Dknpmdfc.exe
8	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5088	8	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2144	448	4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe	83
PID 448 wrote to memory of 2144	448	4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe	83
PID 448 wrote to memory of 2144	448	4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe	83
PID 2144 wrote to memory of 4132	2144	Pqdqof32.exe	84
PID 2144 wrote to memory of 4132	2144	Pqdqof32.exe	84
PID 2144 wrote to memory of 4132	2144	Pqdqof32.exe	84
PID 4132 wrote to memory of 3788	4132	Pgnilpah.exe	85
PID 4132 wrote to memory of 3788	4132	Pgnilpah.exe	85
PID 4132 wrote to memory of 3788	4132	Pgnilpah.exe	85
PID 3788 wrote to memory of 4760	3788	Pjmehkqk.exe	86
PID 3788 wrote to memory of 4760	3788	Pjmehkqk.exe	86
PID 3788 wrote to memory of 4760	3788	Pjmehkqk.exe	86
PID 4760 wrote to memory of 2916	4760	Qdbiedpa.exe	88
PID 4760 wrote to memory of 2916	4760	Qdbiedpa.exe	88
PID 4760 wrote to memory of 2916	4760	Qdbiedpa.exe	88
PID 2916 wrote to memory of 3600	2916	Qfcfml32.exe	89
PID 2916 wrote to memory of 3600	2916	Qfcfml32.exe	89
PID 2916 wrote to memory of 3600	2916	Qfcfml32.exe	89
PID 3600 wrote to memory of 4432	3600	Qnjnnj32.exe	90
PID 3600 wrote to memory of 4432	3600	Qnjnnj32.exe	90
PID 3600 wrote to memory of 4432	3600	Qnjnnj32.exe	90
PID 4432 wrote to memory of 3184	4432	Qqijje32.exe	91
PID 4432 wrote to memory of 3184	4432	Qqijje32.exe	91
PID 4432 wrote to memory of 3184	4432	Qqijje32.exe	91
PID 3184 wrote to memory of 3176	3184	Qgcbgo32.exe	93
PID 3184 wrote to memory of 3176	3184	Qgcbgo32.exe	93
PID 3184 wrote to memory of 3176	3184	Qgcbgo32.exe	93
PID 3176 wrote to memory of 1952	3176	Ajanck32.exe	94
PID 3176 wrote to memory of 1952	3176	Ajanck32.exe	94
PID 3176 wrote to memory of 1952	3176	Ajanck32.exe	94
PID 1952 wrote to memory of 4320	1952	Anmjcieo.exe	95
PID 1952 wrote to memory of 4320	1952	Anmjcieo.exe	95
PID 1952 wrote to memory of 4320	1952	Anmjcieo.exe	95
PID 4320 wrote to memory of 2208	4320	Aqkgpedc.exe	96
PID 4320 wrote to memory of 2208	4320	Aqkgpedc.exe	96
PID 4320 wrote to memory of 2208	4320	Aqkgpedc.exe	96
PID 2208 wrote to memory of 2092	2208	Ageolo32.exe	97
PID 2208 wrote to memory of 2092	2208	Ageolo32.exe	97
PID 2208 wrote to memory of 2092	2208	Ageolo32.exe	97
PID 2092 wrote to memory of 1352	2092	Anogiicl.exe	98
PID 2092 wrote to memory of 1352	2092	Anogiicl.exe	98
PID 2092 wrote to memory of 1352	2092	Anogiicl.exe	98
PID 1352 wrote to memory of 1724	1352	Aeiofcji.exe	100
PID 1352 wrote to memory of 1724	1352	Aeiofcji.exe	100
PID 1352 wrote to memory of 1724	1352	Aeiofcji.exe	100
PID 1724 wrote to memory of 2512	1724	Agglboim.exe	101
PID 1724 wrote to memory of 2512	1724	Agglboim.exe	101
PID 1724 wrote to memory of 2512	1724	Agglboim.exe	101
PID 2512 wrote to memory of 316	2512	Amddjegd.exe	102
PID 2512 wrote to memory of 316	2512	Amddjegd.exe	102
PID 2512 wrote to memory of 316	2512	Amddjegd.exe	102
PID 316 wrote to memory of 4072	316	Acnlgp32.exe	103
PID 316 wrote to memory of 4072	316	Acnlgp32.exe	103
PID 316 wrote to memory of 4072	316	Acnlgp32.exe	103
PID 4072 wrote to memory of 1908	4072	Agjhgngj.exe	104
PID 4072 wrote to memory of 1908	4072	Agjhgngj.exe	104
PID 4072 wrote to memory of 1908	4072	Agjhgngj.exe	104
PID 1908 wrote to memory of 4588	1908	Amgapeea.exe	105
PID 1908 wrote to memory of 4588	1908	Amgapeea.exe	105
PID 1908 wrote to memory of 4588	1908	Amgapeea.exe	105
PID 4588 wrote to memory of 4500	4588	Aeniabfd.exe	106
PID 4588 wrote to memory of 4500	4588	Aeniabfd.exe	106
PID 4588 wrote to memory of 4500	4588	Aeniabfd.exe	106
PID 4500 wrote to memory of 2436	4500	Aglemn32.exe	107

C:\Users\Admin\AppData\Local\Temp\4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe
"C:\Users\Admin\AppData\Local\Temp\4d4b31b500281124976df0b108b137c3e59dd8835386c22e26803fa299a0b043.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\SysWOW64\Pqdqof32.exe
  C:\Windows\system32\Pqdqof32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\Pgnilpah.exe
    C:\Windows\system32\Pgnilpah.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\Pjmehkqk.exe
      C:\Windows\system32\Pjmehkqk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
      - C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 436
        64⤵
        Program crash
        
        PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 8 -ip 8
1⤵
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
96KB

MD5
526add36706001fd13e6f66da38a7742

SHA1
c9aacdae7fe064c5629cea3935ba03ae95140083

SHA256
7d7aafa8b38072122f5ab6e4b731e870169c182a78e0e686acdbb40ee5a13cda

SHA512
18c2437de6fd0f409c6023785b6b8af4bf9210ec22b8a74dcb7c8b350ccce40a0a3054df3de08a6576822411274f0f58a72f9cd8bd2a98aab0698e490309264b

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
96KB

MD5
fc9e6c43b6120a8cf73eaf8c02792680

SHA1
cc8aa6838d324bfa8683764fb6b0105c1eb4176f

SHA256
bf56760adbba345d660d20d89b70da11c3a71f5ad7e8081a6c233fa53286f8ce

SHA512
095e7aede0f7fabd8fb5503c480a8465029051bde34bd103118dc82868341e018ad7aeab2a6ef3e230a7ff916765bb1ef664bf48ff5b667def94b51170c20c20

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
5aa2636f909ba1a58ce3749739097774

SHA1
0cbfe120eb460189d106cb2456c2040e6ee9fce8

SHA256
f6347eb8c5b45fc673056fe51a709a656f50712aa1e3edb553f0e96256e30644

SHA512
efed59c6df2419dd603e7d16f2232c4233506bd68bac2d6bab3fee95e010907abe5e803ecc8b5febc036f185de1a169fe29bedd199676ab16b7de4ee79aed5b0

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
96KB

MD5
38299dc0ba74b65ee19794f25d474c70

SHA1
e7ae2b82ecf4d898b8adb22d10f0d03453f74923

SHA256
36f45af47abcfb0d97f8591151a7e06680a53c760213cefa8d99141a896ab6fc

SHA512
856735ea1df6d3fa984dce0605d6e1f7917cefa1974c506e9c8fd06118a033cbd8ed397b00f63798ac464224c90f76710e3187dbb88cfb83fa81f72d64bdd3d1

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
96KB

MD5
5b3666e33402cacf4e8dab485809fc9b

SHA1
d3a7b98d09c25c47a3798d8db0bbd7ff7a2f36d4

SHA256
60e5651f22dcfe62380fbeec7a2d6d8fa736a2f77209b5297521ee6f61c12e2b

SHA512
398e7d8a2ceb63ef8f1cc56752c256d6a04859843254baf835397064f81f242d5febe1fed540b913d99eddf0bcda212d1c70f812bcca3acd22ccd95f6258d826

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
96KB

MD5
0811349369b9ce30cf3f192926684863

SHA1
62ef6d1a2cc8b1e9678f7fc505d98cc72ca56018

SHA256
b2054023f37486191fd1164453c74d2a12776183ceb56e665978ac2a953b522f

SHA512
ed96c69f5e963738bbf6fc69c64e7121dc4d6aaee46c9a40dba95c17c6d8b1a8d132066157cf9b8002b3a59eaa23c285d89bc258606d2d9a2162e6205d4d3d2b

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
96KB

MD5
9dc407ce67dbd91c26a9672472bc1bfb

SHA1
3d82532e2d3d238c74975c4a6b245201413607f9

SHA256
e61ec5f61d903b2887e2ce0ae2e01774b11c6fa833cbf359aca5f4743ceb616c

SHA512
ad748a6092c03edcceee34a62c516d0d9c33bda1c8aa46e69f872118f2a4e280eb7718959f7cc36291a8385eb18dbe357dee83298c7dd7a77410c7264bf11bfd

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
96KB

MD5
c66c62e7abc778eff8ef637b2efa5f9e

SHA1
21e7772d79e7f21c1a66312e1479860913ea77ac

SHA256
3b5fe720def858a5bdcd89028e80903d7b45c9bf6ff508888e8c71e84a6bd2f6

SHA512
b9ce315ef9f746bf00c8bb18b04308590a33223e5a84e53b6e8aff95317d397c6516594e32747acf161efdd89630ceb939cf3179e7a5d0829a8aae244638d10d

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
96KB

MD5
e49fcf352a45cf8b60fcb2f5ba9e1d98

SHA1
85e504f7ddce36afcef0830fd9266f759d2de7f8

SHA256
9be1bf37f401105fe8c6645f21f9063d607fe2880cef82d415436bbd850e89bb

SHA512
414de8848c41625d9b2681282593ea613e173bb6f1862913f57cff03d85cc54253a504dfde927b086798a391e0a730bb409ab8219616415f86e4da70ec468361

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
96KB

MD5
c1ca7a760f4947b0862882560cf9d5c3

SHA1
57204828d189a3e82e61a8d74aa069abf0ef8250

SHA256
6ff0fce3eaba138ef5ec91cb3c6f67a4c33b8f2be1fcee4cfa3f989fa6b112f7

SHA512
71eae15879bb9b6dd521edba219f0bf19263cde84629224685dfa0eb83138738fce19d621a6c3d755023dc381e29e45da2baa0e39d5c26cb856989fbce5bcd87

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
96KB

MD5
f148ded6295bedd0d0c273b6cae88084

SHA1
aff06e9fe5017ac3ea6bf9cb5b07c941f7b4ea5d

SHA256
ceb84a74e0af9ccf6a368b4ec1ec07d463214cf33c5db51fd3024e79d699af15

SHA512
22d2208e1a0dcb3affc7b780d8a27d6a7b668c6bd0c5ed0acb68707ff3b57eb272e607c5b9c2b1a4a98b4cebd67f7f05f3cdc11e32d563e2f675ea091c765f97

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
96KB

MD5
4dcb9921e545f00c22b71928b4869684

SHA1
d3f92bbac5e13174d6b9203d3be2239b9255b927

SHA256
3c5ebb2584b1331cab18f0a7d3011baea37483bfbe81422c20bb6d1beb9e6642

SHA512
cf12146c319fa4b56b0928c8ab09edf240d4aee87ce4332c7c57296e783e618ec8d62b833a695507c55d504ce76bcece14f53759eb2dbd9bdce7b777879617e7

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
96KB

MD5
b0ccca7beef7625bdcab1ae2aff88b00

SHA1
1469c82d1ad7e56295e6b4a7332d5cfa415e36e5

SHA256
71b4bcf2fcd7a4e55bce128121afb3652a54d9d33162000389e4df85eb0ae390

SHA512
c5a86adc029424380765f9e5e9fe8f824bf7bb5a7eb0e320c55be4273f856d06b9df8a7439e71ba933f6b69042eb4fbd3e00560d5410244f3a9efecec69319b3

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
96KB

MD5
0d9b271cdfdffd0c4f9aeb5eee6bf2b5

SHA1
7261fa33c0c80e6813e749b16559bdbef56ec169

SHA256
37a686b66af52ec04e85668e37bd631af756a67b9257bc53b3192e8a2769690c

SHA512
ae3a506009fb909efbb308dde3c1b9ef4cdc7c594b18bae1c11908e4ac889f25527730e926115e020320aca6c402c4ce8cf41962f77c17b9aba04741e4a90fc1

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
96KB

MD5
026d3a3e6fa77eb9f8e347c5cbdcec57

SHA1
20274c391d0a3137b62680f48109064caf568472

SHA256
2dc3dce7058fe900bb6fc302f4ae670a232be3363ec420d30659c6d7adbe205c

SHA512
0facf85184bc4402992437cc7ec3d768f3d73ad9db238c69f1f7fe7d2f458588133f59b226582932082c1f9730157c45b03023f9a0419addfb415bc3d8ad3971

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
5ec0d3eaf66261775ab2ea013fe7558f

SHA1
bb5f847e22b3233ec1ff218d1289d99b2fa06054

SHA256
a5a1321c11b2a26970d93b544c8ba84d7f003c8bd46663647959cd09d259fd05

SHA512
ad4377f99d728e5ab501435ae75477dd2796a76b9d4873abfed90211042c3b3ad24c5f64894bf07998faae1d009887b57c086f51e97c698fed85e733360df194

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
96KB

MD5
c8c5ea121916f7a36745701eda184673

SHA1
06dbd5a0bdcbf293b5393515edd77a87d27cb6b0

SHA256
bf46b43a199c3cefa83d7f0790280465967a0abc4fca88c801606b554482ccb3

SHA512
9127ff71e42f5e2d640fab79f3ef961d10b82b39a057ba854dc1ad663626437e720714006f4fbf6936d38cf5587f39b7f6e4f9ad224bda5b698f008c1421db40

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
82be8eb86f6aabdad54da8a5aef29725

SHA1
ace77f03793c9f29c49889fc32f182323a266c37

SHA256
d3c382d82c5f9286c9eb0a379023abbcc45a4f7a6c348b158f68ee2aced9a00f

SHA512
cd2cf86a87b33038c1531e7d3eb9d6828159244abaafbb00787f6cb398ed97a11297725c361da43ad60707029a50936620959d8f0252172f6a5595847f295aaf

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
e01ac2736ffff8e76469e163c5a26383

SHA1
73bfe52c58a6a37d243f52d338de74c478f9ddae

SHA256
541d69241810b24b133a269719f0aba914cbf891e4e108323c097231253d2f97

SHA512
8b4ae8516fade137a469faad45f2d83a4d7ae1c955b14e58f952a8ce475e162c4261fc0850775462bfc5f3abd96f44f83aa8a9c4d0eb45ec716623575402eb7e

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
96KB

MD5
17342f40a2d49287b462e07524adbb9e

SHA1
cfe9233755a980142b8977266a559806f4b70f17

SHA256
b5f90eed8ae26d5db1cfaba740aa0fd942c555b8c959fba57b5ce479545bdff0

SHA512
81c56dab5b4c96a58a2483f842172ac00ad4412028ff43cabbbee6e5f492e74cfbd63d83f1e171003797cc1216efacfaad49ddbdf37848ec2cc3ef60780f4e2d

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
6b677a49ad151d7a0976c4c564d5c87a

SHA1
69b0dbbb896aaec105413f48d062d4f721d8c2cc

SHA256
828e494e5d9987ef34c4a51f2c21ce31c2fda61504772d038a3e4bc092c5f5b7

SHA512
2d577ddc9fe139ab4b4bf8442281f68c3a0f6d0ec139bcebf3e81f5f2c779bcc90e3644168c8c40702bcf6e228d788bf31c93faa879bd8f5c3389c16185443f3

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
96KB

MD5
7e22c260968e475e7991379b0180ae07

SHA1
fd322e0d3fb706d4e511ad93fc0a6f9d8ef39575

SHA256
b3707c4eaa904da4346e9759a5ef258212755bcfec44a3a4a8a19d5b34871ad1

SHA512
30a51650e12d793a07b0fec87cadad6441bd67ca0bea25de7142e90c15839b3aa8718c2dc8ddfbdc5924137764b4c1102e10e9d925bf79b958d76f3a7b062cef

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
96KB

MD5
d978a97af76d279e2b23f2359839f865

SHA1
505252dd788206ce3f565c952062c354f65c1b69

SHA256
d456d53a7cdb69b173f8e99bedd4c3cfca43267848e52266f32867a5e18dce5e

SHA512
e8f77f9b4a43fc9c658f0c8dad84635634adc4aa68e1af273745921a51ebb31ebd3dd3ded16ec179d0455e3b1743d7d79839398b547bdbf4a5ea40aa8b7d7f2a

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
96KB

MD5
8dac1dfa0f9903e8f9b478de3c727ec2

SHA1
8575d4d967feb1e21f2a614151af04c12b697d23

SHA256
1bde8e6fc7b37b3f5497cb944d495caef321fc6e8db9c9950fd83c4ff4e6b5bb

SHA512
6da277367d33b8eaebc1aee8eaab8d97ba450cc8da8594984c528fe835b79d4d6924c62ba0b3d420f7a6bac160feaf84ed9ab36665128428fe64a81caf3cd6ba

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
d05f71b10923a968808240fd6478856b

SHA1
95158015877f4d498d45a94b9889a63051572d2f

SHA256
7c4fadd0127b9f4e218f7cdaf92c9e33aacc91dc8d795bbb185838d2658840fe

SHA512
8b92def7f3ba9f0259904f83db158b61a22fbed0c79ca330dd22ad366c0581662d695c44176994c7f67226f1a5dcfaff789249e686e9de836c568ff59bb3faab

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
96KB

MD5
46ad7445ecb690d64d02eb8bf9ac4c00

SHA1
3491df9bd9f4d12568307f2b1fcda730b943b891

SHA256
76c069fc35c01c1e36ad5c37a56fffafe3e7c3b33e17e181eb8f3d12479e1799

SHA512
a3c1f977119db1e903ff7d33cfcf656ab422615787e68a1cd360545255e2ac9dcbec68cea39c2bbc3e568c1bd9639fe0db55f7b928daad8737b00f0407cc2fbd

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
96KB

MD5
880c604bb5cc5ffa2cdb822904ba180f

SHA1
36784b8e5f7daeead10774ad5cb1fb2fa31ddb31

SHA256
b6039f207ec7f15469c3ef81d730a16acee19a6b0e8ae146e4493f10e1c30a30

SHA512
448646d19a892b469ab9aab640dd0d95bd205ac6be7b36ecafda520d266d894f6249a41a8d6553129e8bfa2a5b58f940322f2bd7024fe1746d62fd7cf21744cc

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
7affdb54b62db4f10211e407c61dd9d0

SHA1
e1c3ce378b77fc998e2fabaac1bef6d25edcc949

SHA256
d0779c6879a6b2c36e8bd69e98597d171928f51c65b85f61e04d7d95480f7fa8

SHA512
5e81fc774bb263f245676fd73c001af63677a2d397c6f24f7d165cc144b9d8c1a0d07f01cdce845329eb24f92f9f41196a225176e3cf52014315443ce8246d30

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
f735a1eb4a62b6233dc5b42de6665fc2

SHA1
8deb8006b65fdc971faeacfb0e803c792246b044

SHA256
b9754948019aa4840ba70df44764f5302918b7229b3ca5ddffdcd76bab64e510

SHA512
5c338c79fbc6db90e80afabcd2b49ba158583143be56b200be3f46b73b1fcc83a49bdf48395a588a49340f470b4101484628df59d35d6c4a88e555a6617713b4

Download Submit
C:\Windows\SysWOW64\Gokgpogl.dll

Filesize
7KB

MD5
9f60da9115fb9565b0cfe234fe4e4be7

SHA1
a746e819c9d84ac9c26352163cb4b0a0ec6d8ab0

SHA256
fb91a3c7982fff0be968696026b4e54ae05cc21fd3ad2aa8dba0b4fa48939dba

SHA512
8970be46518916c22b46f2ae177c933082c797ae04f200f272e51faf65843f037eef3aaed91f784ca857d4c08108a38e57ee917c3222de4dfd31188716baee15

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
96KB

MD5
c8cd81b77c81535ddb56da3a20b10485

SHA1
2ea300df8d4e5f7cf7d23fc7c81513abc823c766

SHA256
9ee139f141fbf1ad6fa3cd079f2f2fb6b0c70117a49b1cf70faca7a0dfb62c82

SHA512
5e84aff1619505eea61b6ab4669f9782e9ea5e32a9476827efb059893f3370678c414f2bdb3e61907826836d80718da5796aba95449ab64ada96fd63025c6946

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
5ad4fd49ac6d2eab3f979c3ab681828a

SHA1
e45a21a11a07fb141063de58760908949a14200b

SHA256
3b8d7132b7afdfe0103f1b79cff701c8882c63b59cf358f2675f541b50b2904a

SHA512
e6c9bd20bea018a553fce90c780c44a67f31d9b313992e53ded20b58df7c557af724c776a254ffed7f4ab80db0e550456cdc858b6ea58335de5474a479247cba

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
96KB

MD5
baf114524e1f322dd6a2a3ff6466e992

SHA1
6d0b63ee9ea2d78e9cf477f91466c363cf876a77

SHA256
27bb3faa93d69dbf8a17239c22508dda48f109e67b40b9a618e803b980be355b

SHA512
38ebb07b2987c5a12c23ef4caace8bcc6ae41842fe05d49f8069dcb9d47b5ed021f1dec4ecb33debbd559b85c3a0502b27631d722f39f72228772f6f582f386f

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
96KB

MD5
a5d9d9627b59d2ff3582da0bbde8905d

SHA1
e985bc25f8ffacedf7d3b71e1a63cebd9b28ae59

SHA256
f86529ee7445885fa60cd0601cd2bb7d693f1d8f14b94921c82139ec854402dd

SHA512
35bf651497bb446a232a60ca00baa52a2f61e9f6bea8c984e7eeedc485c30b0e78c0fe8187296639a089bbeed3107e42c10f155359a6bf0efeb1e59d520e49af

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
96KB

MD5
3507053f8efb80465b94ca6819e056ff

SHA1
af5e0c313dbee2fdfcce9b5a1a0cadf86277f59b

SHA256
5cd4004ee153c1d8c7110976b5ccd201db8ff3e570a8c0608a6b5885213ca46c

SHA512
431fef34d6f2faeffc4323d321e85aedc049305ee439db5d350ec3fbae9c9f518f4c92f1861b7381d008ab839ddb387a5b04678c979127f9da04c61aead06b89

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
3346768c3f60347b7773b8d495c99ca5

SHA1
18929315ee89bea9cae1299c158ee472fd601cc2

SHA256
085989144725f7b1250b7b57b253f1cbcecf70ac29427e7d4b5011a11563b610

SHA512
7f57bd292ea70f8de69278e3313964c8f330b23b4dc3be2a934cd317f81ee59ee8d8044a58f1a23b3ffbf8d88a81a82c6605338e9e98e0651064342878956498

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
96KB

MD5
82a919671c9e4ad3418a2e3090fa79a6

SHA1
80e96de3c35fb7cab9dc2ee7d357b688f227f4fa

SHA256
6752c5b98c9602f4c06432309730161d3e340af6eaada5d4cf3f5250c221dc0f

SHA512
f65eb61181145a8757ed8fed45550778dd2bbefb51de92ea258b9f3dd13949152020047e668d358702bb958e7cad6626903b13ff4696ea44619b07039470d121

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
96KB

MD5
b2527d7e9ac5ad930c538baad82d9102

SHA1
2e8a78cb63c8ed23aa07e5448b0b602e4feb2b3f

SHA256
a3c7b14906c284b02fbb7d67c10545feb51b235af6233610ea375661504820dd

SHA512
594ce9d6cdd13b0e90ac2eab4d15dd163a7e2a88cad101df74c9f703654cc4be5e77787da0de7aa8f200c6fa6f8065590dcf1fd9d74b0b3c71e87b91c3dd3e8a

Download Submit
memory/8-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/8-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/316-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/448-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/544-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/544-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/668-455-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/668-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1016-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1016-463-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1216-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1216-469-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1352-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1560-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1708-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1908-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1952-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2036-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2036-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2208-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-446-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2292-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2292-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2436-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2512-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2648-440-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2648-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2824-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2824-461-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2916-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3144-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3144-445-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3172-453-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3172-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3176-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3180-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3180-464-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3184-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3196-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3196-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3200-456-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3200-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3368-459-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3368-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3444-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3600-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3688-457-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3688-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3712-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3788-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3860-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3860-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4012-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4064-438-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4064-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4072-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4080-451-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4080-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4132-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4320-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4488-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4492-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4492-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4500-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4600-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4600-468-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4604-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4604-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-452-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4716-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4716-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4760-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4764-467-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4764-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4812-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4812-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4844-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4844-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-447-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4984-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4984-444-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads