berbew | 252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe
Size

465KB
MD5

b807f1026b402db0600364704134d364
SHA1

68e954f1ed35050c69abe42275ef1053506026ea
SHA256

252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd
SHA512

96e74af5f8740948a09ad207b0ad9d9b91a4e94e41af9f78c902abe4bdd494583392f916bf17ce2fea2b555b7a427fd472c1fb3930b31a1a3adfac158d415f32
SSDEEP

6144:k77rQcinvC2z5MwEHPQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQb:GPina2zj/Ng1/Nmr/Ng1/NSf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 63 IoCs

pid	Process
3824	Anmjcieo.exe
4324	Afhohlbj.exe
2708	Anogiicl.exe
3968	Aeiofcji.exe
208	Agjhgngj.exe
1752	Aeniabfd.exe
1388	Aminee32.exe
3080	Bfabnjjp.exe
3572	Bagflcje.exe
3616	Baicac32.exe
3632	Bffkij32.exe
4692	Bcjlcn32.exe
2976	Bmbplc32.exe
2320	Bclhhnca.exe
1084	Bcoenmao.exe
3168	Cfmajipb.exe
4336	Cdabcm32.exe
384	Cjkjpgfi.exe
5088	Ceqnmpfo.exe
1924	Cdcoim32.exe
392	Chokikeb.exe
2112	Cjmgfgdf.exe
2648	Cnicfe32.exe
3720	Cmlcbbcj.exe
2936	Cagobalc.exe
4384	Cdfkolkf.exe
3208	Chagok32.exe
3780	Cfdhkhjj.exe
2556	Cjpckf32.exe
368	Cnkplejl.exe
1932	Cajlhqjp.exe
4292	Ceehho32.exe
4788	Chcddk32.exe
956	Cffdpghg.exe
1612	Cjbpaf32.exe
4040	Cmqmma32.exe
2148	Calhnpgn.exe
4144	Cegdnopg.exe
1948	Dhfajjoj.exe
2576	Dfiafg32.exe
3704	Dopigd32.exe
2704	Danecp32.exe
1788	Dejacond.exe
3476	Dhhnpjmh.exe
4524	Dfknkg32.exe
3796	Dobfld32.exe
5108	Dmefhako.exe
1580	Daqbip32.exe
3260	Ddonekbl.exe
632	Dhkjej32.exe
2084	Dkifae32.exe
4932	Dodbbdbb.exe
4656	Daconoae.exe
3600	Deokon32.exe
3672	Dhmgki32.exe
2096	Dfpgffpm.exe
536	Dogogcpo.exe
1092	Dmjocp32.exe
1560	Deagdn32.exe
3964	Dddhpjof.exe
2852	Dgbdlf32.exe
4660	Doilmc32.exe
676	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe

Program crash 1 IoCs

pid	pid_target	Process
4724	676	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 3824	4152	252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe	83
PID 4152 wrote to memory of 3824	4152	252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe	83
PID 4152 wrote to memory of 3824	4152	252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe	83
PID 3824 wrote to memory of 4324	3824	Anmjcieo.exe	84
PID 3824 wrote to memory of 4324	3824	Anmjcieo.exe	84
PID 3824 wrote to memory of 4324	3824	Anmjcieo.exe	84
PID 4324 wrote to memory of 2708	4324	Afhohlbj.exe	85
PID 4324 wrote to memory of 2708	4324	Afhohlbj.exe	85
PID 4324 wrote to memory of 2708	4324	Afhohlbj.exe	85
PID 2708 wrote to memory of 3968	2708	Anogiicl.exe	86
PID 2708 wrote to memory of 3968	2708	Anogiicl.exe	86
PID 2708 wrote to memory of 3968	2708	Anogiicl.exe	86
PID 3968 wrote to memory of 208	3968	Aeiofcji.exe	87
PID 3968 wrote to memory of 208	3968	Aeiofcji.exe	87
PID 3968 wrote to memory of 208	3968	Aeiofcji.exe	87
PID 208 wrote to memory of 1752	208	Agjhgngj.exe	88
PID 208 wrote to memory of 1752	208	Agjhgngj.exe	88
PID 208 wrote to memory of 1752	208	Agjhgngj.exe	88
PID 1752 wrote to memory of 1388	1752	Aeniabfd.exe	89
PID 1752 wrote to memory of 1388	1752	Aeniabfd.exe	89
PID 1752 wrote to memory of 1388	1752	Aeniabfd.exe	89
PID 1388 wrote to memory of 3080	1388	Aminee32.exe	90
PID 1388 wrote to memory of 3080	1388	Aminee32.exe	90
PID 1388 wrote to memory of 3080	1388	Aminee32.exe	90
PID 3080 wrote to memory of 3572	3080	Bfabnjjp.exe	91
PID 3080 wrote to memory of 3572	3080	Bfabnjjp.exe	91
PID 3080 wrote to memory of 3572	3080	Bfabnjjp.exe	91
PID 3572 wrote to memory of 3616	3572	Bagflcje.exe	92
PID 3572 wrote to memory of 3616	3572	Bagflcje.exe	92
PID 3572 wrote to memory of 3616	3572	Bagflcje.exe	92
PID 3616 wrote to memory of 3632	3616	Baicac32.exe	93
PID 3616 wrote to memory of 3632	3616	Baicac32.exe	93
PID 3616 wrote to memory of 3632	3616	Baicac32.exe	93
PID 3632 wrote to memory of 4692	3632	Bffkij32.exe	94
PID 3632 wrote to memory of 4692	3632	Bffkij32.exe	94
PID 3632 wrote to memory of 4692	3632	Bffkij32.exe	94
PID 4692 wrote to memory of 2976	4692	Bcjlcn32.exe	95
PID 4692 wrote to memory of 2976	4692	Bcjlcn32.exe	95
PID 4692 wrote to memory of 2976	4692	Bcjlcn32.exe	95
PID 2976 wrote to memory of 2320	2976	Bmbplc32.exe	96
PID 2976 wrote to memory of 2320	2976	Bmbplc32.exe	96
PID 2976 wrote to memory of 2320	2976	Bmbplc32.exe	96
PID 2320 wrote to memory of 1084	2320	Bclhhnca.exe	97
PID 2320 wrote to memory of 1084	2320	Bclhhnca.exe	97
PID 2320 wrote to memory of 1084	2320	Bclhhnca.exe	97
PID 1084 wrote to memory of 3168	1084	Bcoenmao.exe	98
PID 1084 wrote to memory of 3168	1084	Bcoenmao.exe	98
PID 1084 wrote to memory of 3168	1084	Bcoenmao.exe	98
PID 3168 wrote to memory of 4336	3168	Cfmajipb.exe	99
PID 3168 wrote to memory of 4336	3168	Cfmajipb.exe	99
PID 3168 wrote to memory of 4336	3168	Cfmajipb.exe	99
PID 4336 wrote to memory of 384	4336	Cdabcm32.exe	100
PID 4336 wrote to memory of 384	4336	Cdabcm32.exe	100
PID 4336 wrote to memory of 384	4336	Cdabcm32.exe	100
PID 384 wrote to memory of 5088	384	Cjkjpgfi.exe	101
PID 384 wrote to memory of 5088	384	Cjkjpgfi.exe	101
PID 384 wrote to memory of 5088	384	Cjkjpgfi.exe	101
PID 5088 wrote to memory of 1924	5088	Ceqnmpfo.exe	102
PID 5088 wrote to memory of 1924	5088	Ceqnmpfo.exe	102
PID 5088 wrote to memory of 1924	5088	Ceqnmpfo.exe	102
PID 1924 wrote to memory of 392	1924	Cdcoim32.exe	103
PID 1924 wrote to memory of 392	1924	Cdcoim32.exe	103
PID 1924 wrote to memory of 392	1924	Cdcoim32.exe	103
PID 392 wrote to memory of 2112	392	Chokikeb.exe	104

C:\Users\Admin\AppData\Local\Temp\252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe
"C:\Users\Admin\AppData\Local\Temp\252caf293d9f856962843e1f96bac2367345ef3d9522b773e3b4a960e4e3e5fd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\SysWOW64\Anmjcieo.exe
  C:\Windows\system32\Anmjcieo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\Afhohlbj.exe
    C:\Windows\system32\Afhohlbj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\Anogiicl.exe
      C:\Windows\system32\Anogiicl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 396
        65⤵
        Program crash
        
        PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 676 -ip 676
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
465KB

MD5
e6ec5631d2a375d66c48e63225b0ef0b

SHA1
b334b5ae91025c54894169cc0ef9e4b15f116479

SHA256
204fc791c34a573c4cd2f4f149c3bddb427c9628bbf1857524b1de9317535887

SHA512
18c7d2ab167343f9eeb617b631a0d5dc937d373a5d09cc76709c3c2d11f23519da627a433cc26309070868607ee30a9735bc0503929b29ff941d87545f565a9b

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
465KB

MD5
412a60a9082dc342c5a403bb2c68a220

SHA1
eb81c47ab2394de512abc4059cb72ab0c54fa1ed

SHA256
7cbeb34b6c77256872cd1d68c9fd47472351865c117a6b500f226864eeceb2fd

SHA512
24eed3088e2d794d4d6325493aad05c928a73311f36f881a141d21228ba0ea2fca4f92e14dc0c7d862ab55f123b57b5c918c813f4fcb1195aa1e332870318645

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
465KB

MD5
75c972525b65fd48e7e62bbebed97ab8

SHA1
a8b225bd696045cefc19b1907f0fa78481ad1aa9

SHA256
5ab83545b9a6532fa8e88c7eeecec4776fb5678ba9d57c7e9c5ecfa2d3bc23be

SHA512
f945f5f2eafd2a657c937bb44adb3a149effd3b44a0106ebcee90c506ad55a3074a9620379099d5bf0002f6f84b84b2a465ceb6198e527fe016591889349ac11

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
465KB

MD5
0b1ae86c1488078c4c0d0813ca923edb

SHA1
286e33a1fb7bad3c2bebdb1f291a61ae4d37b462

SHA256
62edad88274206ca91e4f0bd50030a6262d17dcf3560c8d3019ca7868d369fee

SHA512
1f55db20fe3d33e5cb6d14a1aaca807d7a59ff404aeb6d056871ce8ff7b39b2b804a95e17d500afdce2fac0b66280aa3d4374bbadab033271bf1e8f87af001a2

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
465KB

MD5
e05ea294ebb7932d96a15fac28c59909

SHA1
7eb566015709f6171545282af9cdd21fbfc83f8b

SHA256
f358e88fff6426c80e891ca2e29f51a2ec38907c9f994a3295d826e0e1712f6f

SHA512
a84478a2ed2b926436f6a4af4e04a09c6b021b10a029e2b61cf608199288094e3cdd48137150fa5ee156c4b46a02540e361d2de7d99f73048c06403ffab84c6b

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
465KB

MD5
4f65645844b86a2a665e5723ac8eb433

SHA1
0e971d41d60b2fba5655283e78175a0f445e085a

SHA256
f3ef67c1fe8c6cd56c2628711a4fcb2985981551f84e5dc4f32f4413122acc84

SHA512
122bbd0aaf6bb63caddaec5212acc52a070c91a333f2201571f37c0aa042d2bf8719c9584b41f2e30a8efd4dae857c3ba252ce489e411f1aff1c8ddfb233e59c

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
465KB

MD5
a6f33a4d9b9428cd0ab9fade513c758c

SHA1
d588efb5280bd5ecb19db53e758601e6f0f352a8

SHA256
12d2450f5a6be06e3875f2330217e406303bda557cab7eb9b2ebbe74e431938b

SHA512
404cbb95b2c7ff4cbe002f839e0cfcf1235d34015375d7a87a9a1c340efb8ff112d78dde697578174e36b0455f4e6eb6a53bea8c520fddd773e72ca549a41bc7

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
465KB

MD5
9ccaea70545fc7eb27814f17f94b2436

SHA1
b124dc920106959b188b932a921af530be078ba5

SHA256
638d7085d2d353b956098ef6f73803abdb2b4d5beba0097dcf5d72aa464bcb9a

SHA512
797b4f8583d2b0209c15ceb4bc489e29fb322dd26cfc43b262828651b7445a45db7755f9bfa5859f3a2481ec9fc75a7413e5f0d9bc29a67f31f88fd66de4ace9

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
465KB

MD5
f72df06eee8d1e193b9c7e330c8b0672

SHA1
67f993c3a548fb452177338d93aa36d2af0c1017

SHA256
c28c36dba38b7018294fa7a00e9a9f055d1fe90895150b19e0a45b9616cbabce

SHA512
33ccecaa92fa497b74c6aa373d6eb9eaa852e8ffccfb0ae3299a24e96d80ca91f2ecda9e1dfb7ec1942863338fdbcedeec43ff7111eeb0962360fd0a20247b2a

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
465KB

MD5
4b86505b92d1414a118b74e97c5bd1f3

SHA1
e5982fe1f9c39393ce53579c8eb1121b833df5be

SHA256
a18b8f0ab6d6c11ad19cba9d55f6ae31ae32830d65358c9970ebc76310fd8a75

SHA512
5663892d9002dc78acbde8b17e512c3c3ba333de3aaa44362b53d9194dea2b99e22075259ea405f15037135b6e1db4c38407ed16f2b0eaf19aad3d33f20c716f

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
465KB

MD5
aec563d073f269bf323bc35c4a8900e6

SHA1
ac1b9e014030e157a3b817bb501f67b2fb00d1c3

SHA256
0b7ba520f139bd87d740bde7205767f02ea1258b6455edb13ed2d5ea5f38602d

SHA512
9eba9f4ceb16ff09ceac26df6065c56fcb45333bfccc85da8f2c68187de08f042d666a55409323135246f9e1d2e03b1345aedd553b477341d714191ba08ded3f

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
465KB

MD5
5cae7745c69819cbfdf5f61e08d1b4f2

SHA1
cc7ff5a628733ed62e43bb08dcd00fcbcf3f87f2

SHA256
a2837e1087641865a88e95d311712f3e92dfba5f977f987177a164d10d1bae41

SHA512
daad5c7fc27a9e9328d46337da0a01433417f22f26dc3bc5b8e520b06ddd479445af3d961a5f7c92780e1eeb11ef2d70e3e6aa31153c3ed608f74e297f48fc1a

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
465KB

MD5
9ff0f4bb20bb35051b43821280319b07

SHA1
4c000dbecf1d5dec8b07e9d3fbfbfbf2817ad5e1

SHA256
b2d6c82af9cfb80526d6fff2a748a45c06ae7c6086980857c014d082ff8f0df2

SHA512
1a70e743efad4f1fabcff8f8336b602a8d968e9d5b5d045f02eaff8eeafe899dc54c33bf2ec2f5bad82cacb74870e61d3cd2b2dff3f58b89fac8b19bcebe47d3

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
465KB

MD5
1bd2344a30a8dc5d8255926f59431d52

SHA1
e2dd9797114ad61b93eac18ae09256b41475e493

SHA256
774ed0fce06bf212fc91193a3c36081ea2a401ebfb846e1c26376391b49751bb

SHA512
f30c5508021ab60cd2f30f655c62558ef723bb51086da01bf9b745e19d3dce1987ccc464bb44ca4d51cb72da798fa235d6b40141bd693b1bc3497bcba43e16c9

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
465KB

MD5
93b46b7df942d8c4b58d3ee7ca29fe87

SHA1
b26a603d567bd52aa5d01f30b6790e4933a0e508

SHA256
959194d720aaa8f408d3a1854eb0c13460388544da77b3ad05278b8bc7d45f00

SHA512
540d6c1cb1d45de020e36cb4e9790beca629b73c23c319e140ebd77d04686f4be7b4a9c89647eedff6cbe8d04fc036d8ed4efe79f43ca632323abc9446e595b6

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
465KB

MD5
2639f49b34fb535247161e418cf3cd5f

SHA1
cda4a7aa8f78ac09f3a12bce41705898608e85a3

SHA256
663215bb214ee500d5c20ed1c94341d761728e67eec93a4e7c35a6c98174583e

SHA512
6840ad755512f0a5cdb85d6d7245f8a9a1b17fe06088b3649fe6faa2079072e4f69367a2ce16b7925c90569f9c10503db4cd7cea75d2d0acd860ffb4b9a05594

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
465KB

MD5
0deecdd05f661df023ea2eef84a47de8

SHA1
28e524061f21278bc24bf219a8d85d29ed5f40eb

SHA256
31dd2f654595520d12228ab3cc700583e17e7ba80aba7aa3d0d92171eb5b3f42

SHA512
b8a645ed016eb88d5348667d5dcf18dbc7d78a204cfcb835fe108b825b58314d99eb76779e0465d6d94459a5b19520ca3c44028858015f8ba8d808b11b40cd28

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
465KB

MD5
bf02cbf4ed707ebc22e29d59d078658d

SHA1
8210e46fd8758e5f6f8c56710040b6e913bc4f84

SHA256
c260da39f3617cf6691fd8a8c7117905e00874fac54efccd0cd39723a63f4e42

SHA512
518350e38938ed12d8f62f9fef5e5d9d80545fa536da0c8630e8ed3976655f21bf755d4d87a46dc6b97a03104e15681919fc622b7938817b2a39e1d2bda80726

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
465KB

MD5
224fd820ca33afbc57e758c18e38b04c

SHA1
b177252ee0d3bd20f27e36d4890dd343391778a6

SHA256
24d7deb1d7ad670cb7dacb63d88b5ed22392a6fe45311ebf3d76bbad05dea4a2

SHA512
5090b254bb3a0d8d55c5fc1104ee1a8eee5547e5e3b824f1b927d2283602133d1a445798f4dc6885d8edb091f103ab7933c757d9d77caf6d6a4feeb47a34206f

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
465KB

MD5
0de081abebffaf9e22180b9548822b9d

SHA1
315191dd597f5fcfd2ef9117ca1e2538799709b1

SHA256
9a6d53c066239f78698c0377992515bc135d4406c97282b8bbaea91e6c4eb232

SHA512
8505e432ba177d2198934b3e514c9f6bee59aaeb1459becc03b66c49da26c92d9c7f3ccf1e9a5e47309f9fed75ec26778c2da0224eb0584889891df59e2052a2

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
465KB

MD5
c46d94d23d88b5b3aba731301e700957

SHA1
a3096f538de84c0167a88f6613d78ec53fb65239

SHA256
72536154903ecef69afa46c92ca5ae411d8564bbd690463fb19e4e72c25cb2df

SHA512
f015ba02d61babac958cef33fea59d62df5a17da5a3dfb8b2e127fc4e9d87669db885c141af541881c105f8287b8987e527d29cf13bc25253869f169fa74da1e

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
465KB

MD5
f32400a7a09f4e7e1100db2774971da1

SHA1
3e70a9cb339fe591d054cadcea5b5610a00a2fba

SHA256
a782fc8c3930eddaf630507b5850b1773afb4e81e9110ad60d0e2e0141d05cc9

SHA512
0d52104428e17950073f7269be3da30d4f21f139a7375a957b981b5a87b0fb62aa51f06a906105ce033646798a298e8c9c1580e7cd27e0b009ad14d27dbfb0d8

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
465KB

MD5
3649499c0e24b17b44cf27e9bc3d917d

SHA1
74856c7e0f650b0587f5ddbc35846560039239ef

SHA256
8eb675bb498d9dcc7f2dd57437905cd83c7e29d9df0f45c220736c5d56e8e215

SHA512
0e2e144be7dbdc568b7c7e9bd918afc50d3e9424a2fbe06beb543dfbef8508cfe963c5c890c8a7a947c65283d41d045750bca1eb94be24b4d8559077ea056b51

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
465KB

MD5
e4fbb93d0f692a1be26674029107d562

SHA1
23a2ce1c5bca2386a3aa3d46858f3336de473769

SHA256
2d9ca4e62110fd722035a99e6ca4f7defb6e9ee122be3cb3c316c2ca5b38f63a

SHA512
17356846507b29d10404633e2821f44cfd6b851f8c2ddc8c1c64bafa432d1df7f6da0d6950fc2358c9289fae4eeeb11a557f4dda3c913ff821359c2f66a6e420

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
465KB

MD5
d28abf99bd7170e31397c67d49c7061d

SHA1
7d91fc0a1c981e7e6277ecb9b376a739578ff065

SHA256
f2556a8cdd43c281defa5c73092281c0f31a2a86e575e95c39fb9a64f43301f4

SHA512
0a38b82a346b9776c32563b0cacb67c12921868d757996078efbf0e368401b7eb5cc3f3f8dcf71d5679611757c70dd01827e90c2f7f6b35bf952774f8f36abfe

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
465KB

MD5
2381582ccec010cdd18b0dca0b81335c

SHA1
ce6a235c6075803a4c29fd8eaf569ce5ee58dac8

SHA256
dca79b1031cb2a1577e24de0dcd52332486ad7e7f21866f90d6384f856261792

SHA512
628353da960154052ec483aabf072db0e5c7c8c5cfeb3ce53bcf1f9f4b83b14787d4b1ce73ff0539279ac3537989d53f2b1393cb06d25141c122798179274358

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
465KB

MD5
56f03fbb5c95d6fb972fb421f23d9d60

SHA1
98871e9918d942c164bc12ccdaf287f907cf5da4

SHA256
9580c071c6556b4963d3e6b848b47332f35bd118028c09fdfd76557492f3c5ee

SHA512
8333b55e35a0fb018e8632acd060555f44c81719a7a1c39ad7a6391eb35dd5466f728cdfb42b17f10002d7cf7a2a03beb19d48fd10699dc4a539e102ee4c0594

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
465KB

MD5
976269b750dc90167a6a59e02ec28db3

SHA1
6420ace08013f01dbb822c07d6c049f5fb06af15

SHA256
d49b09162c730f0c27f978f7ab2e8b107dbc4ee5aef15929514eb5dc99263836

SHA512
a6e3c039c0bc72c76c7ddf60e49939916b3c15041594bbdac682b058c019864b4f16d08d54c9fe57aaab31e3f9fc8cab66521bb8c21ca74e786545f62416eaa1

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
465KB

MD5
22738fd9d0f39366167cb2a43a613a1f

SHA1
2e556be89a34c774146c9fad3eead118929d6014

SHA256
809c6c9a868630ed8b85f07547597086fffc58887b9ac96e9fca6695cff33b84

SHA512
024280a1813eda3a0c588c3a05a427bb8611bebb59038eba923a8375061d1ff5008ff552b04af133aa961ddaa786eecf565765c590b44318a2d6657074a80fdb

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
465KB

MD5
74ac167c299667afdf844012b79755bb

SHA1
5b2fe2d26aa4676d3c71ce536a4421e98ca0362b

SHA256
fbcc4d9f9019c432e3fd9e99f9b4520a78ad4e605890f8eb906bb70027bb8c87

SHA512
51dc537e7bb23d2ca4a498f7a50c7cba7c0fc557e11c037a89332618040fb61c857409bff6f802489397326ffb7a3a2b72c0776d9a49d0b45a73b97f81f4112f

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
465KB

MD5
3486361625d05852c7f4a2a76dc844eb

SHA1
c68400e3ba51fa11459c80b8d6198df3361b1311

SHA256
2824e78bb6b7a62a578b861c675f22a757054c76373c1b03324cda55c895d08a

SHA512
3f2ef38daf36cfe64405810da58b717029dca43059d9b48b43433c8cc25350ba31f687a9015cc324e803e5957b12514ca3b2adfa98d365c5bb9cb0bada612874

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
465KB

MD5
2c25869a1ef5389f8aec717863904efa

SHA1
44eca8c635213ccc15d57ac9706a7d65fe6e5737

SHA256
0699bec2dd38d2fa70a874807c33a5cd76dd0c99c92c9b61bb0ca13a7e0aa3e4

SHA512
e17a6c44b769977fd8fae2fa83e3ed0077ba021f0a8add1886807f317d901cb7133b0633b039bd64e45be32517a968cebbbef89e8ea8f4a482cb04efa1158f86

Download Submit
memory/208-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/208-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4152-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4152-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4152-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads