berbew | e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37

Analysis

max time kernel
93s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe
Size

89KB
MD5

a7a2d62c764e5261abca92bfa587d248
SHA1

38d5a669bc3005dfc0206718ca21b6b44e17710d
SHA256

e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37
SHA512

1e22fa8873162bdffaa7f1c376987805619be79b4fb6453ba23dbb9aad6083004e214954a3546c2d89aefb4ef3cf7914f700ea9ce3aab5de186cc3158e4909f7
SSDEEP

1536:eIM0TH3Y/qJxPjJ4OUlt9h33DPZedMeUu2NUOZX3XXzzzPpgP5c/lExkg8Fk:o4+qJP+lbh33d5ju2NUapghc/lakgwk

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgihop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enemaimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggepalof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdime32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjaphgpl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 59 IoCs

pid	Process
2564	Dmjmekgn.exe
808	Dcffnbee.exe
392	Dknnoofg.exe
3364	Dnljkk32.exe
4220	Ddfbgelh.exe
1440	Dkpjdo32.exe
2752	Dickplko.exe
208	Dajbaika.exe
3520	Dckoia32.exe
3768	Dkbgjo32.exe
4368	Dnqcfjae.exe
4648	Dpopbepi.exe
1220	Dgihop32.exe
4276	Djgdkk32.exe
1044	Dpalgenf.exe
1648	Dcphdqmj.exe
3548	Egkddo32.exe
3028	Enemaimp.exe
2156	Epdime32.exe
4032	Egnajocq.exe
1324	Eaceghcg.exe
5052	Edaaccbj.exe
3144	Egpnooan.exe
3996	Enjfli32.exe
4696	Ephbhd32.exe
4228	Ecgodpgb.exe
2000	Ejagaj32.exe
3232	Edfknb32.exe
3908	Egegjn32.exe
4736	Ekqckmfb.exe
2528	Eajlhg32.exe
2280	Fclhpo32.exe
4608	Fkcpql32.exe
264	Famhmfkl.exe
4124	Fdkdibjp.exe
1736	Fcneeo32.exe
832	Fkemfl32.exe
688	Fncibg32.exe
1088	Fqbeoc32.exe
3500	Fcpakn32.exe
3780	Fkgillpj.exe
2040	Fjjjgh32.exe
2964	Fbaahf32.exe
3960	Fcbnpnme.exe
4712	Fjmfmh32.exe
1924	Fnhbmgmk.exe
1180	Fdbkja32.exe
4880	Fgqgfl32.exe
1328	Fjocbhbo.exe
3712	Fqikob32.exe
4336	Gcghkm32.exe
3480	Gjaphgpl.exe
2772	Gqkhda32.exe
1948	Ggepalof.exe
1460	Gnohnffc.exe
1796	Gqnejaff.exe
4832	Gggmgk32.exe
4308	Gjficg32.exe
4416	Gbmadd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Egnajocq.exe	Epdime32.exe
File created	C:\Windows\SysWOW64\Egnelfnm.dll	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Qjfpkhpm.dll	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Gnohnffc.exe	Ggepalof.exe
File created	C:\Windows\SysWOW64\Dknnoofg.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Dknnoofg.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Dickplko.exe	Dkpjdo32.exe
File created	C:\Windows\SysWOW64\Flpbbbdk.dll	Egnajocq.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Eajlhg32.exe	Ekqckmfb.exe
File opened for modification	C:\Windows\SysWOW64\Fjocbhbo.exe	Fgqgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Eaceghcg.exe	Egnajocq.exe
File created	C:\Windows\SysWOW64\Egegjn32.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Eclhcj32.dll	Egegjn32.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Hmcipf32.dll	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Gjficg32.exe	Gggmgk32.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gjficg32.exe
File created	C:\Windows\SysWOW64\Eaceghcg.exe	Egnajocq.exe
File created	C:\Windows\SysWOW64\Ephbhd32.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Nailkcbb.dll	Fcneeo32.exe
File opened for modification	C:\Windows\SysWOW64\Fcpakn32.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fbaahf32.exe
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fjmfmh32.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Eaceghcg.exe
File created	C:\Windows\SysWOW64\Kojkgebl.dll	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Glkkmjeh.dll	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Gcghkm32.exe	Fqikob32.exe
File opened for modification	C:\Windows\SysWOW64\Ddfbgelh.exe	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Dpalgenf.exe	Djgdkk32.exe
File created	C:\Windows\SysWOW64\Qmofmb32.dll	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Ckfaapfi.dll	Gnohnffc.exe
File opened for modification	C:\Windows\SysWOW64\Dickplko.exe	Dkpjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Dajbaika.exe	Dickplko.exe
File created	C:\Windows\SysWOW64\Imhcpepk.dll	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Odanidih.dll	Fclhpo32.exe
File opened for modification	C:\Windows\SysWOW64\Fqbeoc32.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Jfqqddpi.dll	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Fjinnekj.dll	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Hdeeipfp.dll	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Npgqep32.dll	Egkddo32.exe
File created	C:\Windows\SysWOW64\Efehkimj.dll	Dajbaika.exe
File opened for modification	C:\Windows\SysWOW64\Dkbgjo32.exe	Dckoia32.exe
File created	C:\Windows\SysWOW64\Dpalgenf.exe	Djgdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Dcphdqmj.exe	Dpalgenf.exe
File opened for modification	C:\Windows\SysWOW64\Eajlhg32.exe	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Ajgqdaoi.dll	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Mkhpmopi.dll	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Dnqcfjae.exe
File opened for modification	C:\Windows\SysWOW64\Egpnooan.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Kfkklk32.dll	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Enemaimp.exe	Egkddo32.exe
File opened for modification	C:\Windows\SysWOW64\Epdime32.exe	Enemaimp.exe
File created	C:\Windows\SysWOW64\Nnoefe32.dll	Enemaimp.exe
File opened for modification	C:\Windows\SysWOW64\Gjaphgpl.exe	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Bhnbgoib.dll	Gqnejaff.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gjficg32.exe
File created	C:\Windows\SysWOW64\Kdfepi32.dll	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Egegjn32.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Ppkjigdd.dll	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gjficg32.exe
File created	C:\Windows\SysWOW64\Egkddo32.exe	Dcphdqmj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3124	4416	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjaphgpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dckoia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnohnffc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjficg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpalgenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ephbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epdime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddfbgelh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gggmgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknnoofg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcneeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggepalof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajbaika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgodpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgihop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egnajocq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqnejaff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkcpql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eajlhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkddo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfepi32.dll"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gjficg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojkgebl.dll"	Ephbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foolmeif.dll"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfaapfi.dll"	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgohiia.dll"	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbaohka.dll"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abocgb32.dll"	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ggepalof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkacq32.dll"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjfeo32.dll"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egpnooan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfpkhpm.dll"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifcnk32.dll"	Gjaphgpl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 2564	3840	e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe	88
PID 3840 wrote to memory of 2564	3840	e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe	88
PID 3840 wrote to memory of 2564	3840	e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe	88
PID 2564 wrote to memory of 808	2564	Dmjmekgn.exe	89
PID 2564 wrote to memory of 808	2564	Dmjmekgn.exe	89
PID 2564 wrote to memory of 808	2564	Dmjmekgn.exe	89
PID 808 wrote to memory of 392	808	Dcffnbee.exe	90
PID 808 wrote to memory of 392	808	Dcffnbee.exe	90
PID 808 wrote to memory of 392	808	Dcffnbee.exe	90
PID 392 wrote to memory of 3364	392	Dknnoofg.exe	91
PID 392 wrote to memory of 3364	392	Dknnoofg.exe	91
PID 392 wrote to memory of 3364	392	Dknnoofg.exe	91
PID 3364 wrote to memory of 4220	3364	Dnljkk32.exe	92
PID 3364 wrote to memory of 4220	3364	Dnljkk32.exe	92
PID 3364 wrote to memory of 4220	3364	Dnljkk32.exe	92
PID 4220 wrote to memory of 1440	4220	Ddfbgelh.exe	93
PID 4220 wrote to memory of 1440	4220	Ddfbgelh.exe	93
PID 4220 wrote to memory of 1440	4220	Ddfbgelh.exe	93
PID 1440 wrote to memory of 2752	1440	Dkpjdo32.exe	94
PID 1440 wrote to memory of 2752	1440	Dkpjdo32.exe	94
PID 1440 wrote to memory of 2752	1440	Dkpjdo32.exe	94
PID 2752 wrote to memory of 208	2752	Dickplko.exe	96
PID 2752 wrote to memory of 208	2752	Dickplko.exe	96
PID 2752 wrote to memory of 208	2752	Dickplko.exe	96
PID 208 wrote to memory of 3520	208	Dajbaika.exe	97
PID 208 wrote to memory of 3520	208	Dajbaika.exe	97
PID 208 wrote to memory of 3520	208	Dajbaika.exe	97
PID 3520 wrote to memory of 3768	3520	Dckoia32.exe	98
PID 3520 wrote to memory of 3768	3520	Dckoia32.exe	98
PID 3520 wrote to memory of 3768	3520	Dckoia32.exe	98
PID 3768 wrote to memory of 4368	3768	Dkbgjo32.exe	99
PID 3768 wrote to memory of 4368	3768	Dkbgjo32.exe	99
PID 3768 wrote to memory of 4368	3768	Dkbgjo32.exe	99
PID 4368 wrote to memory of 4648	4368	Dnqcfjae.exe	100
PID 4368 wrote to memory of 4648	4368	Dnqcfjae.exe	100
PID 4368 wrote to memory of 4648	4368	Dnqcfjae.exe	100
PID 4648 wrote to memory of 1220	4648	Dpopbepi.exe	101
PID 4648 wrote to memory of 1220	4648	Dpopbepi.exe	101
PID 4648 wrote to memory of 1220	4648	Dpopbepi.exe	101
PID 1220 wrote to memory of 4276	1220	Dgihop32.exe	102
PID 1220 wrote to memory of 4276	1220	Dgihop32.exe	102
PID 1220 wrote to memory of 4276	1220	Dgihop32.exe	102
PID 4276 wrote to memory of 1044	4276	Djgdkk32.exe	103
PID 4276 wrote to memory of 1044	4276	Djgdkk32.exe	103
PID 4276 wrote to memory of 1044	4276	Djgdkk32.exe	103
PID 1044 wrote to memory of 1648	1044	Dpalgenf.exe	104
PID 1044 wrote to memory of 1648	1044	Dpalgenf.exe	104
PID 1044 wrote to memory of 1648	1044	Dpalgenf.exe	104
PID 1648 wrote to memory of 3548	1648	Dcphdqmj.exe	105
PID 1648 wrote to memory of 3548	1648	Dcphdqmj.exe	105
PID 1648 wrote to memory of 3548	1648	Dcphdqmj.exe	105
PID 3548 wrote to memory of 3028	3548	Egkddo32.exe	106
PID 3548 wrote to memory of 3028	3548	Egkddo32.exe	106
PID 3548 wrote to memory of 3028	3548	Egkddo32.exe	106
PID 3028 wrote to memory of 2156	3028	Enemaimp.exe	107
PID 3028 wrote to memory of 2156	3028	Enemaimp.exe	107
PID 3028 wrote to memory of 2156	3028	Enemaimp.exe	107
PID 2156 wrote to memory of 4032	2156	Epdime32.exe	108
PID 2156 wrote to memory of 4032	2156	Epdime32.exe	108
PID 2156 wrote to memory of 4032	2156	Epdime32.exe	108
PID 4032 wrote to memory of 1324	4032	Egnajocq.exe	109
PID 4032 wrote to memory of 1324	4032	Egnajocq.exe	109
PID 4032 wrote to memory of 1324	4032	Egnajocq.exe	109
PID 1324 wrote to memory of 5052	1324	Eaceghcg.exe	110

C:\Users\Admin\AppData\Local\Temp\e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe
"C:\Users\Admin\AppData\Local\Temp\e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\SysWOW64\Dmjmekgn.exe
  C:\Windows\system32\Dmjmekgn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\Dcffnbee.exe
    C:\Windows\system32\Dcffnbee.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\SysWOW64\Dknnoofg.exe
      C:\Windows\system32\Dknnoofg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
      - C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 420
        61⤵
        Program crash
        
        PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4416 -ip 4416
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agecdgmk.dll

Filesize
7KB

MD5
b649f56595c29d61fb2365b54465b9b1

SHA1
ebb1a6476e2e22b6e6f3f7630b4c5a8621ed914c

SHA256
94a5d9971e3525dc10883bc40551654cdc36099a42d93bc27b26dbc716f2a9d1

SHA512
0c855275a49349b33ec979bf4dbfe345880b26b0a2516e00cbd14bac2d84f4776a7dd84c598a08be9e250e15b2f61d3a91d1bcfe8bf3f9122310c23e4ec6e992

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
89KB

MD5
a8f367a37ecc1af0ba4fceb84ad68adb

SHA1
efa5b4cb4c230419f5a715a8ea497887bff5b747

SHA256
7a654689e7bddc43ec466a2b6f1a3c9213a93b5f3f1b87fe983cfacddf263f27

SHA512
9ccf4be335aa41fd45800a8fb788aa83bc3df38cd76b03642b301500bea3dd92b240d0f895bc8716940e0ac33df668a2afbd0b2549f426b098acce5190d1c295

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
89KB

MD5
a68db2afc2867f08b6a6eb6eeecdb041

SHA1
10f139430845c1a2a8b893a2e0441144e7d39cd5

SHA256
99808b50a8096eb18bd0dda86b013775778d891cc7bd4988f2d32bc249ef96ad

SHA512
b8bf7d18101a674a97f2069475e838dc43d526e6fe2f1fabb86841817d46030adff14012d2b8b3d78c92d87888c42d7880de11f090e54afdfcd21177cece80fa

Download Submit
C:\Windows\SysWOW64\Dckoia32.exe

Filesize
89KB

MD5
f986c5670550121bb62e1c97a0eec798

SHA1
cfd3af7f63ecb828c5e367f45b495354f01c44b6

SHA256
6d8f4b25c55a333e8ba8e4c86dc083b36df28781ac9cfe52669862013a77e400

SHA512
235250ebf0a2d30b79381fb26c6195902d50adaa47356a3dbcbb5e806e72c62c18d402a49faf0edcdf65f2f13c3244909836c07a97c67db1aeb449c022f8198d

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
89KB

MD5
aea3b38d50759e3abeece7d34877f1a6

SHA1
cbbc6461cef3a0036479bb8e4b9f01ea960aba92

SHA256
b89e0219ca761a7cffb12957d470c2af3d55f47e58f0b66109d35220e1d95eb5

SHA512
fb1fbf5d9e0c529279fbeb6f0ea660c561ac13669fb086cbfd7996e973cb0e27ca02f802d53a10363ae20cf6fc64b9dfe5cbe5ce94082641ba3c07b9d6069177

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
89KB

MD5
48a3c46de899de09a32614e39187caa7

SHA1
31c19edf6601decc0b1f8e3404e79db0cb00d3d5

SHA256
db94554e1fec8576b75362d73432b609f55db212d78d9370f046a48ca6d74fd4

SHA512
353d2cd48f51301ae4ea4397425a8172d0534c67194bde929b8c794075683e24a16d7c8e6f12ee0e713cfe4b0aedcc0c6f3c7939d1ea898373fcb1e7d38d60ac

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
89KB

MD5
a5d9314f6d338a37aadb6e2e8e6ed148

SHA1
24cbdaf7ea567b71c9f0b93d727029af9f66af35

SHA256
989a49961d9304c4f7b71f44ec67151fd6f6fbdac523d1d37de9a3aa7662e937

SHA512
98b418aaba2b9b809100e48879785cc9c5bb9efc869a0b7440f53505a71a1fd38beffe68585a97fb9d1df1b5f7292d50b17cc24aeef366f4360e77d81e49b8a2

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
89KB

MD5
afa3f36f636f504a3acdabac2b0c07fd

SHA1
7e8d07c976476fb7e3f83ee25657f74b200eca4c

SHA256
71805b567c911a875af450f93fbf58fe08a2d4a35cb60c3761d9c5f5d78b1a2c

SHA512
0ce22e38d9c2c0e7b8fe5df46c87297a4cd5e2a9c774a5fb2e13a9119db521c21430617888608cd278f0bd9b4bc36a573f0238453072a85a11a1e6441c61170b

Download Submit
C:\Windows\SysWOW64\Djgdkk32.exe

Filesize
89KB

MD5
25a343e8262bc732ff80d45aa0410863

SHA1
02f738eacf294ab72a7760a80d9056907f5ce1ba

SHA256
02c61457a580bb8f28160e5ca9440a8dd8dee7edea4a7ad99aebfe65f04b7cc7

SHA512
65502fbfeb4faff6e20bbc8f1a0b801fdb82355bd54f2c8d97dbf94ff4f019aed1df34b25229015268d14bc5e6fd3aca87cba9b17072e952172fec2ad5a418fa

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
89KB

MD5
523426b5c71bde927785a5bd94fc906f

SHA1
6947c806377fb732d78ff12c0c5f419420f193d7

SHA256
645940d8b91f29a5c76acbc5ade0cf3f3f7fcc70534ec92eb43a805110f06bc4

SHA512
cfa4c51ede1c357201b0902d8dec96b753c48ae51d5f3daa894e0f6326c8641a172ec4e268e8b1a78b9922ccaecf1cf88b29af168b2a190d040ad55f47143c64

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
89KB

MD5
44c138f148d0828cc314df97fb0e0b71

SHA1
b4e67f1ab273776d69d056f2cc9dc34cecdcf85a

SHA256
e21ad758c8f7c6eb75afada4a0d51a77a4c59bed692221c7564ef2835dc71b1c

SHA512
64ca288cbd4b4940c899da18b9e52244085633f363c7c1ffc565ed6a6c79371ca8c99405b46fa5f6ae734c3977d0f72352aa805c1d773c79535e69dc94ac3b10

Download Submit
C:\Windows\SysWOW64\Dkpjdo32.exe

Filesize
89KB

MD5
36f54920d80f4ed7cc62c3e8a1122ff9

SHA1
d4bdd668a2fac77f146d721c64f634f6bca55e20

SHA256
e391c9deb29f824a453a423fdda75cc7c2e0e610bcbdcfd5dfac36abd25b8231

SHA512
a520f6b5478a7857bf31bf83165ef6613f33ca254e628f38c195a2c715e7fda5381ade9786319928e119ad1e288555be3331a096fa708a15d08ba53c7fb6e4ee

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
89KB

MD5
c01ed045ad027104e10920e310611ad2

SHA1
1112cfa273002c122b2d762cb09cf8abd5d791a2

SHA256
7df4ae24bb7e2e509bf8678f98db1615b1a01cfa98b735059a7cb9ba78f48153

SHA512
5667eecd12a4dba7162d26966b8142c3c0bbbbaa9a70c01b1d562f83bf852dbacfdf72e213150ea04673a3482229371ec2f87649a8e314195a92d3239d4a7033

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
89KB

MD5
f96d6116b25d5ad660140f2ba9bd61a8

SHA1
1813dfd6ed2becf450ad0f694ffca958bdc9dcdb

SHA256
772a9e674e8750dd867a1af33bd4cb7dafdba8ed56f8a6414f1f198c6d002b67

SHA512
13429a3f92d8cc565d43713b2ba2288b7a78ce2e5bd4e7e95d120901498eb04d9fbc417527b9845fb59f9c4ef61970ccfeba8af6bccd5d6cb54a28faa80b6326

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
89KB

MD5
53bffe838ad7953893758c8937180898

SHA1
fe0ab22092df709dd8463bf59f75c4f1f0cb2546

SHA256
e2f9d05624967e80734acfcce5d0415b30b5d53b883f70a677f2cc9002c73651

SHA512
17c1cf3318ea9f6fb06b99338c5834baa58db53ace3f477ba35cbe8fe69456dff5e0ea87cb6a9d99db961160b2584e8843cf38628ceea0b7f51a8b4556135d4a

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
89KB

MD5
9d3ba1adbc8beedcd748a150dff84713

SHA1
b88d14772cb86edb09e74b0ce2b6a8937f45eb8a

SHA256
7dbbafa54e764f15ad120230cc268db81367e5d8f0eff0a7b70565fa4fac99ce

SHA512
af83334c12727e2c04b5cc86e0a0bffc91e33e9568654ceda0cd725a6f17bc904ad092b7a34ff51f355fef08fafc00973416727e9f3578cbde553db3501bfc49

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
89KB

MD5
988c08e4e2be7d6e274a1321a082dd7c

SHA1
2ab3b212903dbb67ef9ebe86c5560a4a55809fcd

SHA256
31347b262e2ec1bc95ff7254a0c70ec4218035591a4671d12417e32894b16590

SHA512
333190b355c84b95df6d06a072e4e0a2c39a1f96c4228f09daa323d2a1a5dad10064a63f4d293c3ab7e98873f3439e9ea960ff0d10f15f3619d98caa9250b726

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
89KB

MD5
38531cb7f64c21902aeead96b738ab1e

SHA1
9430beed3e40221635d6c7b6d2ebba899d8062dd

SHA256
e7b50437855dec985011dba2cb125489100a3c29ef5c0d7f9e24cfd7684030a0

SHA512
bda35a0487d06326ef9cf4ed3c13d0cbac4cb5596ca33d86a2d42ea1d13a3bffe32ed164ccaedbd58d3c8fa90f1e0aaa003b8f7969fcece6d0917de3dbb3a2bf

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
89KB

MD5
b77288db76332a3fef030575c6bcc321

SHA1
6828ff4123ea6392175c336d830a1834e1b54094

SHA256
2e68fe6f4e1d3244520d7adcd44951e2f935d6fb4030889f596ce16cc605d791

SHA512
ae987450e4386555c07652019e1cac9a562de76aab02da2e99d117d1654937292df5a2c8cc26239b0e422a6fc55e423191282d8240a1f62bbd794fe4b82f1c01

Download Submit
C:\Windows\SysWOW64\Ecgodpgb.exe

Filesize
89KB

MD5
d8c2f94c048a52623954d1d9ea6ba048

SHA1
6d310a16aec9f8a03fa56f7c5f6a41e3e3856237

SHA256
ace86266c5dae734a1a7b3e28f71cda29054cbf97be8756611143cc8b3f3b171

SHA512
edb1e791fe89e5e01f900bb193dae1d3da686b65132260152e41844d3ab407d1defca242be5444c604e6629d3e6a15a449707231abfe8c5e2f217d175ebb59a5

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
89KB

MD5
a1c26aaf2e7e8f3c1005e2e9d6560c96

SHA1
bac90df6445861d2a87397f9f847a3b48ef41c91

SHA256
8a6f4116b18e88b3dd18ca44bca3f54748ad8a37adc441aa4402054becc00f3c

SHA512
5583fe1720b19d856fccdfafd4d53c3149e77f9030d710ed3db4a82be6f105654e2fac2781357555fe20425761e53319078950718869ffcbacaf520f4b1b5311

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe

Filesize
89KB

MD5
64471dabedd949d8fc24cec6c10dffc3

SHA1
ccc1df76f1a949970f0fc63cd3dfa37ce776cdbc

SHA256
1faeea6aca29088621c7934b126fb97c7b9440d6392b3d33da0563f012fbb972

SHA512
eefeab1d47502a3a4017c122b39329e4e3b9085a4e540fb5d676333e83b6662d9c922ff8e4270fc30a1f7affaa1c6d1be7f48b953d36696bd87bbf62f04c5bc4

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
89KB

MD5
ba434b62184eed6f1e26b11521e21442

SHA1
be9bd2e96c68621b826e58678cb016631432d645

SHA256
d3e9487dcca2d4a7db81ef4f8de33f797af4c09db6b3775b0919dafa0839cca4

SHA512
946511fa118f17363bfe2adcdb6384fc718d25b6f2cac60090c62ba68684903db43f8ecbe14afb307e0a0d7c96202df6e9fa64625d5b3b214ba879489277b648

Download Submit
C:\Windows\SysWOW64\Egkddo32.exe

Filesize
89KB

MD5
66da9ea1045f9d3ce7153afed41fd7a0

SHA1
73afb28f5eb93b2c4ff8963feff5504fba70996a

SHA256
81fa3399e341aac4f7095caf1d4003c9990108fe882b183c2bfeb08c3d428891

SHA512
4ea0b8847c5d4ce73089ae69ec45c9de421b5127625850cedc8982059cc7184967da17412cef7928d8a4edcc41ee798561a23c6c0395a3a948076d1d286186dd

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
89KB

MD5
9446cf9c507e6891d7e7aa4f6682b4c4

SHA1
8d1996cf878edfc9f74374f3434272eb515dc8f7

SHA256
1cfefc79c6174ab72d1609c7fcd0859e567e7f5af9a191cd3450daf9300bb8ac

SHA512
4689737915c47e5701de3b249b46b57561cf0b5a46ea9cbcdf9634397765aeb8a383da540a7b9efe832dc1ded6c3e1338eba42fe25f495020f2dc36f4ff5039a

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
89KB

MD5
6def4ed42f2cc44387c65952dd0124e0

SHA1
83b58e6fab8a358e7ef36c5c4ccf81dcce9da0ab

SHA256
d48dd2a0032eab28f50def2e074030eefb6a150e7eee06919f01140672c62139

SHA512
cfb3bce621420d6bf29d619d1806502616c6a85a5179bcf0726715f058ffb073c9b80df3549191e56c0f462ead32990cb3cabd73507e0fe60fb792c40bed2a2d

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
89KB

MD5
2ef4bf4bfa23f938b047d31a56bfaca5

SHA1
13798b39e41e27e50bba2641b37a9a9b83cabfb2

SHA256
207bc5e7d56904c13704a3e5e71dd574482d25c6aed74fc63084fcce52aa227c

SHA512
d69681475199664c9dd35187cef3ab4710d3a92640194b610784f44bf0fab85b9c05d5965aeb2edd273ac77ff33e71e630aa6e7c422afab51cbd8236db2270b8

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
89KB

MD5
bb468cbcb6429c956b5ee42ddd8ef373

SHA1
ea1bac20c2fe239a6c7ec056d3db00e4553cc322

SHA256
d75ed36ce1fdcba2d9ab52978feb263f1f606752a15c8b824f0e01e0ca8b1f33

SHA512
14ac66c2397bb8f909982c4536613959de0bee9c47002d324575a9f0caf22f7f4d524cfbe4dec02f07bd5aa969083cedc30b8fe41d87bf8e6f8f5576f5dfbb38

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
89KB

MD5
c8cec1b17646134d7be075b1340f871a

SHA1
e8bec0e94a426c56ed9ed041e08ce2cbbb284ae3

SHA256
cc1e18dfb68b024bbf80dee8b8611ffcad4f717487510bf7b6f3382508ee5f1a

SHA512
ecc846ba31751814442312bc89f46b36dae14ac077ff059610f780751609b8a1dadd8f310cae9e9b6e52bdb4bf175ad22580db9b243ef7f994f7480e0699b260

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
89KB

MD5
6caa5395eebbc83c78c8112828f696bc

SHA1
dbaffcfa326d791e0c214e67467e8c5bb4fc208c

SHA256
7abbbe08dd780c240edd2d9969d23bada8489bb86ee2de56d210f26bc1e8ee47

SHA512
76e0ab9d5e456b6627362e288cd84547df7ef622ae3b270c3b0d15f14ed4902d82ac3df57c64df43012c2d3fa48de2a3a63b8e7edd222554a959599bdc02b6b6

Download Submit
C:\Windows\SysWOW64\Epdime32.exe

Filesize
89KB

MD5
25f75296dea29618b188f23cc41face1

SHA1
7582903f53e51205a296756d9785a79b6dbf0716

SHA256
9c209ac9ab1da1b80ee6b37db28174c648ef09c0c9cfe9f601127f4ff629bfff

SHA512
cc02dfbcd2cac427c9d0018df2e67141cb6d0cd7657aed1f4c26e113271fcdd92e8d5dc688a666b171006f53886816f299f7fa59110edab25373d5afb5894084

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
89KB

MD5
f44a75971b0d830e1c5631b69a0d9765

SHA1
44ad7de95f2fbde1462ca645647446b0815c1084

SHA256
9bfe9768e56dc83661a6aa88f4b9c004693e618ac60416030da46b86382b95b8

SHA512
4b60181a9ef6c89a9d1bbbe19cebb8b327f5c1906876d049088f14b6c4c4745caf5e80de573518af08f04fc4b8d6c11ee293dbc68b422e6c139cccfddf1f7748

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
89KB

MD5
e502a893ae268dfad18588e52da47939

SHA1
e68156a65d9c3fa44b865086b99ea6d74c4728b7

SHA256
81f952f828e67c07b0cf0c6ba2112ad1471eaba589c28048d8c8a6afe2c117be

SHA512
1dd57451ad95d616dc02be598c3fcf02d3c2a8034382a086ae5bb39491bf0f37be9564ab7c39f7fe19a64868f9ae2fcb6ac2bec17f6ae299d9357178ca82f8bf

Download Submit
C:\Windows\SysWOW64\Ggepalof.exe

Filesize
89KB

MD5
68201040fe5f1acfbbba63f2be515989

SHA1
82a1bb6e599ad3a4326cde3590bd9ba82d68469b

SHA256
f3c371eab08156c78b7bccf1b0a03b7b69a23c297d8772c1df844befe3938828

SHA512
44938b4cce9aec7f78ffd2a03aa6f93bb30cb085d7c3efad41a2924f30b7e630ee19a5a5d3d253edb090571269cf2eba5441a8923fa721ff9e126510625658fc

Download Submit
memory/208-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/264-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/264-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/688-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/688-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1220-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3232-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3232-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3364-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3768-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3780-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3780-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3840-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3996-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3996-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4124-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4124-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4416-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4416-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads