berbew | f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6

Analysis

max time kernel
91s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe
Size

320KB
MD5

edc16442143d0f6c81326dbcf73c5aa0
SHA1

7860d4b4a5b58bd31ed5d038a9cd384bd873df96
SHA256

f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6
SHA512

e201d79cd660fc181fadffca47267676f50465af9d131f1b7352d70f557cd307a599886ad09be806c4aab837e44687afa862a457bb2752e89d6103e05291eecd
SSDEEP

1536:/zKBT+R92XNdGLJgXc/B07urCySS+Tg/Jfff+BNFeHYfPhqkYe/vs4R4d5RHIrl/:aT+r29YgXAB0kCySYo0CkkhHs4WfOb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 61 IoCs

pid	Process
4796	Oqfdnhfk.exe
4440	Ojoign32.exe
2248	Oqhacgdh.exe
3168	Ojaelm32.exe
4780	Pdfjifjo.exe
2860	Pnonbk32.exe
1276	Pdifoehl.exe
4768	Pjeoglgc.exe
1444	Pcncpbmd.exe
2972	Pflplnlg.exe
4696	Pqbdjfln.exe
3400	Pfolbmje.exe
412	Pmidog32.exe
2748	Pgnilpah.exe
2364	Pjmehkqk.exe
1304	Qdbiedpa.exe
756	Qfcfml32.exe
2352	Ambgef32.exe
3584	Aclpap32.exe
2920	Ajfhnjhq.exe
1476	Amddjegd.exe
1696	Andqdh32.exe
4788	Aabmqd32.exe
5084	Anfmjhmd.exe
3264	Aepefb32.exe
2448	Bjmnoi32.exe
1928	Bagflcje.exe
2864	Bjokdipf.exe
2788	Bchomn32.exe
1216	Balpgb32.exe
3708	Bgehcmmm.exe
2848	Beihma32.exe
3508	Bclhhnca.exe
1616	Bjfaeh32.exe
2828	Bcoenmao.exe
744	Cjinkg32.exe
1220	Cmgjgcgo.exe
1688	Cdabcm32.exe
3076	Cfpnph32.exe
4740	Caebma32.exe
4416	Chokikeb.exe
1336	Cjmgfgdf.exe
4352	Cagobalc.exe
1800	Cfdhkhjj.exe
4732	Cmnpgb32.exe
2188	Ceehho32.exe
3948	Cnnlaehj.exe
3764	Cegdnopg.exe
3488	Dhfajjoj.exe
1420	Dfiafg32.exe
3280	Danecp32.exe
3528	Dejacond.exe
4920	Dfknkg32.exe
4228	Dmefhako.exe
1652	Delnin32.exe
1140	Dfnjafap.exe
4344	Deokon32.exe
1348	Dkkcge32.exe
4268	Dhocqigp.exe
912	Doilmc32.exe
1912	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	1912	WerFault.exe	144

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4796	2780	f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe	83
PID 2780 wrote to memory of 4796	2780	f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe	83
PID 2780 wrote to memory of 4796	2780	f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe	83
PID 4796 wrote to memory of 4440	4796	Oqfdnhfk.exe	84
PID 4796 wrote to memory of 4440	4796	Oqfdnhfk.exe	84
PID 4796 wrote to memory of 4440	4796	Oqfdnhfk.exe	84
PID 4440 wrote to memory of 2248	4440	Ojoign32.exe	85
PID 4440 wrote to memory of 2248	4440	Ojoign32.exe	85
PID 4440 wrote to memory of 2248	4440	Ojoign32.exe	85
PID 2248 wrote to memory of 3168	2248	Oqhacgdh.exe	86
PID 2248 wrote to memory of 3168	2248	Oqhacgdh.exe	86
PID 2248 wrote to memory of 3168	2248	Oqhacgdh.exe	86
PID 3168 wrote to memory of 4780	3168	Ojaelm32.exe	87
PID 3168 wrote to memory of 4780	3168	Ojaelm32.exe	87
PID 3168 wrote to memory of 4780	3168	Ojaelm32.exe	87
PID 4780 wrote to memory of 2860	4780	Pdfjifjo.exe	88
PID 4780 wrote to memory of 2860	4780	Pdfjifjo.exe	88
PID 4780 wrote to memory of 2860	4780	Pdfjifjo.exe	88
PID 2860 wrote to memory of 1276	2860	Pnonbk32.exe	89
PID 2860 wrote to memory of 1276	2860	Pnonbk32.exe	89
PID 2860 wrote to memory of 1276	2860	Pnonbk32.exe	89
PID 1276 wrote to memory of 4768	1276	Pdifoehl.exe	90
PID 1276 wrote to memory of 4768	1276	Pdifoehl.exe	90
PID 1276 wrote to memory of 4768	1276	Pdifoehl.exe	90
PID 4768 wrote to memory of 1444	4768	Pjeoglgc.exe	91
PID 4768 wrote to memory of 1444	4768	Pjeoglgc.exe	91
PID 4768 wrote to memory of 1444	4768	Pjeoglgc.exe	91
PID 1444 wrote to memory of 2972	1444	Pcncpbmd.exe	92
PID 1444 wrote to memory of 2972	1444	Pcncpbmd.exe	92
PID 1444 wrote to memory of 2972	1444	Pcncpbmd.exe	92
PID 2972 wrote to memory of 4696	2972	Pflplnlg.exe	93
PID 2972 wrote to memory of 4696	2972	Pflplnlg.exe	93
PID 2972 wrote to memory of 4696	2972	Pflplnlg.exe	93
PID 4696 wrote to memory of 3400	4696	Pqbdjfln.exe	94
PID 4696 wrote to memory of 3400	4696	Pqbdjfln.exe	94
PID 4696 wrote to memory of 3400	4696	Pqbdjfln.exe	94
PID 3400 wrote to memory of 412	3400	Pfolbmje.exe	95
PID 3400 wrote to memory of 412	3400	Pfolbmje.exe	95
PID 3400 wrote to memory of 412	3400	Pfolbmje.exe	95
PID 412 wrote to memory of 2748	412	Pmidog32.exe	96
PID 412 wrote to memory of 2748	412	Pmidog32.exe	96
PID 412 wrote to memory of 2748	412	Pmidog32.exe	96
PID 2748 wrote to memory of 2364	2748	Pgnilpah.exe	97
PID 2748 wrote to memory of 2364	2748	Pgnilpah.exe	97
PID 2748 wrote to memory of 2364	2748	Pgnilpah.exe	97
PID 2364 wrote to memory of 1304	2364	Pjmehkqk.exe	98
PID 2364 wrote to memory of 1304	2364	Pjmehkqk.exe	98
PID 2364 wrote to memory of 1304	2364	Pjmehkqk.exe	98
PID 1304 wrote to memory of 756	1304	Qdbiedpa.exe	99
PID 1304 wrote to memory of 756	1304	Qdbiedpa.exe	99
PID 1304 wrote to memory of 756	1304	Qdbiedpa.exe	99
PID 756 wrote to memory of 2352	756	Qfcfml32.exe	100
PID 756 wrote to memory of 2352	756	Qfcfml32.exe	100
PID 756 wrote to memory of 2352	756	Qfcfml32.exe	100
PID 2352 wrote to memory of 3584	2352	Ambgef32.exe	101
PID 2352 wrote to memory of 3584	2352	Ambgef32.exe	101
PID 2352 wrote to memory of 3584	2352	Ambgef32.exe	101
PID 3584 wrote to memory of 2920	3584	Aclpap32.exe	102
PID 3584 wrote to memory of 2920	3584	Aclpap32.exe	102
PID 3584 wrote to memory of 2920	3584	Aclpap32.exe	102
PID 2920 wrote to memory of 1476	2920	Ajfhnjhq.exe	103
PID 2920 wrote to memory of 1476	2920	Ajfhnjhq.exe	103
PID 2920 wrote to memory of 1476	2920	Ajfhnjhq.exe	103
PID 1476 wrote to memory of 1696	1476	Amddjegd.exe	104

C:\Users\Admin\AppData\Local\Temp\f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe
"C:\Users\Admin\AppData\Local\Temp\f83497ce6df88020b5d4b15cb7cfac94ec4aa68682ece78d98a291831ababcb6N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\Oqfdnhfk.exe
  C:\Windows\system32\Oqfdnhfk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\Ojoign32.exe
    C:\Windows\system32\Ojoign32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\Oqhacgdh.exe
      C:\Windows\system32\Oqhacgdh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3168
      - C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 396
        63⤵
        Program crash
        
        PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1912 -ip 1912
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
320KB

MD5
bd20a19f3ebb5678d2fdbb7decbef067

SHA1
5e49b9290685e7909353f2a47ae49bc35679873d

SHA256
ef35fb396a8887ae72d3a01690b1f6d4e639f236b8ebb70ad8aefb3582c79fbf

SHA512
5c10855b6f3b26e0295c9db16224ef1ee6913d290f3cba2b9a189e48922b4aa02766fc4c518b788c8e6973bd3412800b68c8d2183e3e84c07a7049849a71288b

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
320KB

MD5
85268fd947899860c5c75a5b1ca4d0bc

SHA1
421ac940646d145bf509999eafb5e96fc6a450d1

SHA256
a5988fc78d0afce40058c765cb3f865e431902e8fa07cad8a9365766453e7b5f

SHA512
a9c24800f59872b15891db42f7e23a01570c6ed0c9a2a7e3c68001a9676118074e800b870fe86d9e505ba220cbd8771d4b580afa2adfa404e44a281b17482709

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
320KB

MD5
d2040f1e7dfe993f4b77332a9b3851b2

SHA1
36bd5ec4f74824c17aa2cd41eba7fa1d49b4418d

SHA256
2aab0eaf27c3ae6840e8c5cdaf16566a8b6f99eebc36c11377e78a536baa97ef

SHA512
cd27aec4dbc312b47e2d113fc994b30152ddfa66306bea689755e22b3a9aaa24effa79903e04a8ed108ac6a8db7177b4fc9562c8ecb21c0614379e0cca265387

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
320KB

MD5
f28f1151c9d964feb4e8239615227833

SHA1
f90ffc3214758f167a793e69de74f4ca08124ca5

SHA256
db613accf79944ecf6f23133e07c271cf9f7af0537ec558462474802a852989c

SHA512
2633965f810cf4ff067d3f029ac1a46a471002540966e5286fae362b28a12f959def7981dc6dad6ca99242030a60843a236f09451668b09925d8b07f2375ea7e

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
320KB

MD5
9a3d2960ec69a3b410296ad52d688c66

SHA1
50c4115eb797107aaea8b6f132d78ab22ec3352f

SHA256
a1daeacd5617ac2d410b75098fd8e69396e9b779c8392bfd74649a6e86e8f967

SHA512
b105c29913c338b03f9bc61ad76df65df3f4288cb26271c782de86bad9f8c2eed4f6bf4a08410b8ccd7be066376a5b8e8a30893acc3367546d4bba71c997b28a

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
320KB

MD5
e70d4f190702964faad5500524b385b5

SHA1
7f74bfc7593e06a747e2fee750279942566fe72a

SHA256
0b312a1ad6b15b642ae5ea9356917e2dcc3bcce29c08b3d4881ba7bd9b5eee12

SHA512
2271f602625c0084d70ca3025758a1f5f4c4f4db81451ab7316c5d57084523ed97047f20f5d0ab61af2905150ff7a7a1c50040aa8804b635617ff1d120437a84

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
320KB

MD5
00d9e693577ce007665e69f65c3942d8

SHA1
d7d45e291c1e50f9f422a2d8ef4ee5460ccf51db

SHA256
6ecd0ddaf28fd49cf197559fbe117ae8a16607fd816fd23287f4b3133e819064

SHA512
5c2a71eca61cff5ff02bca122a10d3c20a75908ecc0ec266cfeebcc7248e7a79369042b95a677a9360f80cddd70fcabe3fb350f8774cadf741b7fe8f3215464a

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
320KB

MD5
2f2086db37f78454c0dfcbbfa830ecc6

SHA1
8fab905ae26f7f1a5fca586091eaa347f15dc4fb

SHA256
e08161b31cc44a088fe11ca2b6bdb11936539dfe6be98de21575417327a0ee2c

SHA512
ffd2739a1fb73bf1f644afda542e5e9ba680b70181d4d04ddeda8f6e9893c54d468fc423df9d833a8c377ba0240f7a399d749a6c6a79c357201fc1746cb347a6

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
320KB

MD5
b3c7222ad78317d4d9be68f4f6b0e7fb

SHA1
f8e87a917b5b3ae1dbdd63c9f260eb1be91f7e28

SHA256
171f3a6a0141a8716ea455684e7f96369876168be1a657752ec3272863e707fc

SHA512
3c8f29532619672c3edeecf5028d5da8163b9806611c38c98a99f267ae6d433d94c331cceb9a1582c5689310e1098817c3417e85f97329d51940ce987c14d923

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
320KB

MD5
b295aeba602bc88e1e9390c39ab6f6b0

SHA1
2db011479deafdc54c0298e0a53bef41fc716e16

SHA256
44bdb4510b58b6bccf1d566727248c21a8bc04cde434a32bc98ceadf5e3094ad

SHA512
6e36a25f7e4d75fd761a15c9581aa664c274f4927ca20d71033d072e17dd4afd4ec1184c9ea9cf6c548fa9db14e221cf70cae01b14f3e78bfb064768c3c01c0e

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
320KB

MD5
58b9a5dd67bacc3b0e06e482c1491cd8

SHA1
2d5ed8b273b8cc40596ffb605796ab541d8d5466

SHA256
071ea6942c0545b5867d7ef2d0fb230f71c0975e656e378c751d4e8d817481b9

SHA512
ebd88764742ab5707e21986ad1563f99e490f20f0c2bb6b870cac179917706cb36fa876c4979a3c438443c73f2f2f11b1bf15774db6e607cafc852a209813c19

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
320KB

MD5
d3877dc1a8390640b35beb9d7ea86eed

SHA1
3306b739c97f2b481ef2b9f212b5552a7bffdf69

SHA256
5af52c0f801404f5a6dedbee4a1cb66871886b74559f632664ca3addc8abdf24

SHA512
ca49ff120fc8d604c80a2fdef5e88297b1b200c4c022213287746b81a777c3dadd4369159cf9d0fb8c5ce74da8671374394d8269d658500064f2c47ad3fdc73b

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
320KB

MD5
5b35e581fa2f73755fce75db71e5c408

SHA1
9f1b012b675633399f85bea9f86a5ed39a52d1e4

SHA256
60388eeb94b6ca37c5ed680791dda25191e728c872b48166044fe185094712b8

SHA512
c653a2ed4cf708dfeb229405cdf931a5cbf00fe4da8b64d71de1f9089a0cacb3433c457bd5f19a753e2b31fcb9466437594cad1c492993a9058bb65b5552a819

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
320KB

MD5
88bcae792d51b3143eb3f387dc06c9a8

SHA1
0490a9fd72cc4210adb137855ae21a2172b5e668

SHA256
7479168931166be78b32ceb90df598447c4829da32cdbf5e728b53b291f06bcc

SHA512
1eca84e64cb78c217cdf198278e859c49d4c42ad0290691e51d90f8336cc25ef88ce50c60df2fa23f3947d3e952b7b2f3882640c741d504beeaa1de4a4778599

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
320KB

MD5
e691cc5ed172b1e06379b5d178f39e65

SHA1
edc5a92697def97b3d99d3fd9fcf3f6d04370075

SHA256
c642c88500d2969d4b37c5d8b345675bf5f5b2dc37c5f454da9b10d43521affd

SHA512
43eeba44ffb3c199512895a6975c61fda0c7f4c13a0e371c8151eeba3738b77454ae346248269c46c0c8c100142514b3350f3bfa64f5f6c1b8903ee3ece04951

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
320KB

MD5
62474e11f5900e0cc77f0173bd154266

SHA1
5e95b3043b6cff72933109a3b273a78c54015a37

SHA256
4fcb441a57f18f835411bf426a855cab4881ccc2c6f596f2fce397b0e8574920

SHA512
84d2d046353bde2b7447cf4445f3a4eda15ff1f624ec56053d369f4228e2a24d6fba218c09f6021231937e42748ca93c4ccf110689f257dbee32e87dd5be4a4f

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
320KB

MD5
b70a680f365aefd1f354324bd8218a17

SHA1
7b3d1643697f07522806b8f83b124333f72637a9

SHA256
804c0ece431fec1ee027c3ee5f00380dbb7df6601b3da6aea95437f2d6a359ae

SHA512
19de16b583dbfb48dc1ce055f0d181c8523e6958ef1da2964a86f4299b140746fa5ccd07e57275f4eddf572d54e3fc09cd3300549c103b69cec1119c45ac2d7a

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
320KB

MD5
6971c19ae9e60e1e1fda1cefdf24e7c9

SHA1
8ebfb4cb172dffef57a0c0ac60431f73528b609c

SHA256
6586803420a204e3a4572af12c01bf18c191afa109723af3c305010b9e93080c

SHA512
dfa13312f08be9cff429a0f3a1bbeb5deb666b216317a303e324caeaf2ce08e47366cf5dec341b02f8cca2ee84f0fe267c70c11a41632a913bd880b59ec1430c

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
320KB

MD5
56aaa6080ae2dd89274e98d976aa4075

SHA1
bf336ff46f3448ceda7bac4771aace657f5f4f1f

SHA256
8dadaaaa9a9160ac2e458f9fa63dca259c848fe85e8f8b575e6684789d9cb032

SHA512
8d0d0c50c594ed0cf36e8bf66fc8846c4fbe2a8c8b1cf731989efa93e11d465f27b08f832a2fe30cbbca16653d0ecd05b74e8dc956677e997a3dc94e1fcbfd67

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
320KB

MD5
d2bb9c4cf08e4cbdf7169960bd742a6a

SHA1
79093b3ac315b11a45122b2622b58418df6cdc9f

SHA256
edcec01c8ebde992ac3e815bd6ad98d562a3eb6a4ef76e6ec8f302d0b08b9ca2

SHA512
2cd32cb8ebc1ff6e379b04c7c81beb4e0157012e6ad69866eb53c2c36b6004cf04ee5f1455177a01cedf788fcba2fcd1c2aab65c8dfe327024c0a402a4e87c3a

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
320KB

MD5
b9f80e551b921950d24584ed5c132cd5

SHA1
2b7790a681d8661996258b77cfb4f9ab4717fcbb

SHA256
e28c0bf33d2d0ad2c86c931b027e499e3f50618c25a2edc07bae4a8ac70fabfe

SHA512
1599eb363a72182a466c10c5b4a4dc895da7797ced32c989623a52318d6be86b282461a491a7653d18b4c7aefa0b8d164730a7f201fb4b673204f0f9e97c67ef

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
320KB

MD5
a05768989d5cfd995dc938ab1f9c44ba

SHA1
7aef45fad3de7becc8546c012853fc0426cf8f7f

SHA256
4e563b4b556cd47776bde960f6f1d2865b99f50483c762facbd772ecdf733e28

SHA512
a299ed2543737e9a3e43fe5586c356e421afa964f375d600ca8dd2b6ae1f49d668786355b9acb45f98cdd57a48e899ce88f5c0400965551455b72e127d30f777

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
320KB

MD5
f014431f271161bdc276c44decee9f1a

SHA1
07459724551cccb3e448e11425a992fd0dd844b2

SHA256
e2ee06407fd5fda5adcea1d38f18c6ec13e81329c6d54e1e4d86f79296e38d0c

SHA512
4da540e3ee1d4abcaad598fefec43bcd4ea98d16f5434d104361779cba235f1d573b790f51c8d303821f8c02ebea4082a0cf0d66c94a4e1107666dc38bfbfeba

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
320KB

MD5
f7baffa7bd81784f5bff52386b101ca6

SHA1
17de03f7ae0431f7717e4e14bdf999c268eed4cf

SHA256
24f0b0c897bfd44e768af632fe96b73e637eaa6edab16112a5a739d66e95496c

SHA512
6116f45179b927c97f463dc344c74d879a47637cb5869e64895e6b325ff49bf22cedd4bb94615296a9fe2e60479a3bf38372e488ff8d48ea61c1f767b48f0b4e

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
320KB

MD5
4be0f4c286c103e3ded9851c894e3c82

SHA1
b7aa83df7bab3b17a6f6bbd6d0d682bdce0c45d0

SHA256
03a882902c7f2bb2a6caf8bc9c1247f755d4d308e2903f2f111adca67ae19f19

SHA512
cb130fe3be592353debe4c80429e0a4766e6b97aac9fe914cb9d8c18ea72182796fd30fe5617b0c0ce7391fb64de9cdab0c5b988a0bceee31e8f909fb9236bd4

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
320KB

MD5
b0cf21ab28895ba775038b07084904c7

SHA1
80f106f8c9ffd5d5609ebd48237a18dbe5ef783d

SHA256
39a371d333933c3d1ff3f989c889beca37c9f0e2c8c4c81a513db97f6d63b4fe

SHA512
2a909c9ab35b7182b0e4e61f25d85d9d6fa5086ce57ae3dccf307cb28065ac4bbf91e1a952257387048b0d0d3b55666cb12a2c57088d65a84f5db970c4077de5

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
320KB

MD5
b0bc074859429142f6a65e305c8dc7e4

SHA1
cf551532c9ca43532e7e03c097cd5afe17a96036

SHA256
ccc08851015d07ac2c427caea9cf70ac5a5db2238f820bd42a52170c7453e4b2

SHA512
0edc380bad7314349ad7f4a0a74179bf4ad734427364ffd972105db501d6da73b8e1998a7387d47f4c54990dd1f49cd1a346ef54e827433cef993a0ce2506d2d

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
320KB

MD5
ea8b47a02c704ba025ed44abb2b4e1d6

SHA1
0550d0dd4aacc8587630b44921ef10e77275cdff

SHA256
24998b0503484f2a4851df42c4c1395c76292ad0d5ee2500923e2af1df3c32a7

SHA512
f2306a3950248fef33db15c422b4ccbfd1b29990b49e7c3fffa497cc01cac4c426db246df3f9ef7011a147c7d0da489d9fc7240ee6a0aff84e36d51fb1f6f79f

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
320KB

MD5
a265c39423f4e241e10171702520c8f1

SHA1
5bcc458b0b817ebb5df1b49d1631710068f9c7ea

SHA256
73e4afb2a20cbdc5e2833206f5f5bf35a4bdf82fdf1310bbe3959690a4f559c4

SHA512
bdb9782c5850a8bb10d3ade986bff7228db3aeb6e0c32a81438357cae4543bb9a8ecae22d59852d3f2888a5b620c4e6e006c33399ccad6b2abcc8851cb4942e9

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
320KB

MD5
cd156fbc553617466a8d487885cf7b5e

SHA1
8d47208b58556547e0132d59577a30c8d6d90dfc

SHA256
955526ab6f963585156ffb1b8a675dcb95efb89345f9825a91d299362ea66756

SHA512
6541018377250db11620cffd2827eae34c0b96b6a9b65963044d8976ddce0c7c2deebcea28e3f049db4973f96f36208476704d481a391f2841e7f0ccfd903afa

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
320KB

MD5
c956076b2fc44c89696c1d8589f59f23

SHA1
034fe9d6368950a9535dfb74cbb948aa25eda316

SHA256
baa7ef9b179a6a6f797ba5bce8579757e53644e3c41405ebcf84a77d247f95cb

SHA512
69c01ccc59b067692802d5b7193e73d57bab3cdc50eb0780b22c7ab36a4d73a0164be81946fc840c66b1a253fa18f82ac6d6bff0fc4f4427034cf842104d7873

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
320KB

MD5
950a339f5578f2d45bce759a3186920e

SHA1
9e9112ea653656a42c9aa474637551d672d6c016

SHA256
244aa8ecc865d329ab98b8968ba48bf60cc38b08f7b146dc13e6f90d20964b4c

SHA512
697b2ba8fcd8d4155174761802919bcba805d981f463c091a738feb0c4c28d08c0319423f4f365da96521d208002cb08deb302801c09b03c8ab77964af0b2417

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
320KB

MD5
dddde755c3d607f038ee019d94338196

SHA1
b9615ea34dfc4e8414a3187c6199546385ef8ab2

SHA256
6d48509c6b159295b8b388417ff3b366fd9c57859986cfef7b2cad384824d2c3

SHA512
358151807ae0102b0a24b8647f54df4efa642fa7f4ea8f08a0f88b914dece28e46078d8853a73031474ec5f86fe3a21bd1f0ebd9c038d5f19e99108c0726692b

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
320KB

MD5
41979b238b0c86255cc7880022a542f6

SHA1
7d54ae51663a53799ff996faffc7cbdd5217c12c

SHA256
6fbce5c45d8a1daf2279568e2d9b49de661d951caf7b1e17744960c9e4fe4acd

SHA512
e135444239491476dbcaffc2a3a633ea7d4fa9f0a7dd02e3180cb0424606825bfff6f977c970526344a3caf4b87a38dc189d99bbdd98a5d5cb60f690a1f089e3

Download Submit
memory/412-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2780-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads