berbew | 0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d

Analysis

max time kernel
95s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe
Size

128KB
MD5

2f04795288324fdc13445b9b7fa1f2c0
SHA1

d07453e94fa0e67a8a40598c472e2a24e2860346
SHA256

0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d
SHA512

a72173ad34c6003f4ea719f8a7861f097ea1e8a62b3d0dd035b63815b97a88ad56e6819683f8bd71e4e65a178a98b077b43e8fe797c24dd4e5fa688192781c52
SSDEEP

3072:c5da5ZazTL1neQTjIDrFDHZtOgxBOXXwwfBoD6N3h8N5Gg:nGTLkQTjA5tTDUZNSN57

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4736	Pqbdjfln.exe
4728	Pcppfaka.exe
940	Pgllfp32.exe
4344	Pjjhbl32.exe
5028	Pnfdcjkg.exe
1236	Pqdqof32.exe
2636	Pcbmka32.exe
4564	Pjmehkqk.exe
3960	Qmkadgpo.exe
1144	Qceiaa32.exe
3332	Qfcfml32.exe
3348	Qnjnnj32.exe
3580	Qqijje32.exe
4208	Qcgffqei.exe
916	Ajanck32.exe
2264	Aqkgpedc.exe
2732	Ageolo32.exe
2088	Ajckij32.exe
1932	Aeiofcji.exe
3732	Agglboim.exe
4448	Ajfhnjhq.exe
3748	Amddjegd.exe
3924	Aeklkchg.exe
3968	Agjhgngj.exe
1264	Andqdh32.exe
4372	Acqimo32.exe
1656	Afoeiklb.exe
1156	Aminee32.exe
4896	Aadifclh.exe
3456	Agoabn32.exe
3528	Bjmnoi32.exe
3740	Bagflcje.exe
1960	Bganhm32.exe
2036	Bjokdipf.exe
2956	Bnkgeg32.exe
4940	Baicac32.exe
2304	Bchomn32.exe
2352	Bgcknmop.exe
1936	Bjagjhnc.exe
2032	Bnmcjg32.exe
2356	Beglgani.exe
5040	Bgehcmmm.exe
4412	Bfhhoi32.exe
3160	Bnpppgdj.exe
1760	Cmiflbel.exe
3712	Ceqnmpfo.exe
1184	Cdcoim32.exe
3716	Cfbkeh32.exe
3184	Cjmgfgdf.exe
3668	Cmlcbbcj.exe
2300	Ceckcp32.exe
372	Chagok32.exe
5084	Cfdhkhjj.exe
4692	Cnkplejl.exe
4080	Cajlhqjp.exe
3868	Ceehho32.exe
1416	Chcddk32.exe
1676	Cegdnopg.exe
4144	Dhfajjoj.exe
2908	Djdmffnn.exe
2988	Dmcibama.exe
3232	Dhhnpjmh.exe
1776	Dfknkg32.exe
2320	Dobfld32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5412	5260	WerFault.exe	166

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 4736	1492	0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe	86
PID 1492 wrote to memory of 4736	1492	0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe	86
PID 1492 wrote to memory of 4736	1492	0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe	86
PID 4736 wrote to memory of 4728	4736	Pqbdjfln.exe	87
PID 4736 wrote to memory of 4728	4736	Pqbdjfln.exe	87
PID 4736 wrote to memory of 4728	4736	Pqbdjfln.exe	87
PID 4728 wrote to memory of 940	4728	Pcppfaka.exe	88
PID 4728 wrote to memory of 940	4728	Pcppfaka.exe	88
PID 4728 wrote to memory of 940	4728	Pcppfaka.exe	88
PID 940 wrote to memory of 4344	940	Pgllfp32.exe	89
PID 940 wrote to memory of 4344	940	Pgllfp32.exe	89
PID 940 wrote to memory of 4344	940	Pgllfp32.exe	89
PID 4344 wrote to memory of 5028	4344	Pjjhbl32.exe	90
PID 4344 wrote to memory of 5028	4344	Pjjhbl32.exe	90
PID 4344 wrote to memory of 5028	4344	Pjjhbl32.exe	90
PID 5028 wrote to memory of 1236	5028	Pnfdcjkg.exe	91
PID 5028 wrote to memory of 1236	5028	Pnfdcjkg.exe	91
PID 5028 wrote to memory of 1236	5028	Pnfdcjkg.exe	91
PID 1236 wrote to memory of 2636	1236	Pqdqof32.exe	92
PID 1236 wrote to memory of 2636	1236	Pqdqof32.exe	92
PID 1236 wrote to memory of 2636	1236	Pqdqof32.exe	92
PID 2636 wrote to memory of 4564	2636	Pcbmka32.exe	93
PID 2636 wrote to memory of 4564	2636	Pcbmka32.exe	93
PID 2636 wrote to memory of 4564	2636	Pcbmka32.exe	93
PID 4564 wrote to memory of 3960	4564	Pjmehkqk.exe	94
PID 4564 wrote to memory of 3960	4564	Pjmehkqk.exe	94
PID 4564 wrote to memory of 3960	4564	Pjmehkqk.exe	94
PID 3960 wrote to memory of 1144	3960	Qmkadgpo.exe	95
PID 3960 wrote to memory of 1144	3960	Qmkadgpo.exe	95
PID 3960 wrote to memory of 1144	3960	Qmkadgpo.exe	95
PID 1144 wrote to memory of 3332	1144	Qceiaa32.exe	96
PID 1144 wrote to memory of 3332	1144	Qceiaa32.exe	96
PID 1144 wrote to memory of 3332	1144	Qceiaa32.exe	96
PID 3332 wrote to memory of 3348	3332	Qfcfml32.exe	97
PID 3332 wrote to memory of 3348	3332	Qfcfml32.exe	97
PID 3332 wrote to memory of 3348	3332	Qfcfml32.exe	97
PID 3348 wrote to memory of 3580	3348	Qnjnnj32.exe	99
PID 3348 wrote to memory of 3580	3348	Qnjnnj32.exe	99
PID 3348 wrote to memory of 3580	3348	Qnjnnj32.exe	99
PID 3580 wrote to memory of 4208	3580	Qqijje32.exe	100
PID 3580 wrote to memory of 4208	3580	Qqijje32.exe	100
PID 3580 wrote to memory of 4208	3580	Qqijje32.exe	100
PID 4208 wrote to memory of 916	4208	Qcgffqei.exe	101
PID 4208 wrote to memory of 916	4208	Qcgffqei.exe	101
PID 4208 wrote to memory of 916	4208	Qcgffqei.exe	101
PID 916 wrote to memory of 2264	916	Ajanck32.exe	102
PID 916 wrote to memory of 2264	916	Ajanck32.exe	102
PID 916 wrote to memory of 2264	916	Ajanck32.exe	102
PID 2264 wrote to memory of 2732	2264	Aqkgpedc.exe	103
PID 2264 wrote to memory of 2732	2264	Aqkgpedc.exe	103
PID 2264 wrote to memory of 2732	2264	Aqkgpedc.exe	103
PID 2732 wrote to memory of 2088	2732	Ageolo32.exe	104
PID 2732 wrote to memory of 2088	2732	Ageolo32.exe	104
PID 2732 wrote to memory of 2088	2732	Ageolo32.exe	104
PID 2088 wrote to memory of 1932	2088	Ajckij32.exe	105
PID 2088 wrote to memory of 1932	2088	Ajckij32.exe	105
PID 2088 wrote to memory of 1932	2088	Ajckij32.exe	105
PID 1932 wrote to memory of 3732	1932	Aeiofcji.exe	107
PID 1932 wrote to memory of 3732	1932	Aeiofcji.exe	107
PID 1932 wrote to memory of 3732	1932	Aeiofcji.exe	107
PID 3732 wrote to memory of 4448	3732	Agglboim.exe	108
PID 3732 wrote to memory of 4448	3732	Agglboim.exe	108
PID 3732 wrote to memory of 4448	3732	Agglboim.exe	108
PID 4448 wrote to memory of 3748	4448	Ajfhnjhq.exe	109

C:\Users\Admin\AppData\Local\Temp\0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe
"C:\Users\Admin\AppData\Local\Temp\0668529c0bc720c0c41f20d235a8323b8e55190b806705734f8077a975c77f5d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\Pqbdjfln.exe
  C:\Windows\system32\Pqbdjfln.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\Pcppfaka.exe
    C:\Windows\system32\Pcppfaka.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\SysWOW64\Pgllfp32.exe
      C:\Windows\system32\Pgllfp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
      - C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        31⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        46⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 404
        80⤵
        Program crash
        
        PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5260 -ip 5260
1⤵
PID:5356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
128KB

MD5
37977b52c0b88f675fd9c703300751c6

SHA1
bbed60a779cda57ab419246620fe7237c4aa5ae2

SHA256
2da403ff6b339de6bc9d1de48aa957f6800266429af195418991fe3b2954a6f0

SHA512
c1d9bba5ccdcf71ac9472fd614830387b6ec35a342e542e2121604ffd41930d371c2f078c01f0055ee7f1c8d3691de69d3ab53952913644c38bb38ed788828b2

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
128KB

MD5
4513d4274cd05f01e3a4ad6bb51e1755

SHA1
79107d645b72da3f5c8f562cf72be5597ec7df54

SHA256
12f237d1b755e78848f416009849a6ae94d3fec949e7454029a78c3f8123b92f

SHA512
20c682d050c6668cbea72b69d33709b019042fe70d1e0b0fa6200a0149fcdd26d1995d02df04be2f9ffe1a5a71bcedd5e3949ab8a5d3099bab84c7d6fec6fe91

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
128KB

MD5
46a6eba1c7d6e11c7aed6a388dfa17c0

SHA1
2f7aff1b8f0c27a335277f2715fff4cc9cd07be0

SHA256
74cb923c22798d558fed32102bd7ce87863c7b474c7bee885b5cd6a5c37f8893

SHA512
468aa5acf44c95e7e22b2e7ae8a63d73ce5ea33261a67f6f4f6def8ad84a5d6e9a3fcc7c6d192f7f25cde0e1d58590c78c24ffaead8e1d6df3e87e063dedf747

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
128KB

MD5
23a0106844d93b38bca5ae29a63ab942

SHA1
1c2ff388264e55362f578352957b1a1ce249f3ba

SHA256
457b8e05287a28ebf778f45459e61b070cc587879c8e9ef62a9ee2ec260a438b

SHA512
f3f6c7836736d840ecfc47454f0b17ef5a434fb2589be53c1b9d3d721a95e7b52116483b30df31aafa39031e4c0ffddf76f849ba7996cd911dd97cba3a89d2dc

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
128KB

MD5
c0c9beb99487096a954bd5e5beac1297

SHA1
972a075df89f47cf953e1732f82fc823adaf9afe

SHA256
973ac280d260b011be175e16e21a5e346e9fe147e90ae6133f1ea3a94ecacbc7

SHA512
600e9c98b945662c699dbcdec086eda15d2a9aa8ab003380e7c29d51386730574b4d5e0e937a4855d909d0fe297d48f98b09d5f841bed0673851c4e0fc18ad15

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
128KB

MD5
215c36bed3902b5bbea8a504f9aab3fc

SHA1
30599b2514ea610609ff4e24907bccaed3cc9b56

SHA256
ed436a6031118aa68967933ff3f4e79b15172dc7bbc6558283abe2b4cad49aee

SHA512
2b729661c9344615bbffcf8e85c55d69f7047a15c105f575fac129ce69bae0003e84c0c40d684552247a1b02f987154b4cbcac2aa8da504f8f7f576832eb33e4

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
128KB

MD5
8eaece27e63d9c73e02b49a86bf7eb79

SHA1
2f02f656723f84b4428096e9f635482c8106809b

SHA256
0e4268bbcbb2c5b465657878c9bf57db01a4947cb624a21b66702d5cccbf9196

SHA512
63c07ca35d869ef4a76d2c6118f8e089abbb75c168ac45851cee4b3b92574645c02d4b66d95bf301fde60b54f43b69a09be460444e58b9eec7745bd37e85fef5

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
128KB

MD5
a7e2d0ed4481f01c1b43193a31019e37

SHA1
3e854107bd31b6344339f1e2afeb53e5b9775f3f

SHA256
a8b55ec01c25389d8ba1dba0d848fe65a8b31139cf7d45b1003dc0b9730c5bff

SHA512
f3e45ba9891b38cebcaa9fa31a61727f0feb1b90a0ac8b0d242a949a6162f863f85b2ad75778094c385241ca7f56573426ecd99a469ae6b23854f58e55f41c94

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
128KB

MD5
f673e8f61d29c10ba081b9b0404b6f54

SHA1
908d7a829662f3c184c8784eaf513e5324b684b8

SHA256
b2e4c1904934471874df252d3583222c025ef298e743a43743a4d6a00d7c0537

SHA512
53d2bfdf8b3ee41b0e136997297fa2cabd322e70a6ddb2570dd8c3324c40978030669bf549d78f3653681d6427ad8cfb1d9103d6ade4482086362f4c305dbaef

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
128KB

MD5
e39b1c55d9c9b96f44ffdcce708d8301

SHA1
332ab7b0099038860eda816cd48bd1bc356c6eab

SHA256
ef3778cafb5f00546dd73e4d82b5746ccbcd60eba4e9d5eb0968d27951ce5f33

SHA512
4fb55c033681bc355dda3af889e1b732ea6d5f539857a93efd5c615cbbde14d1612f4f5f8413fc2f54c9475c86316e75289f8367f8681d7d96a5cbbd6fe83758

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
128KB

MD5
cabdd6d1163c60bbdd90da7c138417d0

SHA1
41eefbf5ff26ae84cc6213b92a5cd7c8dbacf8f7

SHA256
1dfcbb6711a5f61fed0a9c8e724abbf4c7c9deeb4ee996b9ea54b13462df5955

SHA512
8dd9cb2a01e7c6476a92fc2ef12e58333640f279603fa546423b6abfdd83fe24e5cfbe6057835870fcfb4cd33a52af5eb3c70daeca4f078074576a7112143284

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
128KB

MD5
6796a854fc212c0ebe4ae71b5b1ce6b0

SHA1
6aaf43c666a570f3b8184333cd0a7fe88f5a6c0a

SHA256
78cf52e392de3b00f29bc96aaf8dbdc8c5f6b3d759ff9a8e6ace8a6d89746613

SHA512
11a19038d0fb1f9578c70c4ee8dca864a14aa34543c254e6fc7d16aefa132525427908789a60469b21c14d6172d333c0b2423bd57f00a9f95e1eb28510618d22

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
128KB

MD5
5a8da3c095d93cccc57534801d8128ba

SHA1
3ec4cf7f0850d9c1438c6caee89176c5481db4a4

SHA256
9ba42560d5922a0b77d5f7abe43a4d055abd70dede42a8801a9386e25f62a290

SHA512
7bcd5962c6dcad09610302cc53db61916cb79c3d854fe4f07b9bbf5feb292fc777c4eaa7b6a36332fac42e2292260ff59ed797ae995d8f50eac4eb071d2d6777

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
128KB

MD5
a16f9e6d37758a57d75e8513fc967df2

SHA1
d7fe6daba759c65ae902051a08546b824c3b5e54

SHA256
d9a7f0ed48049118c4ce03573b48710c322e953f42ff1fabec33e1443b966934

SHA512
54c877a9c258a1051820fe28b07e3ed03b7a862c0beb32372637da519cdfb04c6c721e819cd33cdf67b29c12dd7c51a356be595bcbe9be1e47d8a79a1214fd48

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
128KB

MD5
0f215069a69dd511b6c37d0b7b60913f

SHA1
111fa0a18ad18268092b3d3403ada113083a3656

SHA256
85a3c15cb3e0218b2f9506d179bf14ed332ae46b121af7014e658ec66e36089d

SHA512
308919c2dcc00f2c918e27248f2d6978e92920b0b059d249e05a84aec40f071e34a39c0e48c72c37a54186cf972ebcc906dc248473615561d186333f4b609371

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
128KB

MD5
66dc5400bf0e9417adeab626998376cd

SHA1
7ba25ec573f70bf10029df03594193fb9d079b73

SHA256
b6dda895fad692eb7f7d2a51ad3d456636fc03e4ec2ed1dd2d88e711d4f14c1a

SHA512
3a0b7050b2b3db83e7e9749db2f03eb2514e270fdc7b264ac92b279d897622a67cfad180eaa00d18b9420dfea3778436f0e6882dc0e76960486cb43d293bafe7

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
128KB

MD5
56abd6c1f6ea69e02c99b3fb275ae686

SHA1
547f6d1a5c6b97f31516d928296bb55fa4d72453

SHA256
074b9cc05740487121b10efbb2b9043e5f96c46233ebf1ee046c97b679da7348

SHA512
6f258145a6a506ae21844e26e067eb370ba7c4081d4aa2547f9dae8be536be6a43993f2cf94dfe16e774cbda65efedc3783c667ee17625752c48e876326b28d7

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
128KB

MD5
654e7652995a4c58a4e675431a1f8fd4

SHA1
d1c9b2933e6d48fd7e29c333dad1010a265a6077

SHA256
b4328d7198ce405c67d2157361a410e01e9fd08cf3ef58e47f6aa449cb5f88ff

SHA512
373036d331aace0296ba3ac1a2100b2063f7c24bb0e9d913f70fb3ac66fef508e6bcef97cb218c25e397b0380a99cbf67e104cd60b2d1575c73654e1b112c316

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
128KB

MD5
4705e26e498429685c62c1adc3841a0d

SHA1
579aff3158c0ecc7ae83c0113cc788e5b16e96f3

SHA256
99165320ef71c1194e101bfd26a1524fb276031cb063b30f6f3d1a741a83b82f

SHA512
884502c3103d0e83cd0fb5f3ed1e311b2dff426075e8e203316f0d09897c3d8b203557c50c9b2a66eb62d653431bd0385a830eaa91a7f892d032e4212a4eac2a

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
128KB

MD5
9b2cc49b66f5f3b6a8158be409c69d6d

SHA1
fa1bd357df01be816b71e6be6f03c3d7fdf60a1e

SHA256
ddd4f14931faa95fe119da3417ff81731619194c726c05a18a80d18ca6c2ac60

SHA512
dabdacd8443a5eed1cf40ac1d1c29d4467de72eb2868d540ba5f300c405e4c2275732e077ad98d522053f42189855646a1c0bf2340049ac87bb60b6abe9b9cfd

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
128KB

MD5
831cc8ed1c85d274f8461145779c46cd

SHA1
6c3c6e65bc608468612e8a70dee31606160d83e2

SHA256
7acd34679ed3089bec453bf738a90f4fba3ada6d7c93b8b3a32b129493eae9e0

SHA512
b97f7cb9064d6da8b71501d1d69428216696bc142660d50c1c359631a0f6dd3a587f647e0979f1c3233431006198b4fdd794bf31085d00ed84ca268d0219b81b

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
128KB

MD5
ff53e613d111d82e25456fca80e10630

SHA1
1270ec073db4c731309efadb80ac768497920dd7

SHA256
7b26860a67b1e07103ef3ce38ec0ea295ac8cc70a23264395da0ed1d27c1287b

SHA512
42279c4a30cc7160cf71bac1621e0bf1d8a1db96aa819dc369280adbf96fbea04a9986e2719ddc1992c180335151b4b04d9875b74710fd62dda7b83023645445

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
128KB

MD5
7c90e6a622cd2bff3abd78d6ed408dee

SHA1
84016c68b88099bc5e540f8696862f32d916ecaa

SHA256
fee3c46776b1902bff3fac631f1ac6a26f3ec21faa002ffcb37c7c2cc4d45f9c

SHA512
54937346c29a4a93ef300529b8af403a44a597db7566c3cf32784e58cd252523260972813bbb4e9c46b7988ea977f7b4655e4ae57eaccd5caf431f011634cc7e

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
128KB

MD5
ebef270969bfbdafac327136a0814ce7

SHA1
2c243b3cff85fea9dfde4bbd7733dbf6f9a62004

SHA256
3a51e0b19ee82fc66e26304f2244df6d6afd1b747b0ffddcc29d0342d892c35b

SHA512
f9b65a92b83b3892eef8f3494f7a2fb887bc1ab57ddf4490432db63b994c47386c18e22ce93af75592e3c46c10430a419e9dbe7aa7965d497208f581bbdddbbe

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
128KB

MD5
402dadf90b0b78dcc8a7b3524bdb7743

SHA1
77ee164b1389d3e0e6306609f8c32a31355da2a1

SHA256
ed633780efc80105ed83de5d9a278cef2d6632346890fe0fe56f27f6e46428db

SHA512
151def957107309d36b77ffd5c4aa7561d5a5c4ecd89ab324c9af1da2d058c5a08aa21fa60c4123b13c5f9bab3369fb61d2206b15784a85180600c9f7a0838d9

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
128KB

MD5
c0fe1f20cd73243e8e8fe79f6a591f33

SHA1
f12bddca028a27e647b0015caa47212b74fae89d

SHA256
a4877718f483e3f7ae75173fd8042228ef4c51e7d2fdf5b957156ef91c27c36b

SHA512
73dcf0fb9770be2b79c936cfd65f172c0163af4a1538e528cf2d41c68ee3851fd384ecc20e5f3bcc905fa6d329b22567a50e3ce279fc72524f9d7da2b69e3556

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
128KB

MD5
018e853c89033574753ca947842d5a21

SHA1
7150ae69c34127020356558a2de87149aea31caf

SHA256
7f3987ce921ead09007041b7d0b53b6ec93a54451ec6f09f0e381cb853d1337c

SHA512
f8b044c57a45f562ca487c85e50b47f480d517080e8735b9a4c9c63ff7e843966cd8f38410eb3fa07d4dcc6489887557528212cbd5b8e0bd5e53e05b2397bab1

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
128KB

MD5
f1587299d86d0455bdb712ad929e7674

SHA1
0214b5c56d04317bf2cd67de3ba61da41bb9f9cb

SHA256
e589f7498dead77679e53d04d77114f4b74e0df839b60ab87f11689a714e5f42

SHA512
01cd50ff3357ae67e15a996b8f5ff409f457a51375a82f790acf83d10ba4ff5e09f0609eeba2b7cf22efb021d07119417d3b2cc572774128fc63607da1dfe142

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
128KB

MD5
30a6e9b4e4b60e071f86289e4f1d258c

SHA1
09789027a56117e242764467f78c57b7d4b39aef

SHA256
5911c755db2e6bf5e2cb2fe7b401ab0dd600610aeced6e2f497c3b771aa0ff73

SHA512
075f4118d5ceddbec6d2bbbac21cc77929b606250ab39a8fc8083fc395fd24df6fbf36e030af8ec682b80d2338275c013e6d3e62f6cd37ba25d5efe8aea8b9e3

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
128KB

MD5
792d02d319cf654040d31337a3a4f4b7

SHA1
deae14b779fccbb3e5a1c2a9d225013f6056e477

SHA256
47243243f406a858fc829ca6cb893ecdcc89b6dfba13413ded551528428d2fb5

SHA512
67cfcfdd1c0420cd521b8b1a51620039a3141e9b2671cd80e72f1d172c6e326fa013ca1ba5671552776b50882101fab3ec458ba67eabf34a604e2b307d15c69b

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
128KB

MD5
240dd69afe9fb84eec715740fa14ea1f

SHA1
5e1586c1c18cf9402adb25a6a75c252dc993cc66

SHA256
1e58058df314aec7e5d598fd83b1e4ecf989b99fa297829623b77009f6925a8e

SHA512
f3fa1d5743901ed396d6f800ba427c4b2405c728d19df0b062eae272805c3992ca8a8763d5d13287f0f0661f458c9101f2b989152d9bf36a5bc34f87a528cccf

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
128KB

MD5
ee21b1c7f0f3a2d5cd720c9d90e97add

SHA1
d806a09869967b516414a3a41046e1f318634ea8

SHA256
65fe129a0e72c5f0b839205db32c8afab7db190e99cd810a01e2b3bdf58df984

SHA512
d7489cfc004bbc8bb02294d35df82aeb9d79fbbe847ca158332184d056068d8381d34e6a27447ae86e8ba5bf2fd98521ad3a2673275aaf5e2dbbc151ce0f622d

Download Submit
memory/372-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/916-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/940-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1000-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1000-543-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1236-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1688-541-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1688-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-645-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3160-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3184-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3332-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3564-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3564-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3580-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3668-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-639-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3868-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4736-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5136-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5136-535-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5176-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5176-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5216-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5216-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5260-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5260-529-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads