berbew | 004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81N.exe
Size

64KB
MD5

cdf40ef25043ef018e34c2219fed37f0
SHA1

0a4317a63a9860e708e60d2229b30eb52f04208c
SHA256

004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81
SHA512

243e51a0eceb2f0f4dd3ed0410273496950265514450f631c9c592b3231a885b5417111e0d0d03a117dee5343e343491304d6eb95880621aa13e360158abaf9e
SSDEEP

1536:dSbjwo9mVo/YJvH6/h0PicY66b9MyXUwXfzwV:uMo9mVou/6/Lbdm2PzwV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 62 IoCs

pid	Process
3500	Pfjcgn32.exe
3936	Pqpgdfnp.exe
4548	Pflplnlg.exe
1272	Pmfhig32.exe
2960	Pcppfaka.exe
1692	Pjjhbl32.exe
4336	Pqdqof32.exe
1668	Pgnilpah.exe
4140	Qnhahj32.exe
2652	Qdbiedpa.exe
4964	Qfcfml32.exe
560	Qmmnjfnl.exe
3060	Qddfkd32.exe
4168	Qffbbldm.exe
404	Acjclpcf.exe
3912	Anogiicl.exe
448	Ambgef32.exe
3032	Agglboim.exe
4956	Ajfhnjhq.exe
1900	Aqppkd32.exe
5008	Agjhgngj.exe
3356	Ajhddjfn.exe
1648	Acqimo32.exe
2036	Ajkaii32.exe
540	Aminee32.exe
116	Accfbokl.exe
1500	Bmkjkd32.exe
3320	Bagflcje.exe
4220	Bcebhoii.exe
5048	Bmngqdpj.exe
464	Bgcknmop.exe
1156	Bjagjhnc.exe
5060	Beglgani.exe
1204	Bfhhoi32.exe
1264	Bmbplc32.exe
1972	Bhhdil32.exe
2920	Bmemac32.exe
1616	Bcoenmao.exe
1644	Cfmajipb.exe
1232	Cndikf32.exe
4624	Cfpnph32.exe
3360	Caebma32.exe
3532	Cjmgfgdf.exe
1048	Cmlcbbcj.exe
4848	Cdfkolkf.exe
776	Cfdhkhjj.exe
3008	Cmnpgb32.exe
4892	Cffdpghg.exe
2936	Cnnlaehj.exe
1468	Ddjejl32.exe
1832	Dopigd32.exe
2932	Dejacond.exe
3144	Dhhnpjmh.exe
3752	Daqbip32.exe
1216	Dfnjafap.exe
4600	Dodbbdbb.exe
4760	Deokon32.exe
2112	Dfpgffpm.exe
3124	Dmjocp32.exe
1332	Dddhpjof.exe
5004	Dknpmdfc.exe
4692	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81N.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
968	4692	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Anogiicl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 3500	3276	004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81N.exe	83
PID 3276 wrote to memory of 3500	3276	004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81N.exe	83
PID 3276 wrote to memory of 3500	3276	004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81N.exe	83
PID 3500 wrote to memory of 3936	3500	Pfjcgn32.exe	84
PID 3500 wrote to memory of 3936	3500	Pfjcgn32.exe	84
PID 3500 wrote to memory of 3936	3500	Pfjcgn32.exe	84
PID 3936 wrote to memory of 4548	3936	Pqpgdfnp.exe	85
PID 3936 wrote to memory of 4548	3936	Pqpgdfnp.exe	85
PID 3936 wrote to memory of 4548	3936	Pqpgdfnp.exe	85
PID 4548 wrote to memory of 1272	4548	Pflplnlg.exe	86
PID 4548 wrote to memory of 1272	4548	Pflplnlg.exe	86
PID 4548 wrote to memory of 1272	4548	Pflplnlg.exe	86
PID 1272 wrote to memory of 2960	1272	Pmfhig32.exe	87
PID 1272 wrote to memory of 2960	1272	Pmfhig32.exe	87
PID 1272 wrote to memory of 2960	1272	Pmfhig32.exe	87
PID 2960 wrote to memory of 1692	2960	Pcppfaka.exe	88
PID 2960 wrote to memory of 1692	2960	Pcppfaka.exe	88
PID 2960 wrote to memory of 1692	2960	Pcppfaka.exe	88
PID 1692 wrote to memory of 4336	1692	Pjjhbl32.exe	89
PID 1692 wrote to memory of 4336	1692	Pjjhbl32.exe	89
PID 1692 wrote to memory of 4336	1692	Pjjhbl32.exe	89
PID 4336 wrote to memory of 1668	4336	Pqdqof32.exe	90
PID 4336 wrote to memory of 1668	4336	Pqdqof32.exe	90
PID 4336 wrote to memory of 1668	4336	Pqdqof32.exe	90
PID 1668 wrote to memory of 4140	1668	Pgnilpah.exe	91
PID 1668 wrote to memory of 4140	1668	Pgnilpah.exe	91
PID 1668 wrote to memory of 4140	1668	Pgnilpah.exe	91
PID 4140 wrote to memory of 2652	4140	Qnhahj32.exe	92
PID 4140 wrote to memory of 2652	4140	Qnhahj32.exe	92
PID 4140 wrote to memory of 2652	4140	Qnhahj32.exe	92
PID 2652 wrote to memory of 4964	2652	Qdbiedpa.exe	93
PID 2652 wrote to memory of 4964	2652	Qdbiedpa.exe	93
PID 2652 wrote to memory of 4964	2652	Qdbiedpa.exe	93
PID 4964 wrote to memory of 560	4964	Qfcfml32.exe	94
PID 4964 wrote to memory of 560	4964	Qfcfml32.exe	94
PID 4964 wrote to memory of 560	4964	Qfcfml32.exe	94
PID 560 wrote to memory of 3060	560	Qmmnjfnl.exe	95
PID 560 wrote to memory of 3060	560	Qmmnjfnl.exe	95
PID 560 wrote to memory of 3060	560	Qmmnjfnl.exe	95
PID 3060 wrote to memory of 4168	3060	Qddfkd32.exe	96
PID 3060 wrote to memory of 4168	3060	Qddfkd32.exe	96
PID 3060 wrote to memory of 4168	3060	Qddfkd32.exe	96
PID 4168 wrote to memory of 404	4168	Qffbbldm.exe	97
PID 4168 wrote to memory of 404	4168	Qffbbldm.exe	97
PID 4168 wrote to memory of 404	4168	Qffbbldm.exe	97
PID 404 wrote to memory of 3912	404	Acjclpcf.exe	98
PID 404 wrote to memory of 3912	404	Acjclpcf.exe	98
PID 404 wrote to memory of 3912	404	Acjclpcf.exe	98
PID 3912 wrote to memory of 448	3912	Anogiicl.exe	99
PID 3912 wrote to memory of 448	3912	Anogiicl.exe	99
PID 3912 wrote to memory of 448	3912	Anogiicl.exe	99
PID 448 wrote to memory of 3032	448	Ambgef32.exe	100
PID 448 wrote to memory of 3032	448	Ambgef32.exe	100
PID 448 wrote to memory of 3032	448	Ambgef32.exe	100
PID 3032 wrote to memory of 4956	3032	Agglboim.exe	101
PID 3032 wrote to memory of 4956	3032	Agglboim.exe	101
PID 3032 wrote to memory of 4956	3032	Agglboim.exe	101
PID 4956 wrote to memory of 1900	4956	Ajfhnjhq.exe	102
PID 4956 wrote to memory of 1900	4956	Ajfhnjhq.exe	102
PID 4956 wrote to memory of 1900	4956	Ajfhnjhq.exe	102
PID 1900 wrote to memory of 5008	1900	Aqppkd32.exe	103
PID 1900 wrote to memory of 5008	1900	Aqppkd32.exe	103
PID 1900 wrote to memory of 5008	1900	Aqppkd32.exe	103
PID 5008 wrote to memory of 3356	5008	Agjhgngj.exe	104

C:\Users\Admin\AppData\Local\Temp\004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81N.exe
"C:\Users\Admin\AppData\Local\Temp\004970ab69a95234a0b8c3d21f75849001d3b0cf350450ee655f8824037c5e81N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\SysWOW64\Pfjcgn32.exe
  C:\Windows\system32\Pfjcgn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\Pqpgdfnp.exe
    C:\Windows\system32\Pqpgdfnp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\SysWOW64\Pflplnlg.exe
      C:\Windows\system32\Pflplnlg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 396
        64⤵
        Program crash
        
        PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4692 -ip 4692
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
64KB

MD5
0360d40ab69dbcee27ea2618a5def481

SHA1
9328c79d318dcac11cf0e8c672a359777039f8a8

SHA256
d5f3d3bc378a4d89f8a2008973e60223e6daacec2e72b6abc05464c4e20bae03

SHA512
12c05518cbb96949da0de02446d5b1b42fde4b83f60b7d3011c770900b804c1da49b4aa54a3c05049326b976465f7120f2e8e58d5c87e72e649148445ea0d373

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
64KB

MD5
ed3151c0344bc31ae5587c65f985fa8d

SHA1
55ce61b3a7f9db59e2b0df9266a4da51561e9213

SHA256
cd4ed62640cda3753b440fed610710f13c4f1725c9094a213ed25fa986af999e

SHA512
f47af217459addc94d1ee1a7cad1649c742eec9cd66da6014a8e053cc58144d38ec296c30ba9f279990b1867a1852a36d521f9cbabc6dfd4c189dcfc749ef056

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
64KB

MD5
c7e5d950a69e46722598ac228d6564ba

SHA1
92a405db60957d9e949309418beb598fda7a552a

SHA256
cda876e805801d75e1190c18b7b5e52688771689666a6eddb69ea731aaa63448

SHA512
9e2d357a392a6b4887c3f7c277cabd852f2c0c2306852142e657e6fb8c5bf7a3fb966d37b029c3286b47a920bb518f14c74c63bf9e1594350f937f526c642009

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
64KB

MD5
6d64497da641587971633fe66097b2a9

SHA1
8ce464c9a9b8c9135cefea0c437813c97cc522db

SHA256
8d68da6dd22060b3601b4a23ac63e9ca43130b82e848d76fd82dd14f7a9b1e6e

SHA512
b4f0f772c12c77ba5e891c8d6b3e401b8b50d75bf861d952ce36068c852d92ecabb48eb5bd36687de48f690b0f982068f16340a1c504703c61fd17b38141ab9f

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
64KB

MD5
b9465b657cc95b9e9499b4fa0e82c187

SHA1
a1b2037bfe122c6e583f81bc4a09a787e92d6f0d

SHA256
486ccc8cbb1be61131fd3833d8a2f4c319924e0330bc0512a11cb73929adcb2f

SHA512
0aabdc956a80833ad7c0d0f07254d5e58a9d17a9959543d0297e1900cb1019f83b47d886c83d2a8b137eaf84437c34a8bbcd2889f2e64358cc06fc180bbf2edf

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
64KB

MD5
87d0ca0fab4f5c19bcc4bddceedd22f4

SHA1
2c8a820f8348353ed2e407637f962933d7297e9d

SHA256
0182c52c5cf4ad1cc1e07f4829347101a69acb09ee18da2aa8a848a4ad574b75

SHA512
c786a147de024adb7228249268534573744fced9f49ecb444629fec0d77420cafa8504a3c7b0fa7bfe81ded5adc2128ceb80686e8d26148ff3c6f06d6c8631cd

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
64KB

MD5
cba6a2f8dc42ad1fc52041e5d91849a8

SHA1
74dd674b683acd3b5e8b193e164fcf7815507d7f

SHA256
101ffcc20d0fd7abe6b0bddc963e76b40c4f3dc2fe4da4a9fae2cdcbb8b2b57c

SHA512
69f45906efe108e59b3996d52c711cd24e6bb05370ed4c58049a8611c134005d5194d65ebf601b4dd7afb6ea51835078ab3a8bffd68dad2ff7d7a3a7b875a13d

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
64KB

MD5
9613545e544f0dd0bb44f0a957d11450

SHA1
a1dffa568c78b04334e287c02e13f1b513f2cb16

SHA256
882487bd40ede4f133d272dc344f8e0b27b235588aac296dfd6c3ccac70ed75d

SHA512
488f16342e2280e443414f99e09200258ab1b934372f9c881e4b80366c55defb7796a567eb37759f4fe0dcb1ac41db88666632e67371d6db7fa4913285a56a72

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
64KB

MD5
1087da576cc39c6bec3ce1bcca2be9ae

SHA1
ffc24595120c072485554cf61fd5017ed01afa85

SHA256
2e5e139a15372e4920ff8ddc9ba390fd94775725f906373a96bdec4c62ad45ae

SHA512
40157a13fa8ac84e8933dfe76a36b83ebba34a69defbeaefe3cebef372a4bc9e5fcfcee6cd517463f6b46919498707db8856dff30e3b7be155a6d869d6bdbc77

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
64KB

MD5
b7f6c68d9abde01b671cb2b1c08b8a77

SHA1
2c599b514299716ac6b204afa4af852b454f8efa

SHA256
82393a1c17905ec5e2b9be2300649ff183fec506e89883e5231929a4cc083f5b

SHA512
e2cdfbf4500c424f1fdf1a019fe496b3977b2866fb37916be1b8d6bb019988b2ec255d13ef328be591b316dd0e4a1ae43e93370aa6205d597a7119ead19f7203

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
64KB

MD5
a06599840f3d64f03c7f492f033b2895

SHA1
6f04e5d8cd02dbacc3cba55ab25c1bda88c691c3

SHA256
e4a69d03e6d1ecd876dd7a414ee29b774d7c7f14438dc800b31941cbb41f51cc

SHA512
e24847e23218ffdd14d825b31b6302e5b7bb2e418436930e50a87e0dbcc5ed21db464d79adced6476cc6e705ee8d1bf3328b1364c1bd63bfd374816cb6a7134b

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
64KB

MD5
b317d04d500a3d864d33d07aeca35b3a

SHA1
39a6ef69926ad60a349839da4bd6e29f99f8f784

SHA256
6dca14bce256858cb4b0d948f3f1ef2518158724efc426d03f293f34a1cd2c4e

SHA512
c8b58025b8dff8a9d3427ae59d5a864734f6b9b431762e69d982b9f8af22d2404cc6e695e91427d673f7fabe19c26db54835c271207cc9379a9eb0c0ba6cc994

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
64KB

MD5
2e8855afc74061b7d517784ae39e6b8a

SHA1
fceac08f76f81715930a8035faa6f76aab7544e1

SHA256
f3ae57673a879b1995d09adad2ae9bd88583e10053f09c9f4f75e0edd9bac902

SHA512
94cffeec790ab56c9f282ee13b9eefee02e9254235e40ba18ce293c274b48243aad0e6fc07039045d98d9b06aea8fa56058f59f64703b51eb7c47ba543aeeed8

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
64KB

MD5
d1855f11be78c37c45fc5664aa6f0d6f

SHA1
b7f4987367496b1c03588bb1e99467d249e707f7

SHA256
8e4d7c966005712bb868b5d53864d07082f12093913fb09287114f1d78cc744a

SHA512
6045c37dbb52e6f887e24728a7995a71b7bfce455364af6c2d6fbafb89c5d2fd1cc7078520ab295ff717337770b07dbe10456ed46c41041d176802ad72277fad

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
64KB

MD5
71758511014ac8b8f8262503f11b674c

SHA1
6947d79d6216e66e36bd66974d8db88ad004c997

SHA256
beff41da8520d6c5121cf18ef5d3daf30a3801c12e36eff30267253409bd9984

SHA512
061723736177edb0002f9781b64339a177d60564fe930c45242ab3d801baecbc87498dc0fc860bcabd6bdfd805968f73a57bf5f42148f9f9ca52836aa481eb1d

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
64KB

MD5
b1c89433827ee04c7e0d2d7a83c30b47

SHA1
f0e132e6d3ae14972987f69aca36cab462b3dbfc

SHA256
b50e852199af2a8ee7c00ee01a356df9f01665133a7e3e956739a1d61353bce7

SHA512
4a2b13e9f1111ee8e03c69cbff82e032b9e174d074cc73ab03d7e5f573629caca9a8bae53bc7da81a2fad60c1f20ec387150943a5cd8ea82a234fb72dc6b3faf

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
64KB

MD5
65bad57ccdf56cca48667969afccffe9

SHA1
7e43a6fc91b0e9fab92b547b82796ecd2555e052

SHA256
757dd72d2e5d63faea71a6ba6ce9ffdf07cda5e3dfe7bb50dfb81d4428c48787

SHA512
0fdf42d7e0d23e9b4b6dbb08a044bdf311b570ba559085b0a5c1e88bf1e2944e307cd2be7dd85dce381831f1e02b73f3f906ee1c13f49262168623da00df7047

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
64KB

MD5
a475153efa8f3b0f43791d3f8974290b

SHA1
fbdbc8e1bcb604d8bf8631ed74ac87026eb1be4c

SHA256
96eb925a30fac795c14d344e22c6e1006d1fbe03fbf80e106b87c7d5044035ce

SHA512
bb352c65d800213b093da360fb3fa4e8cebd620edeece8aa11161c1bca7448f0b389cb2a63110f5567eb33b13caca88a7f713e3fd63d058d5a8efd945a4b96ea

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
64KB

MD5
48220fcb58e32632b87fe87d1016d006

SHA1
51a8c2ce7981d4ddd5dceb71a6cdc413eb4841af

SHA256
ddcdb4d98ff9d2263b67eb79d41653d7c3953274eaaea9559cebe558eaba20da

SHA512
36dd65e94aa48e6d059ac2eab15a3753f8614f044360deff6c800f982f623c61360b95af9e9e129cbb357437a8a373dd292ef747e2e2b40b3bf42348a897023a

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
2a952888e0f06b4e2d51d405ddde7032

SHA1
ddabeabc9942bb3a494f335abe30a47d2c1e6d60

SHA256
76cde088ea14923e66c12c6c4a2dc504a8bd3bf7f5cd2913cb285d34c738d046

SHA512
ed3381b95c318860b312c10984524a65cec3ed96bf4ac1cbea2b3c20814ac15dab4597150a794a9f82e3817203fde8f3302eadf400b6b90b21f2e0bcc64ca5ba

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
8b9e86ae6836ba0e47f6f14ae2453d87

SHA1
34e859c6158b9e95e1ba41a64c78d11551b99f3e

SHA256
59c79dd2d668931b79ea0b366a29c921b988fbf79c28275494a02f97ab98f28a

SHA512
2e1055e2bc8a8e382f676842bca0b92161b5a8184510a17a8bb98853e0a1173d456141a7628021fe1a52f8796e740fd294dfd5d04595dd31efaa23c5588c60a6

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
64KB

MD5
3b9140db298c6ebc14472951cd22d15e

SHA1
0a9ae47f9a38143ae0293e9ed3a3138a97c34a24

SHA256
79cabb26da0cee269678d163eaace329d9562313604bf76466e844885a1be382

SHA512
f999e236ba2e9174f8e1446abe830ab88223a2bc18817a7491b31c45c288ce5a1f837cdda3b7d249df0ed6b85c5a47abaef649dad6e6712c270958e22edac5c8

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
64KB

MD5
03c62fe18286f4dfc82025425fa2353c

SHA1
0da650d3e99276f5bc9ec41135939eec168b9393

SHA256
2b8616505c38e7a52ad2cd72b4fef23f66533eee0e535d81fb76a8121508830f

SHA512
57f92b33c2ebcf21eaeb05e13c6e522f69f24e9e8de6a666dfe30ff8478501470340d4a98b4df4303d1f5dc0ba7de6465bf1eebfaee79b632e0cef2e9885181b

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
64KB

MD5
4c9b863b7bf2a051a5c526581c49e417

SHA1
337a186a8c1cb7bb8b2b94c52a0f8fc0967232eb

SHA256
412763558542972823f0b7ef0ca9fe7bfa2fc5707f14099edfbfb29eadd4391c

SHA512
247c523e76d27d69b1b761071744ec4f044806cddf3237d98b396d57bda93440c88d6a98ec2d6ebbfbac537e837b522c535077b4c76d71498f36955a50d3682a

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
64KB

MD5
0d2f83979c6b0a59ff7658d8a6640b4b

SHA1
e50aa2ed8a6bd7e6ac35d706128cfd15acefeea4

SHA256
baf0bdf0631a568239a31446ec35843584f05fe9d0925731edb4fc49bc7941fd

SHA512
a7a46231e0c2356b3dc8335bb6f4496804ed4a780ae26186eb1ef41b187bfcc8028141efdf9fe4617e39d569ef93a940b23966824abac4a5b92d32a88297f2a1

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
64KB

MD5
d8a692aad6692e77b95d86db9018e35d

SHA1
f21933d7262f1e592ffeee221b10a214fc4dc32a

SHA256
77b5a81facf5a89ff366b6e50ebfe87dca6f12a23b1ebc8b31ca38763773e77e

SHA512
d15a576816deecbcce2f047d54d4505706016fc0a671bacddb0ca0a92541031296d7a9c0e51cb8e5d12e79562111a5c6ae1419bedaec610f0f633f8cb4a72c6d

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
64KB

MD5
d96ad7da0b49a7ec59d9db8913635c7b

SHA1
e55e7e390aee458449b962ba27aecd4605672c64

SHA256
93ef158e7cfd877c8fd60478623d6928c4ec82a3245b4f3acf5212ea56a38650

SHA512
a7a0b175070653ce48ea44dd11eab28d856e782fbf67cfe26caa93e0cfa137592eda35c5ac6209ed7f0161ccf4fc06217ba87ccd3c53d40d695b1dce930785a9

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
64KB

MD5
7e4caf0f7b70bb18a1bb7f27a7178a9c

SHA1
2a0f505ccb2dbb46086bf86cf19a040ddce2819c

SHA256
83d50d90e42136fc694715337712c1985485a1c5c9cd4e2c36ef1331ae616b3c

SHA512
2c517cec642498e216484e0bc57ed349587252e62578a553edb0ae11fad70a71cbd3547559a68db14f6cec5b2315ff329253d31800d1fb34a6a41389af10e901

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
64KB

MD5
99821045afe0ea17e1f5d45b444db05c

SHA1
90d67b7314ed04390186537e4986cc51a5f1c5be

SHA256
5e365eb89830ebe5ca4ec31c424c3d6288ed14873aab20b87baf791d091533db

SHA512
6151a2b7316fe63ac5657a428dfab96182b6df1c1b2579a75a9646eb2a2fe82d21cbea167c87eac38ab4dcc6445444a1c8ce5552d880865938321300883b84f9

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
64KB

MD5
624d0221f2390b328a9e5aa2bd0174e9

SHA1
47903fc0ed0375d4433e1079689d025e75bdcbd7

SHA256
2a8e9f564ca3bec763494012b59226c02ba02ecb3b506542075835c4d80ac9c3

SHA512
7a37b1a1833c6bdf271a105fc6eb13aad8fedc4a0e8b0aab878e0a5953ec878b65ee5b4b62fe8c1e7428bc32f13567a5d243bdc03edf41771756fc163342f8a0

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
64KB

MD5
6a4f6d50b02a28a38cb458eedc92842b

SHA1
09f3d97095fa97e404e72f827f1d81c0935bd901

SHA256
2cbe57be0b3e45b8d30bfe96861ea64a10d9b816fbab9cd3bb7e41ceb397b98e

SHA512
41a6099b69fa6be603e9bcd7fbf46e8e1f29c9d9f6157d84cc9d62e97d96b182999951803664b1a87e0667193f205fa1f91ff1b70d969a7fa3c3845d7f139e6d

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
64KB

MD5
f60a467f511a9b043c7508206c1ddd36

SHA1
768e95b20be7a748cb8b5422fdec2b93aa25e8a9

SHA256
14d6c1c1a538ad30c8e6cd6321fce1846ff0ce767db69fc43a937416e98b0399

SHA512
2ee6d71c46cb4cf74b83173f3f30e77b356be24d2c2deb5cd435a0f850611c855a1286bd4c17904fc709b1ca30117fea7dca80685de53d6ec0a0efe92d666d00

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
64KB

MD5
cf9b7e59087d7eb1f28f8ae42473e9b7

SHA1
592168a51ab43970e6e640736d4e8818120fb7d4

SHA256
37b26f2ee09889ead1968fe2dcad883ac7099b4ba2cf7b1cd950c15964fad5e2

SHA512
e909d14361782b1039ed8deafc1ceb5db7d6ed71c346fa37cc9da3b0d3b1c6563d86aa796fd65391ad53973292ce34ab86ee702a3627771d751355d9e6bf7396

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
64KB

MD5
656ff2b3a843a77c3729c1f5f981a8c1

SHA1
af88ca5b65085ea2d4070b1d84d6784fdfcd915f

SHA256
9108451ba67a704f35a7c0efd50449db33cf9c3e400c38bfc9a92f2c082d805e

SHA512
d0b21685894de5820b21a16f5390aeab30d3d085baf586adff8e0ed3c81099292cbd2fe0f9ad8213818077031b43c802b76099888342f3aa9a00413c1f6448a7

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
64KB

MD5
2350b5319f96edd78a0cfe98354704be

SHA1
a6bc37590345b94981e7ad1a8c663251f8161ba2

SHA256
fe680adc9925b3d47038e51c46889d60673e969563a0d382441c538dffa0ed25

SHA512
611f13ab00da9b03d92e02f58f5ac28ec14fd4c9c237b2ffe60de6e5f631dc2149e0a887aae4239aed96b52fd5f00fda63fbc96f43d9fb2a6239d219cf80a89b

Download Submit
memory/116-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/560-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/776-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/776-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1048-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1048-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2112-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2112-445-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3276-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3356-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3360-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3360-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4168-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4624-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4624-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-439-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4956-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4964-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads