berbew | 69c4afc7bd3a384694c4d978cbfbb03b38280d01101d79b46923285d8874d69f

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c4afc7bd3a384694c4d978cbfbb03b38280d01101d79b46923285d8874d69fN.exe
Size

94KB
MD5

cf58ac8423e7403a35b9cdcd02aec180
SHA1

c2d488012cc30cf70b1a8fee6dda03731663b443
SHA256

69c4afc7bd3a384694c4d978cbfbb03b38280d01101d79b46923285d8874d69f
SHA512

48696f76a7ba5149438b59a2b21feae0da9ee51a9828087e5b17df77de50d61fe9415dff46b0a94134cb03cac56376e10f466751be6c3e232d2b7bf36f97be1a
SSDEEP

1536:X9tFl52q9znq99/yj6uXzl42LYtaIZTJ+7LhkiB0MPiKeEAgv:X9tb559znq99qj667YtaMU7uihJ5v

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	69c4afc7bd3a384694c4d978cbfbb03b38280d01101d79b46923285d8874d69fN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 57 IoCs

pid	Process
2760	Pmfhig32.exe
760	Pdmpje32.exe
3480	Pcppfaka.exe
5076	Pmidog32.exe
5024	Pdpmpdbd.exe
1040	Pfaigm32.exe
4864	Qmkadgpo.exe
1516	Qdbiedpa.exe
396	Qfcfml32.exe
636	Qqijje32.exe
1432	Qddfkd32.exe
2972	Ampkof32.exe
1200	Ageolo32.exe
3764	Afhohlbj.exe
2500	Anogiicl.exe
2028	Agglboim.exe
952	Amddjegd.exe
3788	Agjhgngj.exe
732	Amgapeea.exe
4040	Aabmqd32.exe
3640	Ajkaii32.exe
844	Accfbokl.exe
4944	Bcebhoii.exe
1620	Bfdodjhm.exe
2336	Beeoaapl.exe
2180	Bgcknmop.exe
4452	Bnmcjg32.exe
3544	Bcjlcn32.exe
3428	Bnpppgdj.exe
2492	Bclhhnca.exe
868	Bnbmefbg.exe
4080	Bmemac32.exe
3228	Cfmajipb.exe
3280	Cndikf32.exe
2388	Cabfga32.exe
4420	Cfpnph32.exe
1916	Cnffqf32.exe
4176	Ceqnmpfo.exe
1108	Cfbkeh32.exe
432	Cmlcbbcj.exe
1276	Cdfkolkf.exe
832	Cjpckf32.exe
3492	Cdhhdlid.exe
3564	Cnnlaehj.exe
220	Ddjejl32.exe
4172	Danecp32.exe
1608	Dhhnpjmh.exe
4380	Dmefhako.exe
4336	Delnin32.exe
408	Dkifae32.exe
1424	Dmgbnq32.exe
4972	Ddakjkqi.exe
2932	Dogogcpo.exe
4636	Daekdooc.exe
2608	Dddhpjof.exe
1420	Dgbdlf32.exe
2772	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Ddjejl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3204	2772	WerFault.exe	142

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69c4afc7bd3a384694c4d978cbfbb03b38280d01101d79b46923285d8874d69fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2760	1664	69c4afc7bd3a384694c4d978cbfbb03b38280d01101d79b46923285d8874d69fN.exe	84
PID 1664 wrote to memory of 2760	1664	69c4afc7bd3a384694c4d978cbfbb03b38280d01101d79b46923285d8874d69fN.exe	84
PID 1664 wrote to memory of 2760	1664	69c4afc7bd3a384694c4d978cbfbb03b38280d01101d79b46923285d8874d69fN.exe	84
PID 2760 wrote to memory of 760	2760	Pmfhig32.exe	85
PID 2760 wrote to memory of 760	2760	Pmfhig32.exe	85
PID 2760 wrote to memory of 760	2760	Pmfhig32.exe	85
PID 760 wrote to memory of 3480	760	Pdmpje32.exe	86
PID 760 wrote to memory of 3480	760	Pdmpje32.exe	86
PID 760 wrote to memory of 3480	760	Pdmpje32.exe	86
PID 3480 wrote to memory of 5076	3480	Pcppfaka.exe	87
PID 3480 wrote to memory of 5076	3480	Pcppfaka.exe	87
PID 3480 wrote to memory of 5076	3480	Pcppfaka.exe	87
PID 5076 wrote to memory of 5024	5076	Pmidog32.exe	89
PID 5076 wrote to memory of 5024	5076	Pmidog32.exe	89
PID 5076 wrote to memory of 5024	5076	Pmidog32.exe	89
PID 5024 wrote to memory of 1040	5024	Pdpmpdbd.exe	90
PID 5024 wrote to memory of 1040	5024	Pdpmpdbd.exe	90
PID 5024 wrote to memory of 1040	5024	Pdpmpdbd.exe	90
PID 1040 wrote to memory of 4864	1040	Pfaigm32.exe	91
PID 1040 wrote to memory of 4864	1040	Pfaigm32.exe	91
PID 1040 wrote to memory of 4864	1040	Pfaigm32.exe	91
PID 4864 wrote to memory of 1516	4864	Qmkadgpo.exe	92
PID 4864 wrote to memory of 1516	4864	Qmkadgpo.exe	92
PID 4864 wrote to memory of 1516	4864	Qmkadgpo.exe	92
PID 1516 wrote to memory of 396	1516	Qdbiedpa.exe	93
PID 1516 wrote to memory of 396	1516	Qdbiedpa.exe	93
PID 1516 wrote to memory of 396	1516	Qdbiedpa.exe	93
PID 396 wrote to memory of 636	396	Qfcfml32.exe	95
PID 396 wrote to memory of 636	396	Qfcfml32.exe	95
PID 396 wrote to memory of 636	396	Qfcfml32.exe	95
PID 636 wrote to memory of 1432	636	Qqijje32.exe	96
PID 636 wrote to memory of 1432	636	Qqijje32.exe	96
PID 636 wrote to memory of 1432	636	Qqijje32.exe	96
PID 1432 wrote to memory of 2972	1432	Qddfkd32.exe	97
PID 1432 wrote to memory of 2972	1432	Qddfkd32.exe	97
PID 1432 wrote to memory of 2972	1432	Qddfkd32.exe	97
PID 2972 wrote to memory of 1200	2972	Ampkof32.exe	98
PID 2972 wrote to memory of 1200	2972	Ampkof32.exe	98
PID 2972 wrote to memory of 1200	2972	Ampkof32.exe	98
PID 1200 wrote to memory of 3764	1200	Ageolo32.exe	99
PID 1200 wrote to memory of 3764	1200	Ageolo32.exe	99
PID 1200 wrote to memory of 3764	1200	Ageolo32.exe	99
PID 3764 wrote to memory of 2500	3764	Afhohlbj.exe	100
PID 3764 wrote to memory of 2500	3764	Afhohlbj.exe	100
PID 3764 wrote to memory of 2500	3764	Afhohlbj.exe	100
PID 2500 wrote to memory of 2028	2500	Anogiicl.exe	101
PID 2500 wrote to memory of 2028	2500	Anogiicl.exe	101
PID 2500 wrote to memory of 2028	2500	Anogiicl.exe	101
PID 2028 wrote to memory of 952	2028	Agglboim.exe	102
PID 2028 wrote to memory of 952	2028	Agglboim.exe	102
PID 2028 wrote to memory of 952	2028	Agglboim.exe	102
PID 952 wrote to memory of 3788	952	Amddjegd.exe	103
PID 952 wrote to memory of 3788	952	Amddjegd.exe	103
PID 952 wrote to memory of 3788	952	Amddjegd.exe	103
PID 3788 wrote to memory of 732	3788	Agjhgngj.exe	104
PID 3788 wrote to memory of 732	3788	Agjhgngj.exe	104
PID 3788 wrote to memory of 732	3788	Agjhgngj.exe	104
PID 732 wrote to memory of 4040	732	Amgapeea.exe	105
PID 732 wrote to memory of 4040	732	Amgapeea.exe	105
PID 732 wrote to memory of 4040	732	Amgapeea.exe	105
PID 4040 wrote to memory of 3640	4040	Aabmqd32.exe	106
PID 4040 wrote to memory of 3640	4040	Aabmqd32.exe	106
PID 4040 wrote to memory of 3640	4040	Aabmqd32.exe	106
PID 3640 wrote to memory of 844	3640	Ajkaii32.exe	107

C:\Users\Admin\AppData\Local\Temp\69c4afc7bd3a384694c4d978cbfbb03b38280d01101d79b46923285d8874d69fN.exe
"C:\Users\Admin\AppData\Local\Temp\69c4afc7bd3a384694c4d978cbfbb03b38280d01101d79b46923285d8874d69fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\Pmfhig32.exe
  C:\Windows\system32\Pmfhig32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\Pdmpje32.exe
    C:\Windows\system32\Pdmpje32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\SysWOW64\Pcppfaka.exe
      C:\Windows\system32\Pcppfaka.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 396
        59⤵
        Program crash
        
        PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2772 -ip 2772
1⤵
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
94KB

MD5
f520a8f632d6b19c00a32ff1b2529377

SHA1
b146431b4a9a6d6191aac1ac4f120c8c8d13aa70

SHA256
00aa3ca2bc396672f024f86e91ac1a77883f10ec812dcbe8746c457fe09bdebb

SHA512
e6dd3f1c66eae1a6ddc88473bad57b55a45b45f02cd859b437da30dcfda99fec1caaf5737bf59ddf05319f211e3eef73aa2f0de245fc470974ba6e22ddeaa462

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
94KB

MD5
306f202172d90023b288816b4bb4763d

SHA1
ab22928a4c6acd4fc15eb2bf66a6ac2ae0d3584e

SHA256
61c392bd003cc03c55b04dd2a627d825131fb4ac4cd80a13adbf28176d4534ca

SHA512
196cee60c6d43fb5bc9a3c1ee40bc354b35dce0401515144dfd28686bc26114e98007423ce7ab2054edaab6075e911381d05f8503bed14312b102217ea20497a

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
94KB

MD5
573e26ebd7fad26a085e54e63b20e00f

SHA1
15286cbd98c2876ffd3cb09da5944f8835778fa3

SHA256
9b4918a2ca20ebd64079f14312ff9e9c9e216ede93e6bf5bab6ee25b19eb6a73

SHA512
048a4421e05698eaa79b8779308ff551006ff195b96befbf420851c844dbb6683c7db2f198cacb7fd16226bab55759e2275acd72e0c3d9857a8c0eb4382838ab

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
94KB

MD5
066695a51b696e009cf254eab925bcb6

SHA1
8924ee07b0f06da6b8ce4839bc632276d42c4814

SHA256
0f963f495b74d76972c61aa7a8c821bc981f8be462c13c8259f3bd7368f099ad

SHA512
b7a5c23758586c9a6f6445a5654509127095421899e348da5a560e41e3629bc4b1fe52abf24425d5a5efe2e59269186040456b7576f4b110eacd9e417bf48147

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
94KB

MD5
7d653414dc68cad9312bf23e9c81bb35

SHA1
ff58d524015f18a9bf924f0851ed7b33123c9897

SHA256
ecc68830445dc7af5b3f7120d2b7473ff96aeaf17cff23c559739a18f2e4be33

SHA512
ae41f04d01f1f5f938bdf7c0cf4bc921267214b57a3bdaea51cf6f22a088411d3e14ac88bb29240124be9c96bc53f30c1faab9441e84c449db42689435b50b80

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
94KB

MD5
36884ae125f6dbd0a665ea11db62e287

SHA1
e3e294cb6017e01da6690c95ed504c1e2f1b4886

SHA256
0e57f4196f4616c82ba5c661fd05e36ff868ff805b09e4c820302d6db4ed3c03

SHA512
9cc277ea0b5f3e1e31e102ae731d4d627594575dfadca344444f5e456c051b8968edee09fe21875c4b47f72f0ca07dd0e016d069f7121d244300df258f61ead0

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
94KB

MD5
c2845930f1db27717bde9eeafff4bda5

SHA1
0a146c508b74cc2b1b0bd0e19d390bfb0d516307

SHA256
5d725e782f2db85656058a574a17f651fefb8951b534073530be0a06ce01c55f

SHA512
482b8fcd83d620fa8f347a42d4ff1691943bfb445bb4c0b7f241239f80be1762ec5a5fafbc9ea997bdad00780875cdfacb0a8d9691d903abeaae96aab620f877

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
94KB

MD5
d3be4c7a6957630285fd81851b33e54c

SHA1
d7413de161a8ab0677e40116bf31bd3d082b0d2b

SHA256
8eb9fa92e550bd729dc4eea6b4a0d874766abb5fbced10ead53b3f1b4ea65c4c

SHA512
317a69b81315317e997219b62863d17cd02299bc4b7577f74c7c312f5a7913414b2c3090fd15919daed63f4f9c5a0cfbede4596b1774f587984ed39a955918ee

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
94KB

MD5
fa5e8e53620cad6f52a00183494ac091

SHA1
d777b87cf7219a4cf307d8348d1ff3edb488c97e

SHA256
33cdcc19cdf89402f86349db52df1a0bd3d1957e462755309385ffda4592981c

SHA512
9e30ff6e2a33dc3771444ce0cd79d610423f772f23feb3cdcbd2f284e6a4ffa6af9202b65cd580a3c53d062dc90162970208fbec9c1de097a89fed04ec9b5b8b

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
94KB

MD5
b92b84a046fa5e9ac2bd307b2b0700a0

SHA1
b1923b68cffcfd7f43817a5b9979179f2c614089

SHA256
0ecb2ff81387967f0e7680dd3e37d0f8b3a0a9823fc7c457c867e429382fd6e1

SHA512
9fcbd70bff1a135b6353f998fa2f686dd09aaa623c9d75c823092367bb815e5e80dd141257bf49082e368ec023a9c5472f12d11aff13997e9b9dfaa1b450b5b6

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
94KB

MD5
258436b4b4e8ea121a8eaa0fca2a71b5

SHA1
cb9807ef1b9d00141ba4519c38b0e27d31e5453a

SHA256
fc3f040112806a81e8efa81f5b09a5045ef459e6dcc3a983f3a63a32dc43e69a

SHA512
f15ae9006c7c13ec030f680fba3598d25e55a709fe66d6e3438a87df6a17f7ba520d678665a3227d75d1a213cd4fe530a0ea25bc3e73bb80ee049d4e375568f6

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
94KB

MD5
629ba652ebc624d6c553ce1bd447d712

SHA1
c8fb596a0e87964fbb64cd80431561acbd217933

SHA256
b4f71e6c9fc7e874ef814003d8f77aa95c3329e1f3f2440b9dc1233f7d74ec42

SHA512
8a37991946893b8bdf1676fc9fac9f53fa31a33408a91b8ea3eeb843e09149c40515bbce3a1b3280869473c1a9f0b58dbd76a467108df86146eb0bf29624111a

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
94KB

MD5
e11e25bff71fa8249fc028b3f9963261

SHA1
80de04b7eabe0505a40b7b258e77aa5cc847173e

SHA256
e6dc39d1e8a18cc6bdbe586c7621551b3e7e0f424bf8dbab16f89619524d4002

SHA512
d2ad1a2647fa292c2ca2fea07c99e3965bb6e2cf9debf70c4e2c0173d79d52764f1e569263dd7d4d37ac80a05b03d406debe071e032bc43086a31fa4a8f848de

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
94KB

MD5
c873033d0424ff813124e321bf97a201

SHA1
41d7afd708c1a3357b91fcfc72aaaeb0d71fdd7d

SHA256
f7bb01e2683fc5aeae3257cb8d44559f00f44079d5807701952e197c0b4712b0

SHA512
875f203c8aa1eb9a88167e0d7d4f82e618a795af87671d17c76fadd2ce2b1d3ed8977b4d9416a8351dab1971b54a25ed2b044bfe3526f7cb6eff6933b4a6bb66

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
94KB

MD5
53bee68857fd388be2839a1706437fb7

SHA1
3ef2181f99736f0c09fbb3202422751930b6ddce

SHA256
d8eff178113545b44ae23bf4cb5904d88b7b7a8b1cbafde4c0255cd2ef791d08

SHA512
45f38e2acb41ae136fd3b1b1270f3c1dc4c27501f5a94d88e9bfaa93bd58b0d347c04670f8492ebb297d00eff1917759d7f5fbeb6b4d4f419cd9e5d5c821b43c

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
94KB

MD5
29f741104b8c4c8d32e9ee4f887b9775

SHA1
697f0a87326c6e380d3c7e6efa46b6ce441b6632

SHA256
eea6b150d3b3b00b32f1c33fbfeb2ec1eabd75a09226e11db8ca92fc6c1e322d

SHA512
97bba758d52ff9050189cff6b12fe69b34608eeae3e918016015813408adf611b3e6d6c8d1486033ae72200137d8e6d640a9f7227073d156eed2164c636c01ae

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
94KB

MD5
8e2e78537ff83ef473f6f23fa2f863fc

SHA1
dfbc1a053d9c8cff13869a2efa4b68e33e3ded2c

SHA256
963216ff349888d9d5a56a2944d67feb5400cb58951b1e13bc856181827339b9

SHA512
cac877b3644ec0ae7d8aa106e608d19279afb012d808b32434ff9a5c76ef158801293ef6f4926b1b7d5d3ed87e09b0ba81e464e1a148dffae9d5110aee4f6aba

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
94KB

MD5
f0e00cae134f86242fdf59006e48e511

SHA1
f99a67dd5c7eb0de32636eede0016901d8a8e1e0

SHA256
e0dd7694faf8b6f99e904b96ae6aed3197b38574960539435d1cb0f419ef970b

SHA512
fad5397da09d5a92a8a049281d6f4968cf590215a9441108f95f93ea5f955f9e4014f354392a9f27e43690d395c3e195a81aa34f7143a787786d8307933c5835

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
94KB

MD5
af2fde2afbca0975738de8643bba5a26

SHA1
570ea243a828ed0b4176663662d7b2137937e445

SHA256
58033af81fa1b6a8efa693d2798673da0da067d612beb205ebf6b9cba6082d0c

SHA512
0260656619749a59191e9f75e658835296ff6119cac46e2b0da94a7b152ac6c6aa43881ea7b3f7eb365ab5064190a223ee7e255b7cab50b2019a8c3ea9e65003

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
94KB

MD5
56f8cb1f471d174ff28bdd0649792804

SHA1
06bd248609496ea6ffbc50b99dd7a10d2e692e64

SHA256
0814bf1557a532e5460c2451197d401f7eca17c019f06bd5f852e609a15e2b47

SHA512
7bbb20cdf267beb227da89e24c6fb01969d56902c23b278220c1fe94105ac239516c66fca957e34446a06f1f98ed96164a7278f81d69a11c148315f950e6353a

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
94KB

MD5
9035dd200c118ea132633d6a43b39070

SHA1
e061acb5e0e625023dd85a6ca1b2555461c16d7c

SHA256
73cbf28a63bffbc890962a14149d5bab7ed3dc0fa30b7db3804285a8c137d1a4

SHA512
97e4a253398bddb6eb90c3014f304e40953379fd977acb06b9c88719cc4a5860f9d905b633a83f4b50f82a5962b25b0b99234f96a07bd8327c915312a6fbc27a

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
94KB

MD5
cb66e917056485a0fce3025ef936a9b8

SHA1
618b5dc33e47e52cc790dbcc6c7c5b51e8d9406f

SHA256
c439cc2895871e99cd6650b170118c9778f9a04e83f3b4e73c72faa3a0ab1bd7

SHA512
e8ecd2ae011f27f88bf9cc948240db3cf4363dfe136f2059fe79ab36cc3ad51fda86815e2fe468a1828c0be6b7b77b3f0816acb1defed4b997c54bf3e4d5a924

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
94KB

MD5
e91ccc572cdb34b92380c5f4f192cba9

SHA1
1b5853c9b88deba40e5b997e0ab3ffbd1d71c63b

SHA256
3c17a7db9bbe0da5119c03e7c90ec6d2bf91cb199d4bd8da160cb0ca929f825e

SHA512
ebb891e8605fc61e62a80317460a768bba11411cf0a16dea9ffd4ed226103ead0a01efb083962d921d8f0331c5955ce108373329d0430b593cb0f4f81daebea2

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
94KB

MD5
5887d0b7ed79c33080c58b096eff34f9

SHA1
11f4c42252b28fa26548d28339a69907bd2ff4f1

SHA256
20f0f1a2019d54edac481dca3c03000c31487b2efc408f20eaeb764261b68ae1

SHA512
07f6ffbf5261434f83ab7de79f541efaae7942266ce58583e5076c4cf763b8ba76365da822a14b2b2059aaa0a76a8ffa3a0d7414d5c989342738b13e431d7598

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
94KB

MD5
26a4a72d3298a1c6514d27f78566679b

SHA1
a72c57c31fdec1bb05da5e1edc05cb9ebdeb16db

SHA256
7b628a8a8a6b181bb9e9505ea1d0369988ba1fe5b5695be664a4ee6fddae098c

SHA512
8073b75b96d3bb409a0233f52fde2e088a55c540d62eff993ddbc7436287743d4c614e5bb0720c91c8e1f7e35229b2a263c9008420b9167843aec4eefec4a210

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
94KB

MD5
d3208eecc0609b2d5414d1aba73ca42d

SHA1
feeee038619ec3e41bebeae69d23d9137e6942b9

SHA256
7c63f7587128657d9eff4a9793d97a5bc981e41f72edb438dca24595dd91df01

SHA512
d2af039878767b9f83aeda75ac71144edc16a3660322e12b7fa80f7d5b52f17d8819bbd85081cc38055eaa1bbbcbf1ad32c8ffa8d6aba1eb1e9a150d72647903

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
94KB

MD5
acdc78a85a1cbe800830e11fa34e0634

SHA1
1eeda52601bbba392164eb6b9b4d4e40fa917014

SHA256
25e72fda1c17abc5a62b792fc50fbd4f2e76c815523c64bfda575b8c38a91f42

SHA512
782e98ff205d40bf972186bd1662d7374145d6c0f316302c115ed5ea4ad8718c770442dddcf7b69c4422fda51eef378f87637a9db416d4d425daab591c8e1e5f

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
94KB

MD5
5be8ce19b2546645d58edc0c10be6b6a

SHA1
5a99d518e7f0dd732a91dd56735408c5acf29120

SHA256
8e1a755795f0d1288bca8e0b24713974e9e437e2d835977d6417284f753b1f65

SHA512
dea01578faca30a042b30ec334986276d94b07302c1621787925a6bc81db19f9010c82c62fbe5779c5d57ce60ba0a1be67a2bc38564b02ff2fc6aef323321104

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
94KB

MD5
f34e48c5f2667ed9971299d9ded59f68

SHA1
b6073e458efd64e89bcf23f4a7ce60112c91f804

SHA256
5889b91b0c4252908035a93b1d86d6d3e92146416ca139adfa1873d8bdff1992

SHA512
4ca1582df5f37d078d51c6176fb406427c7de3fccf0ccb59f8e055d4796a15daff76e7710242b88b3f341383e38bc9fd29c39c50b8fa18020367114db1e570f0

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
94KB

MD5
ee65bd8d16e902d02eee3b722b3757a8

SHA1
87137b87cbde5f3a48146ae8a7d5854eea197ea2

SHA256
3a9f6946c1719c98f375e2d4ffd97b329fd205523b510cf20446283281187b99

SHA512
105e1864176304f54e9df0e8fe9b7c1573a10a59b47bf54102f68a5f7831a5432295c8778fb0f0fbbaed910ecbd969f4e8187e8e9815a4b2ec0563e29b991725

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
94KB

MD5
d9c9c6deb6a5844978e21d2ce3da0d91

SHA1
8543585020f089314d6b2805a71ba159826d630c

SHA256
b3de87ef81921eeb246e6ce16796fb8a320cb42d9ec926134a7c336c04483dbf

SHA512
66d3d85a5a8f368a573955db15f24b9dbddbb8f9a341e08034c8a911e336078a69dcd2556963adb9131af5230d3abdf980ee5357984156e3106e07fb395d8f71

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
94KB

MD5
12d0cdfde37bf63fdef2fe95cf3118d1

SHA1
5f0ac06e4bbf0713653f02b6cd078ded4cc3587c

SHA256
582510204177a60e3c4c0707904cda2a7b0fab64a217373524c8e31b1749963d

SHA512
0e73cb395a04045034d4644740e49efb616e13dd212a620dd3e685413e14fc1a53fe564a5ef87eb84fa5fd412fa2ff8aac89aa18b025ddb3fcba0551b31f2b49

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
94KB

MD5
5f78424a6e3e5631012b8364513254ae

SHA1
93780d864aa1d3e64f47c454bfa3401d09070573

SHA256
b1f7770004697d0882cf414412531e8e51e4350ab2632d949b772464706d794e

SHA512
7b896505e6cfcbe56543cc321a27fda5362b246dc9402fd3aeb6da9367889f425ccf0f580d36809821f3a6630cc25ebc72c54ca1d7281b5b793657d630079c53

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
94KB

MD5
5f6084747286da841e5b3e023065768d

SHA1
1743d228fb00f6b96f6c3a23415419068acd6bd8

SHA256
503e4b20b5dc7b3db173080cc23ec8095cf6fdbc662c5efb262cdfc0ce0b8a19

SHA512
e27a78ce284a7e908606c3017648f11ef391ec13d1f45d05dec1f227084d6ef9d36beb434ab453dd37c14071e327a0979834d3b4ed6c117e2dbe88f2dfdb0bed

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
94KB

MD5
3bc9310a00f7c1c62effb7b9b9094a69

SHA1
bb42e31f2b0d76749252cb2426702aeda93dd309

SHA256
febe892d3b8a18f4f3d37e6e4fae55121c1711a2d2f8c8a8daa74c7d3fde157c

SHA512
3b175ca12c18e2a26e9af8019763f855a279df4782fe148ad892890ca125c04cd62ea104c6762161dff52a2e978c90444ceb786c0f2c703f9bfc019ba8264ece

Download Submit
memory/220-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/396-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/396-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/408-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/432-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/432-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/636-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/732-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/732-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/760-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/760-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/844-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/844-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/868-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/868-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/952-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/952-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1200-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1200-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1276-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1276-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1424-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1432-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1432-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1516-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1516-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1608-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1620-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1620-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1664-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1664-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1664-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1916-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1916-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2180-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2180-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2336-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2336-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2492-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2492-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2500-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2500-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3228-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3228-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3280-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3280-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3428-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3428-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3492-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3544-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3544-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3564-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3640-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3640-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3788-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3788-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4080-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4080-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4172-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4176-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4176-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4336-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4380-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4420-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4420-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4864-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4864-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4972-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5024-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5024-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5076-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5076-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads