berbew | 546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d.exe
Size

80KB
MD5

d983ac76dd59e1bb688c510c77f64fab
SHA1

ce602fa1ed256e20442c47b92351b167c6a5d1d6
SHA256

546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d
SHA512

11bab0b17a34e79282df2b7b0464fbdab9ecd4650e810763942595396a24abaad70083ca2c20ad48311fb8253b748b556695d64fb517883144c1c860f1f66d42
SSDEEP

1536:sMfKkgU2Q/nKkIaJAv99+t2L7J9VqDlzVxyh+CbxMa:sMfGRQ/Kkui+7J9IDlRxyhTb7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2764	Pqmjog32.exe
3804	Pfjcgn32.exe
1272	Pmdkch32.exe
4332	Pcncpbmd.exe
2636	Pjhlml32.exe
744	Pmfhig32.exe
3776	Pgllfp32.exe
1232	Pjjhbl32.exe
2468	Pcbmka32.exe
2368	Qdbiedpa.exe
2940	Qgqeappe.exe
1048	Qnjnnj32.exe
4848	Qcgffqei.exe
2024	Qffbbldm.exe
4128	Ampkof32.exe
3476	Adgbpc32.exe
2252	Afhohlbj.exe
3976	Aqncedbp.exe
3756	Agglboim.exe
1832	Amddjegd.exe
4984	Afmhck32.exe
116	Andqdh32.exe
2752	Aglemn32.exe
4428	Aepefb32.exe
2828	Bnhjohkb.exe
1824	Bagflcje.exe
464	Bcebhoii.exe
4312	Bjokdipf.exe
1744	Bchomn32.exe
4360	Bffkij32.exe
4320	Bmpcfdmg.exe
4840	Bjddphlq.exe
4856	Banllbdn.exe
1240	Bfkedibe.exe
2980	Bmemac32.exe
2520	Bapiabak.exe
1236	Chjaol32.exe
2044	Cjinkg32.exe
1944	Cabfga32.exe
3164	Chmndlge.exe
3032	Cjkjpgfi.exe
2936	Cmiflbel.exe
1708	Chokikeb.exe
4948	Cfbkeh32.exe
3432	Cmlcbbcj.exe
3584	Ceckcp32.exe
1344	Cfdhkhjj.exe
3320	Cajlhqjp.exe
4784	Cdhhdlid.exe
4804	Cffdpghg.exe
1156	Cegdnopg.exe
4572	Ddjejl32.exe
4340	Dopigd32.exe
2240	Dhhnpjmh.exe
4896	Dfknkg32.exe
1960	Daqbip32.exe
5040	Ddonekbl.exe
5052	Dodbbdbb.exe
448	Deokon32.exe
4044	Dfpgffpm.exe
1760	Dmjocp32.exe
1848	Dddhpjof.exe
3144	Dknpmdfc.exe
1968	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3152	1968	WerFault.exe	149

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 2764	4232	546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d.exe	83
PID 4232 wrote to memory of 2764	4232	546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d.exe	83
PID 4232 wrote to memory of 2764	4232	546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d.exe	83
PID 2764 wrote to memory of 3804	2764	Pqmjog32.exe	85
PID 2764 wrote to memory of 3804	2764	Pqmjog32.exe	85
PID 2764 wrote to memory of 3804	2764	Pqmjog32.exe	85
PID 3804 wrote to memory of 1272	3804	Pfjcgn32.exe	86
PID 3804 wrote to memory of 1272	3804	Pfjcgn32.exe	86
PID 3804 wrote to memory of 1272	3804	Pfjcgn32.exe	86
PID 1272 wrote to memory of 4332	1272	Pmdkch32.exe	87
PID 1272 wrote to memory of 4332	1272	Pmdkch32.exe	87
PID 1272 wrote to memory of 4332	1272	Pmdkch32.exe	87
PID 4332 wrote to memory of 2636	4332	Pcncpbmd.exe	89
PID 4332 wrote to memory of 2636	4332	Pcncpbmd.exe	89
PID 4332 wrote to memory of 2636	4332	Pcncpbmd.exe	89
PID 2636 wrote to memory of 744	2636	Pjhlml32.exe	90
PID 2636 wrote to memory of 744	2636	Pjhlml32.exe	90
PID 2636 wrote to memory of 744	2636	Pjhlml32.exe	90
PID 744 wrote to memory of 3776	744	Pmfhig32.exe	91
PID 744 wrote to memory of 3776	744	Pmfhig32.exe	91
PID 744 wrote to memory of 3776	744	Pmfhig32.exe	91
PID 3776 wrote to memory of 1232	3776	Pgllfp32.exe	92
PID 3776 wrote to memory of 1232	3776	Pgllfp32.exe	92
PID 3776 wrote to memory of 1232	3776	Pgllfp32.exe	92
PID 1232 wrote to memory of 2468	1232	Pjjhbl32.exe	93
PID 1232 wrote to memory of 2468	1232	Pjjhbl32.exe	93
PID 1232 wrote to memory of 2468	1232	Pjjhbl32.exe	93
PID 2468 wrote to memory of 2368	2468	Pcbmka32.exe	95
PID 2468 wrote to memory of 2368	2468	Pcbmka32.exe	95
PID 2468 wrote to memory of 2368	2468	Pcbmka32.exe	95
PID 2368 wrote to memory of 2940	2368	Qdbiedpa.exe	96
PID 2368 wrote to memory of 2940	2368	Qdbiedpa.exe	96
PID 2368 wrote to memory of 2940	2368	Qdbiedpa.exe	96
PID 2940 wrote to memory of 1048	2940	Qgqeappe.exe	97
PID 2940 wrote to memory of 1048	2940	Qgqeappe.exe	97
PID 2940 wrote to memory of 1048	2940	Qgqeappe.exe	97
PID 1048 wrote to memory of 4848	1048	Qnjnnj32.exe	98
PID 1048 wrote to memory of 4848	1048	Qnjnnj32.exe	98
PID 1048 wrote to memory of 4848	1048	Qnjnnj32.exe	98
PID 4848 wrote to memory of 2024	4848	Qcgffqei.exe	99
PID 4848 wrote to memory of 2024	4848	Qcgffqei.exe	99
PID 4848 wrote to memory of 2024	4848	Qcgffqei.exe	99
PID 2024 wrote to memory of 4128	2024	Qffbbldm.exe	100
PID 2024 wrote to memory of 4128	2024	Qffbbldm.exe	100
PID 2024 wrote to memory of 4128	2024	Qffbbldm.exe	100
PID 4128 wrote to memory of 3476	4128	Ampkof32.exe	101
PID 4128 wrote to memory of 3476	4128	Ampkof32.exe	101
PID 4128 wrote to memory of 3476	4128	Ampkof32.exe	101
PID 3476 wrote to memory of 2252	3476	Adgbpc32.exe	102
PID 3476 wrote to memory of 2252	3476	Adgbpc32.exe	102
PID 3476 wrote to memory of 2252	3476	Adgbpc32.exe	102
PID 2252 wrote to memory of 3976	2252	Afhohlbj.exe	103
PID 2252 wrote to memory of 3976	2252	Afhohlbj.exe	103
PID 2252 wrote to memory of 3976	2252	Afhohlbj.exe	103
PID 3976 wrote to memory of 3756	3976	Aqncedbp.exe	104
PID 3976 wrote to memory of 3756	3976	Aqncedbp.exe	104
PID 3976 wrote to memory of 3756	3976	Aqncedbp.exe	104
PID 3756 wrote to memory of 1832	3756	Agglboim.exe	105
PID 3756 wrote to memory of 1832	3756	Agglboim.exe	105
PID 3756 wrote to memory of 1832	3756	Agglboim.exe	105
PID 1832 wrote to memory of 4984	1832	Amddjegd.exe	106
PID 1832 wrote to memory of 4984	1832	Amddjegd.exe	106
PID 1832 wrote to memory of 4984	1832	Amddjegd.exe	106
PID 4984 wrote to memory of 116	4984	Afmhck32.exe	107

C:\Users\Admin\AppData\Local\Temp\546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d.exe
"C:\Users\Admin\AppData\Local\Temp\546b9e27bf3530a4398cbaa12d5716f4883e899e52d398cc4a162be720234f3d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\SysWOW64\Pqmjog32.exe
  C:\Windows\system32\Pqmjog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\Pfjcgn32.exe
    C:\Windows\system32\Pfjcgn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\SysWOW64\Pmdkch32.exe
      C:\Windows\system32\Pmdkch32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 404
        66⤵
        Program crash
        
        PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1968 -ip 1968
1⤵
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
80KB

MD5
1a14d5e635c32f0b5c22d0153f5b7c01

SHA1
5b02525cca84a96c8560f95caf2ca80ff18a08dc

SHA256
0bdbfc03fdec00bb5fab6c6baa33ae8b1013e0a25631fb633d1af7aa80a0a283

SHA512
72585969076dbd83ebb8c00a4ae21447a7fc193797d90493bcd34ce1476dcde6ad4d1b31e937a3489faacb2f6d612a2fef94e7dad4576c11860cc7047a98f4df

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
80KB

MD5
fe2d62c0a270da3536edeb02b6fafaae

SHA1
c1fdb97edf01ed0e9c8f124030f5f12ada85140b

SHA256
5064c4755931ad0552d2871b6814086d4afaa8bfa1c5823c839f58afbb18bc98

SHA512
c7ee8a1cac7c846f20882661ea713089e41768b2a26dfe824cc5ebda3c8a2e4032d34fab90bb0f2fcd20f9b204b59941aa89013269dcfd5bc87b477580284444

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
80KB

MD5
6373913cb11eaba595d4e4db91214ba3

SHA1
1634c52b67b0ea4dae162b7d0299e3bee6d4d662

SHA256
52ec123912b557ecf5c598baa0780ae4f7ebbf117385c95a68f1d00a895a8b8c

SHA512
5fbbb7b2b3e1c64d0370e01b2d630a99520dd0804dba0c075329d0bc13e5b21a1ca84b869e14c0075bdb6eb6a57db84dd3d07b825727b376c4a33ea29f8f75bd

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
80KB

MD5
c9f2c0d78f6cca1f2d3826643fc7b605

SHA1
bf1af797662bebce737d315f122975a6b84837d6

SHA256
251ebee3ca293146e4b42b75d94958ff17858eb7139d72fa82915fd65ed5cd12

SHA512
a20b0643e93c7efc2fc4c933bdf1100307bd8cab58ac9794854c1c7e88c8792c3b3199dedbb759030c4559cbb02082d3f249b36543a8ad7c02fcb59a06535a97

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
80KB

MD5
b50d2abca5fe12fe0c906cfd2acd024f

SHA1
7abedfad42e21d96e7f1699accbf9f4ebe557872

SHA256
a9f44d0c0d7c00f3b71af700ae14bd18e8d69bc91f46ed201f235d84aea704be

SHA512
95c2fe3bca97aa068a4b405a6721f3ccb3b38f36758580c96efef85eea98c65f12e4831f6d9c97ebb0c0b5fbfa61df287f4772b0392a9ad1996b8b36dd177eeb

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
80KB

MD5
ccece9582e32c56330dc9a7fffbca5a7

SHA1
b03a140be413f3a8299f48529bc6e7b7aece6553

SHA256
b47cf273406d7b5c89652e94bf5e27c2ef70199b80488e199db52a9580aadbf1

SHA512
bbf280929cf4f463c9d1bc3e78a1d1e6781660a510da8d970fd2280711cd5d07af41424cce4aa41becf4e3c7577d6fb69a7abe93f908ae560f81cdf4f6ec7aeb

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
80KB

MD5
c261c11e74cfb8e67a86fca21abbd71a

SHA1
09b61038e9011a7305075bef633e82d8193162a2

SHA256
0cba7e8949cc529efcc3796dab6c64e08b2e62743222aa409aff0bf1a7eefa85

SHA512
f5ce4182722cee1a79fa57744da072bb3bee255f6191066e8cdd90833e217c20683716a7d1526936a3abe8d80f637ac2188f9da490c2f3dc709c38c1bde3cdd2

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
80KB

MD5
9731a86378a2bcd243a8c7643cbf1d5e

SHA1
688db65c34af757abe649169a85e55c4808c6803

SHA256
b0a088537657644806f08071efc3fd1109996e57a5f4341316df73dd92b4a17a

SHA512
a2325c52017c23011dfee876bbb2c2e386f96b3382a2f4255060355768d6c2334b7d7d7f6075f17005a331c6c5f3e5c2804cf5cf8a907ab911e8f7853524ad41

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
80KB

MD5
892ec1326da340ee12d55502ae80ee9a

SHA1
3f10f0849f8ca9e778df482c5f17543a22403723

SHA256
9dd8d611f8d5f34232691d99011b6b63f2b2b7b4db1bb9978fe7fc8af3fd9b42

SHA512
5868c7818cdbdc6e809d8ea8d681275d58638ccf5cc392219bbcaa4935259c2654dfdb031c956c0f2cabcaaaeec08807856202bf540a3957128e14ebac94392e

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
80KB

MD5
f6b45e9aca357dcc743b608edc49392e

SHA1
d3162cc2c99722e862f45b4012a22924b52132e4

SHA256
8badf593551d50f1f9773dbcec2fc779f42abb97d3880bb3c32169732ab9a775

SHA512
e8e20706b58ae0e25890b1e79ae865b7464dfbc4c60428cd5fc61e0fdfe9f8da9ee0914dfa46b521c9a27b965795270f3ee0baf980107eeecf8c79eb8660f99b

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
80KB

MD5
117ffbbb1a5e60f3fd5f41f51e718edd

SHA1
099ec162ca3b9c3b93c22cc1d3b1223341428227

SHA256
23b235d64dd0b078fb58b9771486e1beefb25ec8c39260790597f423c217851b

SHA512
25ad1ba686ab688e3fabd575cb562e6a296dda31c26a3afaa6ac00cfa69860b046b9d36a657e6c9b870eb23da55741bc323df899e6b04ce19d2914799fd1401e

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
80KB

MD5
cffb5d934f53628f97c2c2d2ded1e18e

SHA1
8c87fa4ab39c46061bfbee7a1e4fb29c4b3f2164

SHA256
f303efd6fa8e1da516a96def6d97eb6aba44b53e48fa202c757e3c85f501f8f5

SHA512
c2c0f58e3722febd33b45a89da6c60a16d6513c6713fc3c5631db8242b3a490797434e07de1c54379e4f2abff86c7206ec245a8862575aa50d06e97c03043771

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
80KB

MD5
162b7ba0e1e7ea9655d34f2638f90e65

SHA1
d183351730617c40836907da40630fbcb77f734d

SHA256
295c2f33eac66094c80234ba21e3dc2649563b25d1402f16f40144d740db4d58

SHA512
4a525bcb3156ee8a9d13ca3766b7d279cbf5e4496cf7625b09f77d862216a7bb688e2a72ca70cca5d15d59f006bc44d369c9ebd2e4c94356a50518528f9e180d

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
80KB

MD5
38b98a34cd9fc6edeba5d7297057c71b

SHA1
e6876dd04d1ddf8591e1d281c76c634387306271

SHA256
4c26ae61f0eaf5909f7712743a0be4702ab98a1e93cf2ed17ab3d344af653c11

SHA512
7622b5de58d8747fe98cd318266b6a0e4dd751382909730917b5d9dbcdee41743c6a1278ae0a724f221addd97fdd56e3ea88cc8a7599a54df281849f7cd6e1b4

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
80KB

MD5
7ae768041428d34794981dd7b1c2f5f0

SHA1
db0a8492651a354e1d38c0dc8f95ab8a517cc403

SHA256
d0de0034d4cb2f690524684a8bf0d1f685dc96fbd95b8e477293bfc621b18d6f

SHA512
1025ae61022cff0c6c061340db40c8ec7ee07310d42bdb6a70afb8ae69958c26b8ed0c3b7910cf6ce744192f3fff84385ea1baca2b672dbdab8a04ac7547c9b1

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
80KB

MD5
6f54ffd3a553226fb2b5d247320a76c1

SHA1
415bc536741075652e06172b7294b7c85bf30be3

SHA256
f70dfa3b7fd99523244b564144d3b8d625ea08564bc4cc6f97b38526a16dac84

SHA512
0a695a98718da5c5ed782a7dbd46fa27107c9fe6a6cf5589bff68fd2b41c4073a94f9338bf2c101baedb3449a5273a45b3790abdaff681a2959c824db3d12b9e

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
80KB

MD5
390b9e635df5999e2fd4d155e7f13eba

SHA1
6624f71f1d76b92f6866e1f76665745003445a07

SHA256
13d1b5c80486d1c197f11e886b3ca305a97261eb8fc422acb13421e75fc625e7

SHA512
ea42edd27e196c557f0aab6b7478717c57d7e21f4f44c87879ccc8ca39d6fbc6e9a6084f53cfece69bdfa3623c8501b1419f666baaa77e8573bed060b43a5afb

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
80KB

MD5
4bdab84f186961893e4bab1b1a6fd006

SHA1
7cf572dab89eb8cb2a858cf995572650a45d1cbc

SHA256
772b2732b59f72a52212c67659c8f7da198af92dd5cf36b32c71500a416c9b86

SHA512
c7478db5406b7a3037736042d17aa64a20ed4fe98634c8b869f3081c74b8b9c854886efa8a8d215484952c4cf414b0b2cee8a7c0b12b0b3a86eb58b8da277aad

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
80KB

MD5
507983b52042106e28bca4c3621583bf

SHA1
fc94dc374bb8493885206fd09af09cfc7063e705

SHA256
91fb34d4cebe41f115ceb3f3490b74210c699c502b11948615a8db8bf52ea960

SHA512
eb1d9db0bdc1ad8d4d4c9a30d8bc8db783b6734ae4702d0f72d616a7bd8d1a4a2f1b7612c84851b6708c23455f51ab5293ec51a62fc7386f8d2d7b308cee0a5e

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
80KB

MD5
4163e7c7b08817f7343d842dbe8d0054

SHA1
d422f3d47a586f0a1b3472c48c2f8e44411c9336

SHA256
4c1375411f9ec561fb1a0efcf3bbe3b876d29fcf69326c2048e92bfef74f201c

SHA512
f853877124c81aa3583412b77436f9466d367214e343c99d82c92f51d117e4b52a9d6809260d9a7467fa7dd895d22471650a0cffbbe67ca707149c83ecb74afc

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
80KB

MD5
db8276cc09b52881438e439753fcaea4

SHA1
56c05f3089c4345530e65997a5e581c9538471dd

SHA256
92cfc03719655467e5e7bade0c6e871e3ed39ae94bae9cd7d8c6edf3970e2fbe

SHA512
61596480e51c66ba0afe3f2a4d14b5532a0a4a1b7701d949421b07f0303de7f919846410e985d0e43d084aebddca34fd35e82ea1826fc2c5b02bc9bc6c838c96

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
80KB

MD5
238a727f97f27fde1218ac5a2a07cb8c

SHA1
c3792161cf5434b9a1dce1c46b876a7bdc5c5c9d

SHA256
a3ecd30c88acab5b3b18ec179cf8b97dfedf497cc26a8dd758d7b64b4c0b49e1

SHA512
a53b8d508ab229f2fd0da21c1b96a17dd3f0d12f8a6043e17143b1f1520cc2036e95df232ebcbb17cf9982574b2b77f647fb112d82c531a4afaca08c84fb53b2

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
80KB

MD5
0c3fd2d95f97bc4434996cd773170a6a

SHA1
4427183d76f8fc37b2165db83335b932c8a7cbb5

SHA256
0d9685270e87c0f44c819356977d84c7fceff497d30214793849b4cf52dfc67e

SHA512
1fdc65fdb3994d1a62a8732365319b8a0eed06b5a57e8922d96ad7cdf99160ec90149db809a714726ecbfc5a0a69619c21a92b93d3a467aa2a0ab85941c2794a

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
80KB

MD5
08e5e70a14cee703337c66a017123c9f

SHA1
9ccefd6a8bd54377068b5598963b1a5ae5443859

SHA256
bca4af5cfb52a67234f63054417657ccaa112edc8fec2f845e0d9d3135fdf69b

SHA512
a63749f9eec27bc233d02529b32bab329207ef379dc2dbbe8c4f762e43e5736cb07b5e369538d147dda363ac693297670b3df5ac596b1a0cce58cdf45340cccd

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
80KB

MD5
10ab3a7cfe33f0168d9c1048b89b1763

SHA1
566d9b4104c0e9d495b2c9a942d7e42f1292a2a0

SHA256
505cb222ceab0f005e293069a8353f58fc7f60a7005eecbe02dec9996fb1c087

SHA512
ecd9f8fa3c1400a0a98f964e81a12c1871a1c5a598da44a095a391615167f566a8c81c76717c8eb89a414fa61b4de58192be268720479ac1e8727e9a3c2e6bcd

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
80KB

MD5
b8184dbf300f0968e955bf3403894ad4

SHA1
202c0622f612815962963d859c7c3e2b928b35c2

SHA256
147fe335c45f7943b0bbc80ec4e35cf5bd3bbf9a8c856fd190ac1c9d663700fc

SHA512
3178bdd5e82eeab296124d37e289c7c39dbf47c5d624ac7c8bec317e35e2465fae72ae6cbc5d3e62a2395bd32ad65cd9f5afbc689d61aae903e8e296a0e1da12

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
80KB

MD5
1435d440bcb1e7034dfa9472294f37d5

SHA1
ca1e6971d79a2a09de0cf9c8e3ad7932371f0c95

SHA256
1830f416b772a24a0e632a0d2b54379d97eb5fbc9ece2d127540b28ea3600c4d

SHA512
061a9927cfd7b4f7dcc7a0f5e17266fcda4dba0ff6fe4b3209372a0f4322855df23f0d307eb4551ef582383a146a186dc6595df880f712f5303dc628635a8686

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
80KB

MD5
d0b6054ff1683af93dd2e2f6963cb6fe

SHA1
f1f3807eba02050ef1911343f5c0ee2e0c828527

SHA256
62ab04c8feacc5fe41f325cdbfc1ba17a2a5501e18a06f7fe02c66d8ba531cc2

SHA512
839d649fdd290df10c03a95039fcca4f2630943728cb8cd07b3f3500afba80e322718f23b5892dc03113fe9ad8b419f93d9af07ec84bfb1acad6ab9f987e2c0e

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
80KB

MD5
0a50cbe8132e47515d771c70db62f2ae

SHA1
c206899e933ae20b135db44c727af4dd494a661a

SHA256
6ef48e40a044e227dedbf22e05eab9685f011a612b7fa4d9723e5eabaf440f25

SHA512
8343343ebda2d2457af229618056895d7282fb7958adc248d556d7d44075e56ce19de2f551b1f9ad44328c313a251c2733ae29f5ae6a93244e3e13d7bdbc8091

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
80KB

MD5
fba777931bd0eac2c86e882258ab74aa

SHA1
5d3141a2e97d243118f39f7eb57b478b72dcfab3

SHA256
940a79fd5d0584562f0175f1e332f80d21fbd96ef479758aebdb3847268d4c51

SHA512
c18d85f9e64d84162165c280c074986d4aa9abf03eced190a333238cce7b08d7258171c7095a41f53cdae5df6175bbbeb58fd3223e6a490e862724531a327f23

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
80KB

MD5
75ea470d67b992c3706cfd0df450d37d

SHA1
05bc63b27b54c0507c2e173853bc4c6a9ab019d9

SHA256
e71dda4483c2d8714c856b0e13b7cbb7e32178a12fbbfe997235ea23d960a828

SHA512
ff8847faf7cc2d6c987f2d9bd19cefc21965789d90fb34338ce70f1080434aaf59276cf49a2c5192e41e8be8af82ea173ba56b94d9418aa5678df55b2b477436

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
80KB

MD5
bebe9ba66fe3e9b8abd4f8d1d8303d19

SHA1
959124e0f3c10cf8c0fe26d023fbc666f0257436

SHA256
d9bebc909a6f4f34fb6d6b03bdf173cfb2e5b166aef5c89f7ae9672cdbf2c216

SHA512
1e52259b2f4f4e058f5da9501ba453f180ca1708ebbb6e55cfecdc355847a9e55f3845379c44a31c31beaf6a70268e0a10f5cdceb781c3fdf61a01ca83edd038

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
80KB

MD5
11d4344d048817ed7143ca4d5623dba0

SHA1
bf72289ea75dfa4169df305fb99f4cb75160b4ab

SHA256
e6c5e3969f4b1a6985e5af0c2dff36811b1d48bb0b57165067b981faa3d5b767

SHA512
bb54e50dab63b3684325125952457db16408dd893f8063a1e9453e016de4626a5aaa4260c5a12297e56dce8fd42122002a66596f5b2f6b4fb181912989fb842a

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
80KB

MD5
f2f1814590530945f8040c15333d02ab

SHA1
7e411c4dcb97f38df3c3627430a5c2af176a2d85

SHA256
7ab44145412fe762f605d8b5f8e3150ba63d961abb3f24665ee2ecd04591eecf

SHA512
c9bbc53db2e44a54efea14f07e9350c3cc155634b81e86ad7cd1d86542dcd4ea806a158db6946c69c845679652b61e1aefd84bb835d197e4c1e5eb8781cf6fb7

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
80KB

MD5
d96638cda119046b6ab721f4ac5d7d11

SHA1
1d0c7ef3f188e67d980d2ca523c8d167bddec77e

SHA256
21ee6f90acc45f9e88469b85aa3a568ff5496ad9beb5cc765ae0f26e65507e32

SHA512
2a465507d706b4d60c7508650649368834a811d920e73634d381fd702b60f1153bb307db50a36f5a411cfb52b632bd3566bd37a6eb4c0d5a4262d663a27fbe3b

Download Submit
memory/116-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/744-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1048-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1232-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1236-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1236-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1240-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1272-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1944-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1944-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-476-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2368-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2940-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3432-469-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3432-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3756-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3776-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3976-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4128-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4232-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4232-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4312-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads