berbew | 33ee889dc622e082013c8c78702e9d349fd0e637600df4ef93a1e75d228627bb

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33ee889dc622e082013c8c78702e9d349fd0e637600df4ef93a1e75d228627bb.exe
Size

163KB
MD5

c8ee279de2a6d57986141db5a0099a87
SHA1

87d69fad7447a5b08570c211a4f2a8802c22cc45
SHA256

33ee889dc622e082013c8c78702e9d349fd0e637600df4ef93a1e75d228627bb
SHA512

11fc90172d81c9dc6accd47ed645eb22aa88df5151e848c12135a10d35d207fd8cecc85d3587808a121eeac48e7f8405fdc6d5ddb6ae527ea9eeb78554fc83f8
SSDEEP

1536:PG3z/OVId/ODtZWx2vSVgmB9aJ4lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:V4Ope1g94ltOrWKDBr+yJb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3924	Ogkcpbam.exe
3128	Olhlhjpd.exe
2240	Odocigqg.exe
4580	Ofqpqo32.exe
4704	Ogpmjb32.exe
1052	Ojoign32.exe
464	Ogbipa32.exe
2156	Pmoahijl.exe
3124	Pfhfan32.exe
3000	Pmannhhj.exe
1900	Pjeoglgc.exe
1428	Pcncpbmd.exe
2696	Pmfhig32.exe
956	Pfolbmje.exe
4348	Pdpmpdbd.exe
5088	Pjmehkqk.exe
768	Qdbiedpa.exe
560	Qfcfml32.exe
2424	Qmmnjfnl.exe
1460	Qcgffqei.exe
3520	Ajanck32.exe
8	Aqkgpedc.exe
2332	Anogiicl.exe
5020	Aeiofcji.exe
1128	Afjlnk32.exe
4408	Acnlgp32.exe
3148	Aabmqd32.exe
4512	Aglemn32.exe
2704	Ajkaii32.exe
2508	Aepefb32.exe
1152	Bfabnjjp.exe
5004	Bagflcje.exe
896	Bebblb32.exe
2168	Bnkgeg32.exe
648	Bchomn32.exe
3892	Bjagjhnc.exe
3692	Balpgb32.exe
3664	Bfhhoi32.exe
4960	Bnpppgdj.exe
2060	Banllbdn.exe
2072	Bfkedibe.exe
2740	Bmemac32.exe
440	Belebq32.exe
2652	Cjinkg32.exe
1620	Cdabcm32.exe
1388	Cmiflbel.exe
2412	Chokikeb.exe
652	Cjmgfgdf.exe
4680	Cmlcbbcj.exe
1652	Chagok32.exe
348	Cnkplejl.exe
4708	Cdhhdlid.exe
1440	Cffdpghg.exe
1700	Cmqmma32.exe
1556	Ddjejl32.exe
3808	Djdmffnn.exe
2624	Dmcibama.exe
4812	Dhhnpjmh.exe
1032	Daqbip32.exe
4332	Dhkjej32.exe
3308	Daconoae.exe
2616	Dfpgffpm.exe
396	Dogogcpo.exe
1936	Daekdooc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	33ee889dc622e082013c8c78702e9d349fd0e637600df4ef93a1e75d228627bb.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	33ee889dc622e082013c8c78702e9d349fd0e637600df4ef93a1e75d228627bb.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2912	636	WerFault.exe	154

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33ee889dc622e082013c8c78702e9d349fd0e637600df4ef93a1e75d228627bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3924	2944	33ee889dc622e082013c8c78702e9d349fd0e637600df4ef93a1e75d228627bb.exe	84
PID 2944 wrote to memory of 3924	2944	33ee889dc622e082013c8c78702e9d349fd0e637600df4ef93a1e75d228627bb.exe	84
PID 2944 wrote to memory of 3924	2944	33ee889dc622e082013c8c78702e9d349fd0e637600df4ef93a1e75d228627bb.exe	84
PID 3924 wrote to memory of 3128	3924	Ogkcpbam.exe	85
PID 3924 wrote to memory of 3128	3924	Ogkcpbam.exe	85
PID 3924 wrote to memory of 3128	3924	Ogkcpbam.exe	85
PID 3128 wrote to memory of 2240	3128	Olhlhjpd.exe	86
PID 3128 wrote to memory of 2240	3128	Olhlhjpd.exe	86
PID 3128 wrote to memory of 2240	3128	Olhlhjpd.exe	86
PID 2240 wrote to memory of 4580	2240	Odocigqg.exe	87
PID 2240 wrote to memory of 4580	2240	Odocigqg.exe	87
PID 2240 wrote to memory of 4580	2240	Odocigqg.exe	87
PID 4580 wrote to memory of 4704	4580	Ofqpqo32.exe	89
PID 4580 wrote to memory of 4704	4580	Ofqpqo32.exe	89
PID 4580 wrote to memory of 4704	4580	Ofqpqo32.exe	89
PID 4704 wrote to memory of 1052	4704	Ogpmjb32.exe	90
PID 4704 wrote to memory of 1052	4704	Ogpmjb32.exe	90
PID 4704 wrote to memory of 1052	4704	Ogpmjb32.exe	90
PID 1052 wrote to memory of 464	1052	Ojoign32.exe	91
PID 1052 wrote to memory of 464	1052	Ojoign32.exe	91
PID 1052 wrote to memory of 464	1052	Ojoign32.exe	91
PID 464 wrote to memory of 2156	464	Ogbipa32.exe	92
PID 464 wrote to memory of 2156	464	Ogbipa32.exe	92
PID 464 wrote to memory of 2156	464	Ogbipa32.exe	92
PID 2156 wrote to memory of 3124	2156	Pmoahijl.exe	93
PID 2156 wrote to memory of 3124	2156	Pmoahijl.exe	93
PID 2156 wrote to memory of 3124	2156	Pmoahijl.exe	93
PID 3124 wrote to memory of 3000	3124	Pfhfan32.exe	95
PID 3124 wrote to memory of 3000	3124	Pfhfan32.exe	95
PID 3124 wrote to memory of 3000	3124	Pfhfan32.exe	95
PID 3000 wrote to memory of 1900	3000	Pmannhhj.exe	96
PID 3000 wrote to memory of 1900	3000	Pmannhhj.exe	96
PID 3000 wrote to memory of 1900	3000	Pmannhhj.exe	96
PID 1900 wrote to memory of 1428	1900	Pjeoglgc.exe	97
PID 1900 wrote to memory of 1428	1900	Pjeoglgc.exe	97
PID 1900 wrote to memory of 1428	1900	Pjeoglgc.exe	97
PID 1428 wrote to memory of 2696	1428	Pcncpbmd.exe	98
PID 1428 wrote to memory of 2696	1428	Pcncpbmd.exe	98
PID 1428 wrote to memory of 2696	1428	Pcncpbmd.exe	98
PID 2696 wrote to memory of 956	2696	Pmfhig32.exe	100
PID 2696 wrote to memory of 956	2696	Pmfhig32.exe	100
PID 2696 wrote to memory of 956	2696	Pmfhig32.exe	100
PID 956 wrote to memory of 4348	956	Pfolbmje.exe	101
PID 956 wrote to memory of 4348	956	Pfolbmje.exe	101
PID 956 wrote to memory of 4348	956	Pfolbmje.exe	101
PID 4348 wrote to memory of 5088	4348	Pdpmpdbd.exe	102
PID 4348 wrote to memory of 5088	4348	Pdpmpdbd.exe	102
PID 4348 wrote to memory of 5088	4348	Pdpmpdbd.exe	102
PID 5088 wrote to memory of 768	5088	Pjmehkqk.exe	103
PID 5088 wrote to memory of 768	5088	Pjmehkqk.exe	103
PID 5088 wrote to memory of 768	5088	Pjmehkqk.exe	103
PID 768 wrote to memory of 560	768	Qdbiedpa.exe	104
PID 768 wrote to memory of 560	768	Qdbiedpa.exe	104
PID 768 wrote to memory of 560	768	Qdbiedpa.exe	104
PID 560 wrote to memory of 2424	560	Qfcfml32.exe	105
PID 560 wrote to memory of 2424	560	Qfcfml32.exe	105
PID 560 wrote to memory of 2424	560	Qfcfml32.exe	105
PID 2424 wrote to memory of 1460	2424	Qmmnjfnl.exe	106
PID 2424 wrote to memory of 1460	2424	Qmmnjfnl.exe	106
PID 2424 wrote to memory of 1460	2424	Qmmnjfnl.exe	106
PID 1460 wrote to memory of 3520	1460	Qcgffqei.exe	107
PID 1460 wrote to memory of 3520	1460	Qcgffqei.exe	107
PID 1460 wrote to memory of 3520	1460	Qcgffqei.exe	107
PID 3520 wrote to memory of 8	3520	Ajanck32.exe	108

C:\Users\Admin\AppData\Local\Temp\33ee889dc622e082013c8c78702e9d349fd0e637600df4ef93a1e75d228627bb.exe
"C:\Users\Admin\AppData\Local\Temp\33ee889dc622e082013c8c78702e9d349fd0e637600df4ef93a1e75d228627bb.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\Ogkcpbam.exe
  C:\Windows\system32\Ogkcpbam.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\SysWOW64\Olhlhjpd.exe
    C:\Windows\system32\Olhlhjpd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\SysWOW64\Odocigqg.exe
      C:\Windows\system32\Odocigqg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
      - C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 404
        68⤵
        Program crash
        
        PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 636 -ip 636
1⤵
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
163KB

MD5
05b3beb7240d29857be7738b9c6b517f

SHA1
d953f76adabcd9a91169631006a148b7f80ad4d2

SHA256
5f8e885fc78290642607306214177e963f17f580f3236cad14534d459d1c5ac4

SHA512
1ecf8d8981e891eae860a0c8645814506b8bef15f98b1e0ab368bc5b26c8a6f56797bb6e89610cd0f0b5cdcdc1be1f8001639b9fec5319a38adc564dd81f574e

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
163KB

MD5
a939427475180360048be2d825fbb50f

SHA1
492b29c11bad5b896a092d46797cd84362b80bcf

SHA256
8a5d3b54de96710fad6bad94a6c69a128c1f1921fd45164c36178805841a003a

SHA512
c46708fa306a0299b2fa0779d9a8879d5d0543e20789199dbcc06cf2b1ed218a3b2cbd4ea830abdeb240e385e2a91854f1f5f489c515f45b8689622a0ce1c898

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
163KB

MD5
49572254d59c764af247d899e77deb05

SHA1
0a20ed84209f5f2f2e3f5c4b3e2330cd4779b985

SHA256
9c88d1cbf58f5f241f1ced72d097d30f2e252d8d0d6a70fc2d6e5391ef129c69

SHA512
fe0aa78dddc3b3caf3078b27d23a7583449a89d6991b0518ed4cbf779b0650d6a8df8dffb7307c7fe1e1c5754c1918bf6f9336510610d0125620cb1af67608a5

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
163KB

MD5
fc71f2b152707fefeb6cb5c0daf7c27c

SHA1
57fc05565f0a35a367a56825b12d27863e1654be

SHA256
36a4be46409abdab933bbfc1844a76075f7fab77f40f6593e759ee049efd8e54

SHA512
0958dc5a429962cefef0917f00790d279689befd0759f903663bf5b76499af934dc7a31acba2f16fe60a7ee8e689111bdedfb2454484cece5741616b238c4aa3

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
163KB

MD5
a598f50fe2f0eb44e7f7af9711b7ca1a

SHA1
82e88195f3b64a167edfc9b81cd86a533f60cccf

SHA256
9a18a58cd3f9b76ed3f4c7e91cae37b39cb444c274696965d87234eb74d0d0d4

SHA512
0541d636b66fcc615b2a96536e54fb81f9572e5ec41e259a7f1cea66f926ef18fc7028049635e31fba44eb7938ab57314060025788693f0695a5f56961198885

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
163KB

MD5
d877eafa21aed34eb9002e6ba7316cf7

SHA1
5d66cf2bb49b815e4698bd7b74d9c1aceaa145db

SHA256
584575c757eb89adeda58b6f6695ba105015e4694095037e7141f8430cb9da69

SHA512
75eff925c7860e0e58f9814e0a061c77f1546b31abd296c4286d4cebbf9e5523d9b6f5cf6c95aef70274ff2f843e9f0ea270669b646f75214a4d6aa4ba94f42c

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
163KB

MD5
9f4a2a39e84aba62fb729963ff8639a8

SHA1
25493640d8d3291a02e1a29d3332adf5f507c914

SHA256
94295c8f5f9457d22af5650e38fce83ff1c9fe466abe8cc7d8410c3f28bd717b

SHA512
874a2b90cb7676dcfc7330236956dece7b3942fa2b70a340bf8271769acdb08fd5d9ca4743deeb6f572982795d059ff845b980bdf305127971719987376c3ba9

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
163KB

MD5
305caa17247b3e5580a7aa861138bb30

SHA1
6338a5a5df544f4e1fbf30c7e079ab2494770de9

SHA256
e9aa1303a2edef62e7578f5c95dffbbcc6a480cf845cc0d0407c9cdbf0ca7571

SHA512
e14efbd625d48515a0ded0c827417961b3196e7266a819db99c8f0641201030f2fbb377f00490ceb7958dcf4b6e350040ae76f403363cbe16194fff54f530fec

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
163KB

MD5
2154844ef732740c18073d702b3456d3

SHA1
26188c7f7950aa5464f4e14813d982bf93878e9b

SHA256
b631c957a83aae2e9f289c13147d992f3076d87fba67dfdc999f5776b5e7d9fd

SHA512
86199a37e0c28072854d5c856e86baa6d8769bdb659796ff9960631eaf24d317ddeb3356e37992f08b7232df0d69ba3864c27b5e090ed3e1746ec4f823775f5a

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
163KB

MD5
a712e9157bfc726576f53eaba490e5f5

SHA1
d857a49472b8d7c4b5ff4436b969b613ea67e186

SHA256
db5a050e4fcbea31e3a5c37ed2cfd74ce79a9fe1a83c13e5dc074c4ce27bbf9a

SHA512
0fddcc66cb1113d64432281beb4198858b90285fdbc7644de3d5b3a9bc72774e3808d8fef803d85759786ae0bf06672f1ae2e2d78607f3824e6ae1ab54911c4b

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
163KB

MD5
f5a3f491e81941410d1ea01155b4da45

SHA1
5f9c5d076e8fa221c2accea38520617299e082c8

SHA256
761a327da72e172e5518b4b74a5b630d27185bb357c6314a621bff5428befda2

SHA512
0568b4fd9eb44e2929a3f557e069f2549d11669b404f5c327ec3eded1e7bc784cdfc62478fe002abc761765750060399bed3d3a4245cf2ba86987bb50611f316

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
163KB

MD5
cc97ccd723731ef4662f992435504bae

SHA1
1746f37c70db18b5052dc83c65632ecb45b3afaa

SHA256
15d18763406a4868d20c08bbae7c48a7a5b38ed1b063454ab4e31d770fd3ff4b

SHA512
57bf2573041d6b7b7a1c0454c4924ddd7fa49f9bf0cf7245d370b99b386e1d9322cc149e243248e02753a7464fb119ec64c60139b0790de267a8845f40b58292

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
163KB

MD5
65992d127f2d5bb0134bd7926f8ed07c

SHA1
02cded87d04c2357da0aad338f181d6b960bc4c7

SHA256
d13ae754114f417f4f54dd3adb7f7f3e364d69d26d702401378d75abf00e1f69

SHA512
399b5011a7f2aaef2236696f83a5a20243834cc86509bd2e2a5ab64070377c8b699160af5463a90d53fb043fb4393034d4f4ddfb12eec55b56a0a68c673030e3

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
163KB

MD5
fc7be9703f1d507c37377af8897b344a

SHA1
187c1e8c202db12327319470be8075c00b78b6bf

SHA256
25dd7dc1137ee7b859e6791d9beccd9ec0097b500fc6aed27fdf11636fd54006

SHA512
adb53e79f1108927116852e29fb949537a180b41d5029546ac903497a0518c73ae39bb91f1551bbf086401cfcdc999fe83b8e0e67169301ebca9b70c2fc9af7a

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
163KB

MD5
0e6b668ff22dabf9f543a7f2cfe88f8c

SHA1
217780731097c8ce560a28a16902b61947b47e01

SHA256
26a6a4b0c03dd0b57dadfee58aa1b52c2faf4189f1cdac7f2029b74d154ede45

SHA512
05c186540ecd26857f606b9758514a9d42b33bb45e2e454322c030e6c88a8849192db68c738165362e12dfb8ceaf298d9fc8edf3ea0491a6cbd1374da26aa6c8

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
163KB

MD5
4fc1c485f94497d034acb5438d34b280

SHA1
3ac8bf6cbea8d2c3847ec12f4c3e6593a3bd1ac3

SHA256
f24659c4ed272df691c772c915b88c95fd828dcb4c7f904b826a7245e91a63fd

SHA512
395d1702e64b2096fdb002f120c041533c2b93ce73d77eab6cd91a0ca2ee7e4a48914f3cd931d533c308f3710048afb45ecf9e16a50cc12888a1c3e93c4e2ebb

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
163KB

MD5
9e7fc2f6781694b120d41b4041f59b08

SHA1
9f402d0ba14795ee6a6ff2da4e305bb57a8457a7

SHA256
80d8a134d8ced6e85532d347d53b067a8c7a58f1a3d122e31ed5dab35feb9fa1

SHA512
683e45c5f04ff4f3f713a6cb22500e1c81287211ce507bde4ff62547b8a1261ae47f20ba3de1d5c8214ad3fc7d8cf68b8c4166ec084cad6c415f60f1e892099a

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
163KB

MD5
ab1c178c652595903ee9140f4d2c14be

SHA1
8e0f6abc83bcd45552e2b16826f36923e310df56

SHA256
0e2c7aec804cf2aad9c09bfe44a3f922ec9d1e9e1f35190ca34a15be8ef1cac1

SHA512
13d0ea88c213d26d601298965aad65ee450e7b1f0ee2ea44fa34f4fee293a057917c1bc5b1b4be9638aefa1856bfc14994f70a04b535655766694c95cba5fe2a

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
163KB

MD5
7343a10c55f2dcb6208098ec70d92c06

SHA1
09ff8865c9b6f62621e22cfb43896cd135e6de8c

SHA256
49f5ac610455c0f6e6a2764ce820025f135a2cc2cb9959a779d515c7f30a665d

SHA512
fac410435a8722c643b18e2da7c0b026612792d444a698d32837e491e4f659e0124cf5c7003f580caf37d6b6057076c6045a62c36509f3092326320b8b046ec5

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
163KB

MD5
5f101c65066e6f58008fda58aed6ec8d

SHA1
0e91d334b35805b20b6be83afb89eee31622cde0

SHA256
6749ac16771c75fb309f728b117af0f6139bcb3bc135739c442ffb4d65f60587

SHA512
607af3db2bece996a7c6389799059678d0140c3745a3cc75a91b697fb8889e1515eab35218863bb1e0b8f9c6ac0deda026ca62e1d39caf16131c4ae5190c179b

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
163KB

MD5
375b4c815e6a49e080d4e54dfef4e55f

SHA1
8b15e8eaaa1618e185fbc859228545c20dc75f47

SHA256
ca6b51a02c54bd4d30d1b9a76280199202459d6fcda41f9ff694235dd05cd44f

SHA512
358df1b89317f2971891b21fd99400886407e8107bf577a6ad71d43b3db040e9b29709c7498a6a9dd1525ce70b06c2fe478898c557ad73076e3b5200ae4fe5cd

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
163KB

MD5
bfb5924c41fd25f10fd97bc6b0779c95

SHA1
32530331d8c4bd039311431863331ab72f737e01

SHA256
c1f57eb5f8d97585dc0a404d49b97d518593fed5fda5d3f2cff364976e70a127

SHA512
3a4df88e465b3b73386977540d7caa759260fe29f652e86e36d166352830ca7c29632a31a5dbd9895ccbfcd5cde53d2388b8e46139b72bbf062ca97e329bb646

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
163KB

MD5
d11d1e4c6059403cce91e0d291e0fc8e

SHA1
4bf8730347c273b84ee6f9d7b504c8d1d0165b05

SHA256
fe843844444774983723140d76fd14a27536426c8f784ed9d798dcd397e2cb22

SHA512
c929a2a745fd6aa8d314cad91e0e1690de40abcefc79ebbbe75f1a5387a28469ed198c2da251a4c8d7f0396a96beb3580c37150ae7a68ceb506551be3bee502a

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
163KB

MD5
91149df5e45c2d04eb2a00111d51a7b1

SHA1
219310eb615d44ba654f234d2cf554fc72ad8822

SHA256
65c9c4354e31e43eacf89b1821e45406c534cac87096d086b9d2306b4126ff12

SHA512
928603fec8105d2b9509aac509e7a649a5baef2db52325c3a7d30ceff4bc9f6a54ec4b72655459fd9bfba3c604f8e52ef65cc54a3ffb8ce6b5a3ba246a0f35ed

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
163KB

MD5
6475200fe63b0dfe7fabcb1101980a40

SHA1
1c5305b1f6efed9ac9fc0d0add1858fad8a6a386

SHA256
4a5c848f21278106d7ffb1da0961152e42a9ff9773f6d4a0c0cd0937bb992a83

SHA512
db1dc3c75c0e99a8cc73e83c5d3fb22795896ada774ba4048f5a7137205dfbfc3936b04870baebf584cf5d7a32c7df2834ce638dc6890a22c95cafab6dd6835d

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
163KB

MD5
496456077dd9a113d8818b0c18ac6c1e

SHA1
b0f784150713cfe07bc61cdadce472af32ea843a

SHA256
7e00ed1b72f99f721296fca7e5b4a0e3a2980ef49eaf74f31c7ff9a79447454d

SHA512
a79cb1625ac9e49f750abfa040940e5e61121b02b9beaab185937a17fed4e31ba3fe55a69363739c563da89fb1af06c6bd9cbcb78f6e92e09bba372a0ae8decb

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
163KB

MD5
10beffe340aefe55271632b9e7c2a57f

SHA1
b40c126b5d31b578f66d15358ba69c43e8327bb9

SHA256
7d5cae733336cca5a69db3fe5425539576da10078ed1035deb1cc2ae00d29ea3

SHA512
4b3d093c8b4779270acd8a84e13537c0b95351708da57aaf56f0dd4b9dc28d4529c3ae287aa04c5a9f9f4c9cdcf18b31228820e03fa05b72cbf94389cd0a2c00

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
163KB

MD5
402f61d101198e7ecf66bc4e64b81031

SHA1
3a493ea186f5d822f5f9a23894de2f45958d817f

SHA256
6a1ec6ba5634f2dd5465ea110fa09a98edee4bb3aaf44fe6f8ebec1127c063be

SHA512
9353b837ff2ebff0fd8abd9ac63c6bc7b5c0d0e3fb77128d0e9c53b7d30baaa594b4cab27661b40b91eed1e5a83f3a85cc6f638ffd90aaad8e374ab1dea5b7fd

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
163KB

MD5
875c9cc60e4494780deaf1c63163b480

SHA1
b816743ea15008f25cb6c498412c96723f1b23c3

SHA256
2fe9e751a648669f8e47b734b76762fbdd9ee7149d1859eee85e9831dd13b611

SHA512
4b842f548f3ad405ee76b79dd4655aa5100218df268dd0d8552c55c5eb0ecb71c709784422fb51de3ada86d7fe3d253dbecffc7105dfd25d0afee2f6fb082afc

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
163KB

MD5
6518a4eb13a5591024af278231a6bb79

SHA1
9deb6fbeb8caf0df1b411a73e9a228003edcff65

SHA256
d20111a6307fc10ac752cd45af1a255d7c9592635c62ba3e207af71d762a93aa

SHA512
b6972ff641d8c8e595ecdedd6c526938357358089eb72e1878c211ad56549ea035eafa239fe209ffafe374367140f929bcc5d770e5a041680b085c060ff89ce8

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
163KB

MD5
8ff4fe277ba8a470643ffe2eed2633e4

SHA1
e58eca3a8913eab069725a8d7721eba7b86c751a

SHA256
4b8ffa02f2bed21dacca079d80d147cac5142f68fe7a6db63aaad3af04133783

SHA512
cdf7777bedeb7ba76d0178dae60f790a68b6cb9a22fdd0eb2885d3573f9f77e8726d86e6f5b5e7bf23d6445985d71f5b81902d52e6fc9b59a2eb5523e79daaaa

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
163KB

MD5
6f4e27fda35ad00bb5abdf076508ff18

SHA1
182c3daf62c36ff56f298fba82f2fb0389be413b

SHA256
a11189caf2e157179890b582b7be9f8b88c8e1b054c743cb026b3ed77880c767

SHA512
b4f7e89859ee12d769fa60480b177edb8074de503357f571a2dc6ce384a44350b05344afdf73183c47a367785d9228df9645534f2c611fdbfa753d403ee8d564

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
163KB

MD5
8fd0333c8f7aad0f271ee85592eafff4

SHA1
901972bc8acf4f055fb1f376ddf9ec5713fcc1b3

SHA256
16f8d0894c6968d6c674e97d0cb701b306349c70c9467fa874c8626ca2c9e06c

SHA512
d98c24e3b29421952ab983a81fe49c1f3c9642fb4e87e4a630e4363e3edcacbefc4fdcec98029c0c8e80f05ce54f2b22c41b34fcfeae9b69df7c88c5b695bce4

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
163KB

MD5
0bde18fd2511a34c65957c20810b7a31

SHA1
7601ea524de479b7a4cebf75b98dff5437118e16

SHA256
6ac6eeb54c9ad2947825df9c376f8768e5fd4769bdeaa63f0af781153752cce9

SHA512
5b543dcb1e57ec81dc5f405c90ba8bb1c1f0e0155790dd8a1ce610ea8d15b221199cd2ca7bd0cc9ed0d61c119958787c0d85afad50d1ca52b4c2ec738066e30f

Download Submit
memory/8-175-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/348-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/348-491-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/396-468-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/396-442-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/440-322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/440-507-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/464-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/552-454-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/552-466-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/560-149-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-462-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-460-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/648-274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/652-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/652-497-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/768-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/896-262-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/956-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1032-418-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1032-476-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1128-199-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1152-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1428-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1440-382-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1440-487-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1460-164-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1556-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1556-394-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1620-503-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1620-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1652-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1652-493-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1700-388-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1700-485-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1900-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1936-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1936-448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2060-513-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2060-304-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2072-511-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2072-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2156-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2168-268-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2240-30-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2412-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2412-499-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2508-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-440-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-470-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2624-481-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2624-406-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-505-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2696-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2704-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-509-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2944-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2944-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3000-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3124-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3128-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3148-215-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3308-472-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3308-430-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3520-172-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3664-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3664-517-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3692-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3692-519-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3808-404-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3892-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3924-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4332-424-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4332-474-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4348-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4408-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4512-226-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4580-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4680-495-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4680-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4704-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4708-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4708-489-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-478-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-412-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4960-515-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4960-298-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5004-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5088-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads