berbew | 4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268a

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe
Size

60KB
MD5

e879e6c3017f1c97039cc8c2da2e46b0
SHA1

be8f2dac2e9a8ff01cc3f4e4960014c8e166b4db
SHA256

4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268a
SHA512

9d8e7cbac70424ad3d0ec7e3fbcc005d012e7e8f03eed7ddbfab320b1c8f02b837d88de2de59c4b41631cd97a79983ddab59a69814b88a7c911b7342ef2d1238
SSDEEP

1536:De6c1LIc1rKu9ElSdsYlZoNpAq3Vr/gtweEZ3Y5B86l1rU:S6uIc1rKu9El6sHAWVTgtwxZ3YB86l1Y

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 59 IoCs

pid	Process
4916	Pmannhhj.exe
3152	Pqmjog32.exe
1744	Pfjcgn32.exe
2664	Pjeoglgc.exe
2900	Pqpgdfnp.exe
3236	Pgioqq32.exe
4320	Pncgmkmj.exe
4416	Pqbdjfln.exe
1676	Pfolbmje.exe
3048	Pnfdcjkg.exe
4624	Pcbmka32.exe
4992	Pjmehkqk.exe
720	Qqfmde32.exe
1464	Qjoankoi.exe
648	Qgcbgo32.exe
968	Qffbbldm.exe
528	Ampkof32.exe
3596	Ageolo32.exe
2484	Aqncedbp.exe
4752	Ajfhnjhq.exe
4980	Aeklkchg.exe
1576	Ajhddjfn.exe
3808	Aglemn32.exe
1492	Aminee32.exe
116	Agoabn32.exe
2752	Bmkjkd32.exe
1060	Bcebhoii.exe
2824	Bfdodjhm.exe
876	Bjokdipf.exe
4608	Bchomn32.exe
64	Bffkij32.exe
4812	Beglgani.exe
3936	Bjddphlq.exe
2372	Banllbdn.exe
3336	Bclhhnca.exe
4172	Bjfaeh32.exe
1508	Belebq32.exe
1924	Bcoenmao.exe
2980	Cfmajipb.exe
5040	Cdabcm32.exe
808	Cnffqf32.exe
1740	Cjmgfgdf.exe
2068	Ceckcp32.exe
2024	Cfdhkhjj.exe
588	Cmnpgb32.exe
1996	Cdhhdlid.exe
4008	Cmqmma32.exe
2800	Cegdnopg.exe
1368	Dfiafg32.exe
4984	Dhhnpjmh.exe
4268	Djgjlelk.exe
1344	Daqbip32.exe
2120	Dodbbdbb.exe
1360	Deokon32.exe
1568	Dogogcpo.exe
2432	Daekdooc.exe
1432	Dhocqigp.exe
2920	Dknpmdfc.exe
4140	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	4140	WerFault.exe	143

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4916	4864	4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe	83
PID 4864 wrote to memory of 4916	4864	4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe	83
PID 4864 wrote to memory of 4916	4864	4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe	83
PID 4916 wrote to memory of 3152	4916	Pmannhhj.exe	84
PID 4916 wrote to memory of 3152	4916	Pmannhhj.exe	84
PID 4916 wrote to memory of 3152	4916	Pmannhhj.exe	84
PID 3152 wrote to memory of 1744	3152	Pqmjog32.exe	85
PID 3152 wrote to memory of 1744	3152	Pqmjog32.exe	85
PID 3152 wrote to memory of 1744	3152	Pqmjog32.exe	85
PID 1744 wrote to memory of 2664	1744	Pfjcgn32.exe	86
PID 1744 wrote to memory of 2664	1744	Pfjcgn32.exe	86
PID 1744 wrote to memory of 2664	1744	Pfjcgn32.exe	86
PID 2664 wrote to memory of 2900	2664	Pjeoglgc.exe	87
PID 2664 wrote to memory of 2900	2664	Pjeoglgc.exe	87
PID 2664 wrote to memory of 2900	2664	Pjeoglgc.exe	87
PID 2900 wrote to memory of 3236	2900	Pqpgdfnp.exe	88
PID 2900 wrote to memory of 3236	2900	Pqpgdfnp.exe	88
PID 2900 wrote to memory of 3236	2900	Pqpgdfnp.exe	88
PID 3236 wrote to memory of 4320	3236	Pgioqq32.exe	89
PID 3236 wrote to memory of 4320	3236	Pgioqq32.exe	89
PID 3236 wrote to memory of 4320	3236	Pgioqq32.exe	89
PID 4320 wrote to memory of 4416	4320	Pncgmkmj.exe	90
PID 4320 wrote to memory of 4416	4320	Pncgmkmj.exe	90
PID 4320 wrote to memory of 4416	4320	Pncgmkmj.exe	90
PID 4416 wrote to memory of 1676	4416	Pqbdjfln.exe	91
PID 4416 wrote to memory of 1676	4416	Pqbdjfln.exe	91
PID 4416 wrote to memory of 1676	4416	Pqbdjfln.exe	91
PID 1676 wrote to memory of 3048	1676	Pfolbmje.exe	92
PID 1676 wrote to memory of 3048	1676	Pfolbmje.exe	92
PID 1676 wrote to memory of 3048	1676	Pfolbmje.exe	92
PID 3048 wrote to memory of 4624	3048	Pnfdcjkg.exe	93
PID 3048 wrote to memory of 4624	3048	Pnfdcjkg.exe	93
PID 3048 wrote to memory of 4624	3048	Pnfdcjkg.exe	93
PID 4624 wrote to memory of 4992	4624	Pcbmka32.exe	94
PID 4624 wrote to memory of 4992	4624	Pcbmka32.exe	94
PID 4624 wrote to memory of 4992	4624	Pcbmka32.exe	94
PID 4992 wrote to memory of 720	4992	Pjmehkqk.exe	95
PID 4992 wrote to memory of 720	4992	Pjmehkqk.exe	95
PID 4992 wrote to memory of 720	4992	Pjmehkqk.exe	95
PID 720 wrote to memory of 1464	720	Qqfmde32.exe	96
PID 720 wrote to memory of 1464	720	Qqfmde32.exe	96
PID 720 wrote to memory of 1464	720	Qqfmde32.exe	96
PID 1464 wrote to memory of 648	1464	Qjoankoi.exe	97
PID 1464 wrote to memory of 648	1464	Qjoankoi.exe	97
PID 1464 wrote to memory of 648	1464	Qjoankoi.exe	97
PID 648 wrote to memory of 968	648	Qgcbgo32.exe	98
PID 648 wrote to memory of 968	648	Qgcbgo32.exe	98
PID 648 wrote to memory of 968	648	Qgcbgo32.exe	98
PID 968 wrote to memory of 528	968	Qffbbldm.exe	99
PID 968 wrote to memory of 528	968	Qffbbldm.exe	99
PID 968 wrote to memory of 528	968	Qffbbldm.exe	99
PID 528 wrote to memory of 3596	528	Ampkof32.exe	100
PID 528 wrote to memory of 3596	528	Ampkof32.exe	100
PID 528 wrote to memory of 3596	528	Ampkof32.exe	100
PID 3596 wrote to memory of 2484	3596	Ageolo32.exe	101
PID 3596 wrote to memory of 2484	3596	Ageolo32.exe	101
PID 3596 wrote to memory of 2484	3596	Ageolo32.exe	101
PID 2484 wrote to memory of 4752	2484	Aqncedbp.exe	102
PID 2484 wrote to memory of 4752	2484	Aqncedbp.exe	102
PID 2484 wrote to memory of 4752	2484	Aqncedbp.exe	102
PID 4752 wrote to memory of 4980	4752	Ajfhnjhq.exe	103
PID 4752 wrote to memory of 4980	4752	Ajfhnjhq.exe	103
PID 4752 wrote to memory of 4980	4752	Ajfhnjhq.exe	103
PID 4980 wrote to memory of 1576	4980	Aeklkchg.exe	104

C:\Users\Admin\AppData\Local\Temp\4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe
"C:\Users\Admin\AppData\Local\Temp\4ed6f246295e0fd33a3224f1e9e73b8efc9cb965b4994ecf6830db2860ef268aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\Pmannhhj.exe
  C:\Windows\system32\Pmannhhj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\SysWOW64\Pqmjog32.exe
    C:\Windows\system32\Pqmjog32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\SysWOW64\Pfjcgn32.exe
      C:\Windows\system32\Pfjcgn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 396
        62⤵
        Program crash
        
        PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4140 -ip 4140
1⤵
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
60KB

MD5
cd27f3b6bb2c329753b00776b8a477fd

SHA1
8ae33c6e0ec949bf8be88dbe14e896bf704b10e2

SHA256
dd320db835bcca9973babfef23d3c75c55c35df9eca578aa5f939d3140a49d33

SHA512
77da6276ddd550b6b6b0b5a7a123e47e72f6ed563cd6ef53457721c1e392fe7cb6a7534464f12900ae7519dcb1d4187b81a2b6be5e4a737be7bd9062ad6e98b2

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
60KB

MD5
828a3a90d1614fe5b7134da3bc15e5d2

SHA1
cfddccc2cf3f3a7439b745829c6c0c0c57234da7

SHA256
e970e0fae4c2859834bb1a5cf90346c4010848c22d9d5b6f8d24603e96beb542

SHA512
a67394fca2e32117d619f9ba682b840ed7e9268c648c45eb1e35a79b75b755b2c20c2da582017707d290a45fe4c3e4240ec70387f949faf986d12b8c494ce58f

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
60KB

MD5
0d5fb9f8ddcdaa3ab033530448eacfdc

SHA1
6fbfb27f0454379b0feea071c9e1b16d86a04c70

SHA256
ae55d6619fca49181edfaf9106133525d8383bb3f23e30c90e352f53bfa24bee

SHA512
b1b583de0aab7d0ff502d82911369a0d18430634e1d38cf5c1d420cfacb6f3bf6d6280c846f1f932da6db2034a7027421ff6511f2f4b1acb0a420363010ab754

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
60KB

MD5
f86965dbbff7120d2bbb3bdb155287d0

SHA1
f63caf3d9fbb3b2b0d4e33b5316fa522b882f3de

SHA256
18989cfe7bf35c3b72be575d5c38800eca87901087f535d4cc5b78feca1f8506

SHA512
5f495757f2ff492ef31931a1f310fadf13079b3fd24a672eb2c081806151e2df4f557ef485c219520d197c738bd5ff6674dcd14b897fe480a7005726f4504060

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
60KB

MD5
9438c899ea3b0283872f28117f89db89

SHA1
3b06bcb3fe628631f32264f1a1f0d7feb4aea6f4

SHA256
a31412053aa31cf8f3adb7d3daca63e4b6efaaf2aeecdaede20b509e06ad3adb

SHA512
b1f5c485ffdeb75d26b2792a2186964cfdd22f9db744d0b8c5e93558fa6084d4825407030cee426653b736f8aa2d7ee88b60db6e14aa4af9881a390bfd7b9c80

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
60KB

MD5
f9ba0b1139fbae347de0d85e01436fda

SHA1
24b9fa23de14913fcf6cb2e5f2817a89814fa3ce

SHA256
58f48e260badf00b2c0a0c0a5b5d8c67ab7adf8730ce8cf5f644c17bb71e62f5

SHA512
fe2894bcb982eb0a6064e1f269135e7fc7c3afc58c7b416c646dcb6fd2937bf6b7e62670b5665d9dde0f722021074c01dbd804d736baa3c8c0e3e6bcf8a58efe

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
60KB

MD5
682d2b03fe68573948a1d84777979a8a

SHA1
0ed2f71345079f5939f1fea05bf853827ae4f73c

SHA256
1700d53a8f4cba343d87d895cf4c182026a2312ae45943946c0bbf10e29d84fd

SHA512
19a94877ffa6c66713c0927e3833cb525ee5005b9c89ef6e925bd1b6ce9a69d965e430c47a079c00924ef4558d5c6530903ae0d0d6b6f542684833c08cfd242e

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
60KB

MD5
955150ed4a5838698a3c33a879b3bcb6

SHA1
dd6c2358bb61029b64503716ac9e6de3ce76eb97

SHA256
624441e606012a81cacd70788b89b6746fbf3aebe7532e5824ee083582a395fd

SHA512
f9221ea925f2a85c1d3f7cb309f2224103978c74c3e10241812ad7b5e565b47bccd2b4dc48346f7b5021543559a8e646ca4488353277f6bae113325bf7a13f0b

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
60KB

MD5
a7821b7dd423911d209d37bff75e802d

SHA1
fd3d1836c050707488fe4f419a7899d8c39117c4

SHA256
412b1e007d8e42fed7b5bdc1ecf1a60de5c0d9d8e942d535550fe0bc8442f115

SHA512
bb6777e0f8b9b9c354366ac958f7163f4dc299ae3c5e9f18421405acd7bee49c04f3d53d84b7846b4247826a63b352ec8cfb89621f7a3e1fd12c47524860e5ec

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
60KB

MD5
05ab5481c290adaf19d19f68ac47bed3

SHA1
298014c8d5db151a06840081ff983a0cdc4513de

SHA256
42782b93af1b5e024ab2b81dab6e0c4429b3bd845e9a91f55e94cc8a0d973041

SHA512
2a3e5a94dd6b0f85cffdfbcb6d6c6094af800b1ab2d04cbc746f8a633b7f3adb98d058303aea90f8ba21f70fe4c4a802535690b76412b81772af56978ff94e9d

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
60KB

MD5
7b95d3238dada587ef10b8ae50272973

SHA1
bee2b5d0b89eac70416a8d9e2b361652638a4ae4

SHA256
4375bf10e9c156d4f191f7a0e23d0cf59a0b178e38c5b9ce799a394bd179ed0c

SHA512
b25462f96a53cfe070749c35844eaa414f685f58cd072da18d46e71183f2fcf17c1380f2b3a88215368ec7bae45d078eabf7585b1887482a146f4a1d6530bef4

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
60KB

MD5
4354bb1685fa49a72b5a166ca9ac5576

SHA1
304c57055e735d0f0f06d21aa24bf9f10210de49

SHA256
bbc49c64afc86d8e33d79448615befae1ce5e14f9a56ae243bb153d68a58370a

SHA512
7ed0e501951b54b07d40147f44a4faae7cb5194f621ebdfa7546f14b6f3e0929209973ce789344d19b7a382a47f25aa38e9a9117012170be68d1c06a7a8b56b6

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
60KB

MD5
cb431bb513b69aa7dad3adc5528cd365

SHA1
1b7bdc7b8f6b5565fa28b9561829e57f5e085e89

SHA256
edf7fd9c7c43d2966a377ad0a082ae629802b74b25e9816a4e85b337f238ab7b

SHA512
097fc520e05a75d71b5bbf840874441469142491cf122a0c45e88a3c2b0c1f3e0f13b6c0021eabdd700ae807fe44594fe8fd7f2fb075afd2d5c547e2d67d5f69

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
60KB

MD5
531b9e746e380f41dca8d3a9b3953da1

SHA1
1524d9bc7b0c121ebb025c32ff26e825b8239a66

SHA256
996468a986c26c8f1db908c5b561b0dcbcc0fb3e0c9065dfb53a4b1a437e8c14

SHA512
f319bfd7deedebdf12b49eb94d89bbba586f1130b7b7a13de096423803603aba46abed8df75eec5fd8cf6fc8a9eee020f21ccbfe57da0fef42733c588713c59d

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
60KB

MD5
cafc31d47da36f039a7361416876fee8

SHA1
d7dc8017ed128e0599d803bbcc2769a26b6d83ff

SHA256
5654c02aff7cd79a0013662e8d9863f08f9156641310084f69029179771b692c

SHA512
598c7e67b7845ab45c49005f645dc8b264b5e90d9ebb6ed33efb6915aa323ecdbf592380418de35d012ed3c3d1378555ed22af4eeb288b562bc3b5e3f1a592ea

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
60KB

MD5
3315995db3d3e0caf94cafc665ce8082

SHA1
3d4454e716d983c62a2df6133b3990327069cacb

SHA256
558e9fcc9c47a58f5822d250c4374a6c8c30e62922fa427665addba071088590

SHA512
3d13b397b39221f8254effdcd24f66cc89bdbcaaf895ccc74adb1a0bd721ea1202bdf0afd53a078c26efc3862cd5fab23e311ee67b51c9c582f1c2f2842dd686

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
60KB

MD5
f640763421d9eb27a3e944d92e6213c7

SHA1
b422163918f49e7451d4920a01056f5bb08313a2

SHA256
224ec27e82dbd3d79ad2851edf3cd74a112fa738daf584524f143b72fc3cb284

SHA512
b575663325e4762e369b7f383d9e6b47ce4b6773707cad9bb176eb9b5962949fc78b7513c8eb3ce519348917a849be8aede99b51b9bc314fa120464fa0e3ed52

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
60KB

MD5
8aabe18edd6f0b4f88b7a57b8dd6be79

SHA1
137cd9e6b5360f7b5681d27802e1011929efa0ff

SHA256
7a2efedd12e14f2c5673e58045cb30b21e117b51936aea4fddff078c252952f9

SHA512
017247d84f95e0761b607ecd57fbbec54160ebf66e13957b1ff38e5e7506db5eed4284678d4c0ff1b21894abe0d235c770bd7d966350a7fc3b655c2bf8cdf36a

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
60KB

MD5
fb39628e4a65766f2f12f08c2ec9262f

SHA1
f237bcaf6af72198d40e1c4f10d172764a8f2f9c

SHA256
3b8f606c39368509e89282955d5135dd43dcfe4bf5bf399358d7fb4343935790

SHA512
0de7850ce2ed99cb19f489ae2614ae77fe4b36e3ab9c221a65872344136387229af633d0018ab89ce91b187e3ea71f0921861c3ebd53b7e43b276c61f537a8e3

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
60KB

MD5
2eed1649ee46dd4196fd3d476b50b1d7

SHA1
eff9bb6b0accf0db35169e4df57ac6496f4076b3

SHA256
b018cd51deb6989c01980be79ea4ec9a28e2c82d5c626ca5e0e183c380cc50e6

SHA512
7a8b6aaac83e9372d34e0b37ad3284d65c0d6fb7cd0b6e5abcff8a12f3f17fb6b75b941aa6c0da57e2bca2bb898a481f02e50f33fa6e142207555c13f72f292f

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
60KB

MD5
3b11281675a78f97cad05817b4c5ac36

SHA1
ea2541d54df07680cf28b1d2caaff6fa0d4a0176

SHA256
1b792d9c147994236960befc31d28064b2b55cd10e11d9d06f74f9a5c8b5eec6

SHA512
3bdc4eaef9ee2f003616892b15d08d679ab91383eccd9b1bf1ac4b1ba3ddaaeba2a462f69d7c1401571c75feea714d13d938304d03798163db55239fe9a8ac9c

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
60KB

MD5
82cc4772b5d9aa6d5b4db24741f6970c

SHA1
7943c18cd938884d8a3333ba086b2d4415c00adc

SHA256
2378301b579fbacc4dcd3fd3c9d6db2a447e220260015dd96b46726243a12375

SHA512
c0ec7139f801d8f1f15094186c96d75c18c2a5ec55cc08faa49c0349b01fac4bc79deccb53ba8d3310c33c06b105ecb8e347b5f2a9f0a3c19d84b6e18a69f793

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
60KB

MD5
047a4b8b3fb22551d90f496a407b6efa

SHA1
e9ee3e7e58995ee1495f199aeb12cdc0c591d3a7

SHA256
cf086815934e388c82a86a7440895d60d1fbcfd8ef439337895cacf6769574d1

SHA512
7f44e74711cb0cce25db684fede90fd7dbb94f29384828e47b7e9ed8207cf312e47f38b9a607ca20f99c0d3772a89f6564ee215ed505d39a7f922dbbd454a28a

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
60KB

MD5
d7d518d3f4276940f726cb4934523bbc

SHA1
7814203b1d2dd9f6b72bcbc2d94ffa2f5c2ba90d

SHA256
1c58552827a8b6b32d0db28d91a8925871d4e9ccc474ccdb91f1dedd7cacda04

SHA512
4af1921406abc4823e6080c7340501b286b5580d1e82d63bb9877708b4d7e9ff073d9fbc8b17b881ea21fc74c335fefcf5709461eae9fe3400b081e0217f6344

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
60KB

MD5
a3a9973832bdc19590ff213d1797d5dd

SHA1
0bd2d98c9b50b70ac5ce7c6b76c1fb135d565046

SHA256
daa038ec8f3310d5ed74df3feb4cb6a9562be555bac8a43d2f978458cae12650

SHA512
36ff761fd0d595e2d8e2a9d193d460338265b418b6ccba60fbadef44c916cfd56c7d0029fe16e73682d5821652039481eaf238d8011dcadbf1ac321b809a6c11

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
60KB

MD5
5b4a0b14bda792343815bea5e7f4f9c5

SHA1
067314edec712927dc62e7b22b675b79cc4b01c0

SHA256
8fda56ce7e21a08c84f4df8fd96b4b64124c37fdbcd1b0b7fc9cbabf94bb067a

SHA512
ffad7eda532f457882cfdbf55373e210ff511f74ac56f87085464133263802b9a6d334b60affedf4a95072cbad690dd366abcf1e5bb22ed0701a67e68a318062

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
60KB

MD5
19cfa6bc3ff3a7250b8f947522a84d5d

SHA1
7293bb720fde8d971b0c775c560747a12f14a23b

SHA256
f20552139a72a4c11b7dafe6533c7415639451bc370338f03cad989a3d068d49

SHA512
55012684c9fcfd3f0e21ec7eaac46acc0ea7f1a71877570304793282a12ad6116f6435e124e85d194fca68df6f006119f70f7cbb03a472e953cec8955211aaf8

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
60KB

MD5
f237342020ccc220ecf2cce52a5f8a59

SHA1
025617d8bb35f6ff97d82d13c3e8184e3dd25e66

SHA256
9d390d243e1a9730bf0c17b3a2687af6c2b02de96f9e4377ddabfab4f22e9d7f

SHA512
fee313c55551c50f72814f676f19ce17f38650fc9bd08de6f0c1c94b742a5308a821231575f410b6924fce68e976a3a752499bf8c201a053e7ff7b4354514495

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
60KB

MD5
2764acd14b3f7909ad9cb672c263f002

SHA1
88453d88b941f91e58b0c1b5fb99aa9e5fc1d4ff

SHA256
37fa3ad6c3295e7ee342f94c3e0b797ff1884a5fd285814832cd06d3b74d49c4

SHA512
e6c91d566749767cff6c3e7d596138a4d48d2480b7302fd4ec98fdbf0f706b52038289f0ad4f81f9182145e9406e3466c241a86955060d10b3729f3a91f04f49

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
60KB

MD5
44a91d8b6d91cd00bc4208d405515c8c

SHA1
f759410b472f53e5d0417fbb8114156b1b292794

SHA256
3c67fbb6fc4386e8a4d26190d6b7a060712a29e6d70415fd49a1f7f51e5499f8

SHA512
1212740cda8072733bcb84d4025b562cca671ccbd5bbf9751b4940d1d310568385258c0d4df8156968aebdb1907855283ad82213124ac6e51f6749413432b51f

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
60KB

MD5
a58f51e5021b7874193ccc66cc3d8514

SHA1
2e03d2193caf834e58a2d5bcaa9ac393c21eb85b

SHA256
ffd22bcca5e82dad344e5b954f3fab1d2f0461784a01442ae6f0d36004e7113c

SHA512
dc85f7c8e67ab24d58fac8a9f45b53a13b36a003e1cac35b68eca419c15d5e5911bd15449f2ceab30a8c8a58a295b390afc44d7b8efdaa1ed75c10051f130026

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
60KB

MD5
d3273d4ce441d16d12a22f92f1caa939

SHA1
a55bcebcf1bd755a2b64358390375dfa9c570752

SHA256
45506788086aabcdea8ba67821f37e4b54eb1f0c05113ed07b9a14edf0f1747d

SHA512
fda116417413e3225314615a98f8d0da1c0b92d1c8ea1be67c33a459184289de08d253b14264253d92e71ef2591c8f47492e3bab1cb0c50b0d1342a9034bc535

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
60KB

MD5
85bc6c49fe636f118f373db654b1f626

SHA1
485bd53831250a30d3d1f26d73385a4e5bd9770f

SHA256
f546d87724c462eb29c8a423c2214a1711196117cbb0e4f500943a1671b78f97

SHA512
00a5bdba2239f1f02809f3231efa161d0f33b22b0c7891a232bffcd0b9b898b6203f6813fe2d6691683ca7cdba0affa836a092ec85388c5565c879307f104351

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
60KB

MD5
5db60929dc94b0b3c0dd59f395a1c452

SHA1
1349d03df06455b007474672aea6e8b69c772dd9

SHA256
f20c7f5fd0aa4baeb61346c5f8bc8923e4386c1c5f464727a3fe2f3667223f72

SHA512
6661d99936d50097e67dd063cecb1aea07a745701d933f5576033bddc690b344225bca2436567600e0c58f10babddc172c51c265f7cccca77197b0a3c3fb3af6

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
60KB

MD5
87802052b9917e541df3a0a8a1483a2c

SHA1
46c2b1c02510d454e2df691094e7586907882bc2

SHA256
6da0167201bcdf773270cf02bdc6b69bda067948c10246b3602c812779bb1323

SHA512
bf8f1403cd186033290d80f45ac9f97ddc2a439cc79139eb09a04e00b0b425e6577ff7c62dc998bf331985efd3b40780e514c37aa0fe20b800af7825cf6a2280

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
60KB

MD5
064c5f4580725b6ae8841a723597a733

SHA1
0c149f598255b6c2c29dfecff9a9d10643edc17a

SHA256
f172fa14f5bfaca037d2977deb796ae390ec3c66b016b8317c7640799dbbc6b8

SHA512
ead149b9579da09022f1c2eeacdbdac195b5da7e464a06df13fd75065aa1316bf7ab90c4ea0b10cea381327cac0da40557f92de44ac756f5e9ec875b48e1d0b9

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
60KB

MD5
94fc56fe2c8c5c4361502a375c53e533

SHA1
b4599ba0997bb032f58fe6fc89a2aa93dff0e285

SHA256
2d36ebe46e26b66175501de5178d0f0154acf44ed09c8841b84eae037895e95b

SHA512
dab5db45fbb6453bfbf3c2b82e286ddea443b8ccf39cd0e562455c12f00cfe928f82b3092c3626e6bc56c1730ca0ef1a814527f8d5db9e3b430d85639701b8c7

Download Submit
memory/64-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/64-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/116-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/116-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/528-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/528-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/588-366-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/588-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/648-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/648-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/720-197-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/720-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/808-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/876-318-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/876-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/968-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1060-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1060-529-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1060-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1344-414-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1360-428-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1368-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1432-468-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1464-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1464-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1492-289-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1492-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1508-312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1508-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1576-189-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1576-273-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1676-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1676-74-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1740-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1740-413-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1744-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1744-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-506-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1996-373-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-493-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2068-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2068-420-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2120-421-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2372-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2484-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2484-162-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2800-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-503-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-393-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3152-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3152-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3336-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3336-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3596-153-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3596-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3808-198-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3808-277-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3920-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3936-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4008-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4172-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4172-372-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4268-407-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4320-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4320-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4320-569-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4416-568-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4416-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4416-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4608-259-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4608-325-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4624-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4624-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-258-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4812-527-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4812-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4864-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4864-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/4864-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4916-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4916-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4980-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4980-267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4984-481-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4984-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4992-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4992-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5040-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5040-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5040-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads