berbew | 4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36a

Analysis

max time kernel
95s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe
Size

96KB
MD5

21498211512cd2fcad8cd5a6748b95f0
SHA1

79c05e54683dc3a8ced51323f1c29a6388d13d0e
SHA256

4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36a
SHA512

9d90a2628a2bac409128cf8e3578e88550f25e25027c3f7159d1cb83583e80d624ed42530fc10b4c4b91ad574d77af2f1a9b4db67705d48d98e0c5fd243f00ec
SSDEEP

1536:ciCkY90ndOwY7rQ4bmox8DU3W2LP77RZObZUUWaegPYA1:ciCkm0nd03Q46ox8D47DClUUWaey

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 61 IoCs

pid	Process
1644	Pcncpbmd.exe
2936	Pjhlml32.exe
4080	Pmfhig32.exe
992	Pcppfaka.exe
4856	Pfolbmje.exe
1384	Pfaigm32.exe
4424	Qmkadgpo.exe
4624	Qgqeappe.exe
2312	Qmmnjfnl.exe
1664	Qgcbgo32.exe
3260	Ajanck32.exe
4916	Adgbpc32.exe
1656	Ageolo32.exe
4140	Ambgef32.exe
4668	Agglboim.exe
3096	Anadoi32.exe
3696	Acnlgp32.exe
4984	Afmhck32.exe
1776	Amgapeea.exe
800	Aglemn32.exe
2416	Anfmjhmd.exe
1848	Aadifclh.exe
3172	Bjmnoi32.exe
3228	Bebblb32.exe
2656	Bganhm32.exe
4220	Bmngqdpj.exe
996	Beeoaapl.exe
4008	Bffkij32.exe
1340	Bnmcjg32.exe
1756	Beglgani.exe
2788	Bnpppgdj.exe
3976	Bclhhnca.exe
4868	Bmemac32.exe
3220	Bcoenmao.exe
1060	Cjinkg32.exe
2820	Cmgjgcgo.exe
2300	Cdabcm32.exe
2428	Cjkjpgfi.exe
1584	Ceqnmpfo.exe
3364	Cfbkeh32.exe
2916	Cmlcbbcj.exe
4924	Ceckcp32.exe
3524	Chagok32.exe
4484	Cnkplejl.exe
840	Ceehho32.exe
4764	Chcddk32.exe
4580	Cjbpaf32.exe
3972	Cmqmma32.exe
4160	Ddjejl32.exe
2840	Dfiafg32.exe
1552	Danecp32.exe
2940	Dhhnpjmh.exe
3204	Dobfld32.exe
1372	Delnin32.exe
4412	Dkifae32.exe
4848	Daconoae.exe
4880	Ddakjkqi.exe
1896	Dmjocp32.exe
3136	Dddhpjof.exe
3116	Dgbdlf32.exe
3368	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2808	3368	WerFault.exe	146

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 1644	3080	4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe	83
PID 3080 wrote to memory of 1644	3080	4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe	83
PID 3080 wrote to memory of 1644	3080	4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe	83
PID 1644 wrote to memory of 2936	1644	Pcncpbmd.exe	84
PID 1644 wrote to memory of 2936	1644	Pcncpbmd.exe	84
PID 1644 wrote to memory of 2936	1644	Pcncpbmd.exe	84
PID 2936 wrote to memory of 4080	2936	Pjhlml32.exe	85
PID 2936 wrote to memory of 4080	2936	Pjhlml32.exe	85
PID 2936 wrote to memory of 4080	2936	Pjhlml32.exe	85
PID 4080 wrote to memory of 992	4080	Pmfhig32.exe	86
PID 4080 wrote to memory of 992	4080	Pmfhig32.exe	86
PID 4080 wrote to memory of 992	4080	Pmfhig32.exe	86
PID 992 wrote to memory of 4856	992	Pcppfaka.exe	87
PID 992 wrote to memory of 4856	992	Pcppfaka.exe	87
PID 992 wrote to memory of 4856	992	Pcppfaka.exe	87
PID 4856 wrote to memory of 1384	4856	Pfolbmje.exe	89
PID 4856 wrote to memory of 1384	4856	Pfolbmje.exe	89
PID 4856 wrote to memory of 1384	4856	Pfolbmje.exe	89
PID 1384 wrote to memory of 4424	1384	Pfaigm32.exe	91
PID 1384 wrote to memory of 4424	1384	Pfaigm32.exe	91
PID 1384 wrote to memory of 4424	1384	Pfaigm32.exe	91
PID 4424 wrote to memory of 4624	4424	Qmkadgpo.exe	92
PID 4424 wrote to memory of 4624	4424	Qmkadgpo.exe	92
PID 4424 wrote to memory of 4624	4424	Qmkadgpo.exe	92
PID 4624 wrote to memory of 2312	4624	Qgqeappe.exe	93
PID 4624 wrote to memory of 2312	4624	Qgqeappe.exe	93
PID 4624 wrote to memory of 2312	4624	Qgqeappe.exe	93
PID 2312 wrote to memory of 1664	2312	Qmmnjfnl.exe	94
PID 2312 wrote to memory of 1664	2312	Qmmnjfnl.exe	94
PID 2312 wrote to memory of 1664	2312	Qmmnjfnl.exe	94
PID 1664 wrote to memory of 3260	1664	Qgcbgo32.exe	95
PID 1664 wrote to memory of 3260	1664	Qgcbgo32.exe	95
PID 1664 wrote to memory of 3260	1664	Qgcbgo32.exe	95
PID 3260 wrote to memory of 4916	3260	Ajanck32.exe	97
PID 3260 wrote to memory of 4916	3260	Ajanck32.exe	97
PID 3260 wrote to memory of 4916	3260	Ajanck32.exe	97
PID 4916 wrote to memory of 1656	4916	Adgbpc32.exe	98
PID 4916 wrote to memory of 1656	4916	Adgbpc32.exe	98
PID 4916 wrote to memory of 1656	4916	Adgbpc32.exe	98
PID 1656 wrote to memory of 4140	1656	Ageolo32.exe	99
PID 1656 wrote to memory of 4140	1656	Ageolo32.exe	99
PID 1656 wrote to memory of 4140	1656	Ageolo32.exe	99
PID 4140 wrote to memory of 4668	4140	Ambgef32.exe	100
PID 4140 wrote to memory of 4668	4140	Ambgef32.exe	100
PID 4140 wrote to memory of 4668	4140	Ambgef32.exe	100
PID 4668 wrote to memory of 3096	4668	Agglboim.exe	101
PID 4668 wrote to memory of 3096	4668	Agglboim.exe	101
PID 4668 wrote to memory of 3096	4668	Agglboim.exe	101
PID 3096 wrote to memory of 3696	3096	Anadoi32.exe	102
PID 3096 wrote to memory of 3696	3096	Anadoi32.exe	102
PID 3096 wrote to memory of 3696	3096	Anadoi32.exe	102
PID 3696 wrote to memory of 4984	3696	Acnlgp32.exe	103
PID 3696 wrote to memory of 4984	3696	Acnlgp32.exe	103
PID 3696 wrote to memory of 4984	3696	Acnlgp32.exe	103
PID 4984 wrote to memory of 1776	4984	Afmhck32.exe	104
PID 4984 wrote to memory of 1776	4984	Afmhck32.exe	104
PID 4984 wrote to memory of 1776	4984	Afmhck32.exe	104
PID 1776 wrote to memory of 800	1776	Amgapeea.exe	105
PID 1776 wrote to memory of 800	1776	Amgapeea.exe	105
PID 1776 wrote to memory of 800	1776	Amgapeea.exe	105
PID 800 wrote to memory of 2416	800	Aglemn32.exe	106
PID 800 wrote to memory of 2416	800	Aglemn32.exe	106
PID 800 wrote to memory of 2416	800	Aglemn32.exe	106
PID 2416 wrote to memory of 1848	2416	Anfmjhmd.exe	107

C:\Users\Admin\AppData\Local\Temp\4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe
"C:\Users\Admin\AppData\Local\Temp\4dc0e6f3b22945617b626aaaf4b286040eaddbcbf21f835f4c6dc2ed3acce36aN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\SysWOW64\Pcncpbmd.exe
  C:\Windows\system32\Pcncpbmd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\Pjhlml32.exe
    C:\Windows\system32\Pjhlml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\Pmfhig32.exe
      C:\Windows\system32\Pmfhig32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:992
      - C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 396
        63⤵
        Program crash
        
        PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3368 -ip 3368
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
96KB

MD5
b83a020089defadad9277f0a65e94f74

SHA1
3edcd1ce4891b26f295f6fbc24a979a567045bbb

SHA256
d427eeb8208ba44b43bd4f54c7b797497f03eea01232d798d19ba257493d95d4

SHA512
e98823148b72bde28ec3189d509acc68d1e41088ee458529376dc014cf6625d84c75fb0ea058cbfb601f962157f044cdf58ca78564e7765387c33e868162e44e

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
96KB

MD5
8ac385a1c03e92687f30c36ef3cbafc0

SHA1
5709604c7a7f36a0a88734e90a89599b156538b6

SHA256
a9752ef879ac0bac412856efe3eb16e2ed9185cd9ad635b154db519dcd1dedb4

SHA512
0315b99d8f2cee73d2f669bc009ddf2461189dea35becd979cd0c91290c6649656bc07d226ce1d2577388fe31d1491cde38144f0e1b8a01fad014ad26f70d7c2

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
96KB

MD5
3f0557d1ac8397ffd7595baeddff18cc

SHA1
635ebf8d3172da3684092c9088e456db86c76e75

SHA256
9c772c15080f28a2b7b55e8ff71633145703f688a0dfb5a3ef621a101e7dde90

SHA512
8e311231933376dac5644f06f93d0c59658e285b9f14b2079f923a09302bcec4e491d0e13ea6c18036e0f7b5c15c5f4ffd2c857fbc878d0a573316ba12e1a1bc

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
722bf8b4ed2ff4d0d0db0de007625295

SHA1
ee91731e8d044c9d8e37388f3bff9a6778b635a4

SHA256
474f2cb9ce372843569e9cb2e7cf4dd153bc34e0e9d38c94591ef9a4012fa7b2

SHA512
fa48470c56bf1667a0b0310759ff6ca8498ecb1deafd020ed7d93e44ef16b8d4634db20d5b642e74763e82635b17a0afcb6bfbd8c2ef3ba04af088146a5d814b

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
96KB

MD5
4e127d024145c1fdb7275987338f7a29

SHA1
d2f414e25b286b8ecd8dee0b9e45e9a0f349fa41

SHA256
6516d29c68f24f7c2430d5e04b80a04e94fa7f20d2ebd140b391be300249ad88

SHA512
69d776c8c58a1972ae9929bb93c77d33016228b1ca3fb43d62b95c8f52b924af1ea4c5178d9fb059f46100afc8351f1331cd071b469f14f7f12830c288304980

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
96KB

MD5
ab749556eefa27b542f59efad6e46ecf

SHA1
b4afdd735cb466e88306b36e941d11c1e6d1a148

SHA256
d81b0332862623451e11a02712da24eb5878ba1b32fcb5c5c69e32199206c25d

SHA512
5519d2b366a8529f658d497d2c0aa53fb5a9c1fa6f4e19dabdd29d319224e4780d92ee9bcd8e55e6b8c2ca3249a8fa54f0ff4fbb5e1a5aac51bc7c9ea3d3ff13

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
96KB

MD5
437676ba92fb7e3d10f3831d2451121e

SHA1
6633a76bdce0d88a8c59772259bd377091398610

SHA256
1553902117227665b380ce6c9264e2fa1324080a1599d8a1cb2a2c096995cf22

SHA512
a90076b51915be91bd068095cc18872f4a3f6a642a7caf4c270990e973c78bab5eace921281992873ee9f6c0a416711ac47b0db99e3e440c75aeb83d8d5381cc

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
96KB

MD5
3caf35190e45ffb58e386ecafde61e25

SHA1
babe041ea169274c23933e8d6d518c90b53e026f

SHA256
a3b90a78e7cf9ad804285a2271ef94b5c5a90e8d38049a1fff693b6389811b81

SHA512
6aacb4c627d1dbade03502489e6567446789e63c8c095b79895fa2cfb34f092e74bf9e5ef2882f4b02e6e27c881a54c604449feb2f69f892ed57f93c696f7a70

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
96KB

MD5
9022def106fdff63b2e11a8982a7c6d2

SHA1
3d3d8e5430eded9ef4db029fc2cf3e988f0498f7

SHA256
2822d0f0d524d066515feda10763dbb8f430cf518f944bb44e4a294fa6676642

SHA512
8ca099118a847cf0227e88fa7fb37b76a5ae7738b38cfd8d442c1481a6d191443077418732345ebe456797b51ce101bd10c1e0f9dac69af5b681bf7ee10fa59c

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
96KB

MD5
5f1ea02a77897e68a332ca2f8168a777

SHA1
6ba155f64f0d996d79561dee1e71debb86b975c8

SHA256
52faa3ab5fa40b983a5308ae54db18a5732b9b0660b1f271791bc5614d7ee7cf

SHA512
6d5787f164f416a14e219bb751f177bd1ca25b3bbaf1645ad41dd83e737c567b73257abe058b8615aab524cc3c4720088ba53f0647fe58df534ed54b6dbb769f

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
96KB

MD5
5bff4a22623613bdbf269255cce00dff

SHA1
91b6300806d4e6e3c6087ff706b1555aad4bb3d5

SHA256
2aeb58af1e06443d361507fe9b3d6aab89f97f1d3ef0ae966881a03d1c39b9cd

SHA512
0e48d93c797f059949cf0e3767118a52939e4bcd3a215f37537a05a223e7a727aaf1a271b45a1f0cda3a361c670e56940b56360917ab89ec99e3f834e4a11afb

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
96KB

MD5
ad116d191465baf53b6010313b037568

SHA1
de6617154cd50ece1045df4b3b777c2b8869a87a

SHA256
51fcfbaab224bdc066560d1fff77d3661536a2f87565c675af78de4740947188

SHA512
3f2f694093027e5c4fbdbdf7efec8c438099f8f5808258bb4ee68b1cab4cfe278a8f28f9b609a13df26fbc6d577b72538d3b14e0f0ab1a67921cf0ea3a8862ab

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
a95fb7987b34e99f91f293f10ee4d8f4

SHA1
2a93fbe130d67381e8ee24eb1674234e8661a84b

SHA256
450f59cdbb297ab7f3de5c3f3fd58f1fdcb3e8563480d2ad72d7018194917a16

SHA512
3c28a1dfd806478c236e84cc719a7d6c0809392428280fbc622ab184c2c1cc193d06e0958c0c34b54b0824525f712636403e5ea39bf0abc309f0c000d6789eab

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
96KB

MD5
11b1fb2f14d49f0e0c279a9be105a719

SHA1
e4c107c5d7d1624844fa0c141a6e99dbd41b681b

SHA256
b4f531ee5bc23b6def87cbee15ab990a54508cf65cef0ae579bbe8a202002b0f

SHA512
5501ccb5298ff6042e32d877f9de4d25ae38ef3605ff02e0e80f82e1ace6080859118395a2277cd13128e5db8d65c550af1ab740039854e894d23b11f114af4a

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
547d7c0efcc70a36657846fedd718061

SHA1
b09bb0f2a05ef6931333175c2310e5826459cd36

SHA256
d218899259edc586cb1ae9a03d394435adb9b612660559587b23bc37a15586bc

SHA512
8c417ff6ae5bb230f534aae37d19810778a84e14c207f44c53d9441a3730852515cf90258feaecf029658f4a252187f6e13ac2232ad03a55f378f93ca8c5d962

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
96KB

MD5
149a85e2e2097fa23f19ead0b50395c9

SHA1
27ac962b81240eda96d60223032697c8a248b562

SHA256
61f3129ec0f57d162be9775cf7349a58bce6419d22350875dc8136542fa36e4e

SHA512
7f6f19e91ef37a6650df8747e1d3486589ac092dd213508d7e6c95328170f41c1474400940f64ed92a258d2d7cd10ee411fb6811e25b154e169476c1261f760f

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
0e2001117287f00986632adf4ffa3efe

SHA1
903b10a2973c2122cfa7cfdb55c72eb0fbb26a3e

SHA256
be51ef2ea8af14a992e91cd80f454bc9312b4af1fe8425e29481afb6f4e5a800

SHA512
30eb21060d7d4c90b3a2b733f88e6f31907d3d705aafacd683031f7f1d93ff6f77e557d334eddc25d293483a66bfe21b20e8b609e8052fb3bc8f34847f9ae1e7

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
96KB

MD5
90848eb05e3ad48d88a50c6d3a562fda

SHA1
70d963206393ab5506ebe83664f2a5784abff684

SHA256
beb688405f2ab47bf8a41994dedc4a1114bdf68a20936b9b968e502f531b6609

SHA512
7737282f41b286e12e1e78cb580cafe31c886937bd74ab33bb717e99b285b7875b330e6e47963a4437adafb0a5d768dd4938d52d490cb2d72ac8470b16a1b341

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
96KB

MD5
c7124c13bd2c89a1c1a9d51b86374995

SHA1
0eeed5f7063f7e31e7efc32fab3f168aa6e40e3c

SHA256
e61f3c6e05d56e762389c05c7752d1c7842dd203ac0959121b961d6a3bfee112

SHA512
40e3ab551f5a9099d5e8a654213ec29de083d1b547736dcd71f9109c7359d0f0b555c31fb11c9e47531b74d896a09f7bf2abddd7fa4e7da7166c92be3e397aba

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
6b5c521d3b93afe8e0e526fbcc3ec916

SHA1
ee23d8827cc429eb63d0a217c80ef59cc04370ba

SHA256
6c977b011ccef57eb3128304c981ccd8378116552e9ce84946adb32e632405fc

SHA512
7de99fc934deab7fdbb85d7b64dd67bdbbbf4ae63a337d5637c138f4ad90654e51584b7503408105b864c53ddfc9eb4f4ef2724c847ddd4fb1ec5caf2915e78c

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
8b36d20c9a8b70be9d022b988272b151

SHA1
48b764803909d8481bcc2ff6cfb9fe8d8b2371c9

SHA256
09e066408c1097d20309694695c5ebb3750070024bc532b625796a16954cf81d

SHA512
86a53cfdad25f962aebf89fa8f998f1f2333311e6fb6891a5406ff9ef036a1660c942524275d86e31493e0f2a975a282a496c5183e44420f54a10f46a48dd342

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
af8ea88e214815bee5c7440084c7c5aa

SHA1
51f5931b31b5864c851cf2712523855ebe04f46d

SHA256
2dc44831316622b270847506371ba6e88be244f0e63fc39b5c4699318b068cb4

SHA512
797f9422fb5b136de81070c7b36504e581ebabc7a28784df1e7374b191630ae9e8db899d336a3895acb625a050fa5b9ec052801a9b0e7b4734da1015d0fa9e68

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
5af9090f437b6fbba5b496a1ce27e06a

SHA1
b1f304d0e62974b210d2ea4372b566ea48777be7

SHA256
ceab36441946f0ed4323d55850a5b7cdf4c585bd83c2bbdbe8ccfd7fbe3a0867

SHA512
72a0eec0855f94743100dee0da994f09bbd76283c6ed92eb4d1333eade04fd69686b17b69a35ed879d9bb9bdc666f3ca4d85a59f22d8f063623fdef746e3cd88

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
210e354a163c78f3b352378e84c78ec9

SHA1
9980bb853a62c29fdb317a468376aab7ed02a47e

SHA256
2fb2484c396b5c16c672cb0b34ec8ca617a4cad1bb720f24bf29a417eaf48aad

SHA512
a134640ece33f11488ce6197fc2be91fddee8990ef3cdf1d3e552a4b8cda5579c1e976df93e52b6dfd4c35ea6cee765ca0ec5675579ccbe99be283fd6bb0e44c

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
96KB

MD5
49d2a7ebaed5b10f0d0f21cf78506c56

SHA1
282a641f84c646feea8992b2a37dee051e4898f3

SHA256
dd2557a5295282c9fdc3b565405b8e16301b3dc7bc1252b211d45e7ba64429e5

SHA512
9fa64aa17908035e28b53c86f48d03057e0ae20ce41040bbaa3171a9fd5c01b2dac13b6f3e35271fb1cdd67cab4b416773ad468af92943283f46067e89c5a05c

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
783292ae267bcc38c6c315800a1156c5

SHA1
6959d6c4fe58fb3ec2057b210c8c9cb21a4175cf

SHA256
c0fd5decfb43eb7b9ea9c1234cb9652fd3b06837a6d8aaeb6334b1a9e235e58d

SHA512
bd2d8d97332c9ca7ba99d575a4e692de8baed5076d8175c1b41762b9e5f296061808c0f37c11c15f96860f8b500f8d26a7b3d3a09c89715791a0bf2c2cb7eadd

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
96KB

MD5
5ac463e2160f549bcaa6e35b0d895e79

SHA1
705573763dc744ad2de6fc3d4a0dfa802a484d5b

SHA256
6e91403b85d7eb6723555de0cfa09122e7107f881a216929c136144e8077ffb3

SHA512
7a644feddfc8e3dd016e84b5c900476743c849a7275aae0517f2f5f268bacd62e633e4717857d471994afeeee088a62cafad0da8e50d078a9bb8184204d7b12b

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
96KB

MD5
cdd69473169beb154c4c19e692e48563

SHA1
f9a0830c2f9edcdfb9ae81a2c8d3a7079c497e8c

SHA256
c602546363f4f259bd5e9f6e1ce22ec58a633dd0356d5945822d4cb4be0d4f2c

SHA512
8aae33343d665cf2528daf6a84e8b2e2cbc76746abab6009571ad93b0339897f204ee82dd8076e1f5bcc31a99cdb0eb76ee85a577a49f073a80a55683fc83a03

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
96KB

MD5
ed7cf6e55a309992e152e337146a85af

SHA1
4008b088132db6cc5efe4d3ee150c6a871d0bdac

SHA256
ab691bfc059b1f9faa102130038661ac79c082f6db4a4dafbfdbf9ac0827ca57

SHA512
1131ca81f1e312c4b06418e94a7742e79148a2f16d9b455fe7e986edd21e6c50a5486a7e02f1d3bac2e018bba0afaa85bb8f1a6692652d06e0e26f91b0108a5c

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
96KB

MD5
1d51dbd42c33b685b319a89e5b4c62be

SHA1
f163e1b81b07a6a2729342dc88ca26beede26af2

SHA256
37e94d513e12f45caba17dc03cacc5984159237d3b9e32c75001f1ed31d7de6a

SHA512
29703e1a831b9a9f133dd056552692c0628092596be520d44cc90ff5386cd1cd77e7be2307dc62106ac7d4bd2148d2bc1b5eff095929228da291d61542221b54

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
96KB

MD5
0ca868801a33cff1f5866085e0cb3577

SHA1
427fb433191f89c0c78583905f24ccd0cf2d6cb9

SHA256
aee31a14702ae3c9a2e683793a81768d33b9b77bb6c6f092d10fd0615e0a56d3

SHA512
a097eaa654b838ccb716ecef6f8df1fc81f068eb1fcf3b1b2d8a2a6a37c67b42f1b4a9591dd4ac6bf00b7c3d6619e42066000106ef0ac9f14e263ac5248744c4

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
0d8b14746b5a728ff1650f142c227fce

SHA1
a5585628de90e140f54985e0b33ccd45e1e82619

SHA256
08bb2d4b42fc33ecf71ee5255225f99e2cff2de26b147d277a95b85afbec722b

SHA512
42b01f4dfe3422049638de2c22578dcd72f252963697cce1f4eae36b6fb870a2ec5f686b5b2aa4095f24354d6ac20b3e335a417c157fdffffc0b588d86d37b43

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
96KB

MD5
93ee13bb2fe6cac5068674f44fb53995

SHA1
fc33134022f88bc0589569d7e1de9e6428361dc6

SHA256
63d7b688e07ecfc741bc912c1a4dfa849630ecffad8335513faf5b077b6c2557

SHA512
a03f0567f68970423a44f788c62d764c0282bdb9fae4aa7b111371e1a880d36c4408e5d889a283994f4537b3f848f67de149c1a4a46a0ed8935d3f333ef39e0c

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
55bc0edd8107226889da863f9b368ec9

SHA1
bac4e057035eba80b8269e85dc7936d076c91f16

SHA256
912042103009141c135b5aa1abefc5f66295ff7dfe1c7e32f8e5762f4f17776b

SHA512
7b5f7dcf5a4414ca414cdf07972dc6ab394880696fd6da87c0fa5bd8f4e3709824df397630a046c1d5bdc72730f5c5a970d1b328e5dd77e993139dde76f47170

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
96KB

MD5
b5e21e8c32d120e5c8405e7a05542722

SHA1
22c3bdb6fedbc874a8ab912d3be0cb3e4ec7396e

SHA256
1f19fbdf6cceb352568db0b228b8ff8ba9bcb2ab4bec9a5780db4f2857bea5f5

SHA512
130ae996ca9f3e5996e08da7b689c29929f8f63dec5aec90e86cf7d45b7963ff777f6fc4f0c0cb8ed6fc385fcbb7f529b414937d92a4da9c6f69640cca57e29d

Download Submit
memory/800-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3080-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads