berbew | 7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd

Analysis

max time kernel
131s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe
Size

552KB
MD5

8a70917a310403aa80a8a1f0704457a7
SHA1

ed16bad68fc0a6966692caba6204e8a8e95a4bf8
SHA256

7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd
SHA512

c5107da8991d6e480c2a8e22720d01e7aaf6141645c1e81a2ecb3cf2be27c7078f827bc960ac4ac8a454c8876b03c83612bcbb43517c1a4fd1c17a4d8c1ca50d
SSDEEP

6144:N+C5W7z1ubi+F8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqX:Nt0zE+287g7/VycgE81lgxaa8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dajbaika.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aibibp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Egegjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aibibp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eddnic32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 59 IoCs

pid	Process
4268	Aibibp32.exe
3392	Aplaoj32.exe
2880	Abjmkf32.exe
5080	Ajdbac32.exe
5084	Bmbnnn32.exe
1940	Banjnm32.exe
3340	Bfmolc32.exe
2144	Biklho32.exe
540	Bmidnm32.exe
4084	Bfaigclq.exe
3668	Bpjmph32.exe
5092	Cibain32.exe
5072	Cajjjk32.exe
5024	Ckbncapd.exe
3540	Cmpjoloh.exe
4512	Ckdkhq32.exe
1720	Cancekeo.exe
4352	Ciihjmcj.exe
2488	Cmgqpkip.exe
1440	Cpfmlghd.exe
2776	Dcffnbee.exe
1208	Dknnoofg.exe
4360	Dickplko.exe
2288	Dajbaika.exe
4536	Ddhomdje.exe
1956	Dpopbepi.exe
4712	Dcnlnaom.exe
4884	Dkedonpo.exe
3108	Edoencdm.exe
3300	Ekimjn32.exe
5044	Edaaccbj.exe
220	Ekljpm32.exe
1560	Enjfli32.exe
1844	Eddnic32.exe
3468	Egbken32.exe
4080	Ecikjoep.exe
1696	Egegjn32.exe
4232	Enopghee.exe
4204	Edihdb32.exe
1376	Fclhpo32.exe
3508	Fkcpql32.exe
4384	Fnalmh32.exe
804	Famhmfkl.exe
2952	Fgiaemic.exe
4676	Fjhmbihg.exe
1352	Fboecfii.exe
2100	Fdmaoahm.exe
2904	Fcpakn32.exe
1948	Fkgillpj.exe
3048	Fjjjgh32.exe
3912	Fdpnda32.exe
3624	Fcbnpnme.exe
640	Fkjfakng.exe
3920	Fnhbmgmk.exe
3088	Fbdnne32.exe
2108	Fcekfnkb.exe
4924	Fklcgk32.exe
396	Fbfkceca.exe
4932	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Adbofa32.dll	Fjhmbihg.exe
File opened for modification	C:\Windows\SysWOW64\Bfmolc32.exe	Banjnm32.exe
File created	C:\Windows\SysWOW64\Iponmakp.dll	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Cmgqpkip.exe	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Egegjn32.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Fboecfii.exe	Fjhmbihg.exe
File opened for modification	C:\Windows\SysWOW64\Fjjjgh32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Bhkhop32.dll	Aibibp32.exe
File created	C:\Windows\SysWOW64\Abjmkf32.exe	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Dkedonpo.exe	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Cnidqf32.dll	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Fkgillpj.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Abjmkf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Pjcblekh.dll	Dajbaika.exe
File opened for modification	C:\Windows\SysWOW64\Dpopbepi.exe	Ddhomdje.exe
File opened for modification	C:\Windows\SysWOW64\Fkjfakng.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fachkklb.dll	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Aibibp32.exe	7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe
File opened for modification	C:\Windows\SysWOW64\Aibibp32.exe	7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe
File opened for modification	C:\Windows\SysWOW64\Aplaoj32.exe	Aibibp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgqpkip.exe	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Cajjjk32.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Ddhomdje.exe	Dajbaika.exe
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Nhbjnc32.dll	Eddnic32.exe
File created	C:\Windows\SysWOW64\Eclbio32.dll	Edihdb32.exe
File created	C:\Windows\SysWOW64\Pbfbkfaa.dll	Fkcpql32.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmbihg.exe	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Apmpkall.dll	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Cmpjoloh.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Enjfli32.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Egbken32.exe
File created	C:\Windows\SysWOW64\Fnalmh32.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Fcpakn32.exe	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Bejceb32.dll	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fdpnda32.exe
File opened for modification	C:\Windows\SysWOW64\Banjnm32.exe	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Bfaigclq.exe	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Kdfepi32.dll	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Egbken32.exe
File opened for modification	C:\Windows\SysWOW64\Fkcpql32.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Fjjjgh32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fkjfakng.exe
File opened for modification	C:\Windows\SysWOW64\Enopghee.exe	Egegjn32.exe
File created	C:\Windows\SysWOW64\Fhgmqghl.dll	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Mmebednk.dll	7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe
File opened for modification	C:\Windows\SysWOW64\Abjmkf32.exe	Aplaoj32.exe
File opened for modification	C:\Windows\SysWOW64\Dickplko.exe	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Dkedonpo.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Binfdh32.dll	Ekljpm32.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Engdno32.dll	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Bpjmph32.exe	Bfaigclq.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Ilpgfc32.dll	Banjnm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1348	4932	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpjoloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbncapd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edihdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbnnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfaigclq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknnoofg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aplaoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajbaika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjhmbihg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmidnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fboecfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biklho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egbken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgqpkip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aibibp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkcpql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnalmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbdnne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmolc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkedonpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjmkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdbac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdeeipfp.dll"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll"	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmojj32.dll"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engdno32.dll"	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfepi32.dll"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgilho32.dll"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakcc32.dll"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpcgc32.dll"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjjlakk.dll"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Biklho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkodmbe.dll"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpgfc32.dll"	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgqpkip.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 4268	3344	7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe	88
PID 3344 wrote to memory of 4268	3344	7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe	88
PID 3344 wrote to memory of 4268	3344	7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe	88
PID 4268 wrote to memory of 3392	4268	Aibibp32.exe	89
PID 4268 wrote to memory of 3392	4268	Aibibp32.exe	89
PID 4268 wrote to memory of 3392	4268	Aibibp32.exe	89
PID 3392 wrote to memory of 2880	3392	Aplaoj32.exe	90
PID 3392 wrote to memory of 2880	3392	Aplaoj32.exe	90
PID 3392 wrote to memory of 2880	3392	Aplaoj32.exe	90
PID 2880 wrote to memory of 5080	2880	Abjmkf32.exe	91
PID 2880 wrote to memory of 5080	2880	Abjmkf32.exe	91
PID 2880 wrote to memory of 5080	2880	Abjmkf32.exe	91
PID 5080 wrote to memory of 5084	5080	Ajdbac32.exe	92
PID 5080 wrote to memory of 5084	5080	Ajdbac32.exe	92
PID 5080 wrote to memory of 5084	5080	Ajdbac32.exe	92
PID 5084 wrote to memory of 1940	5084	Bmbnnn32.exe	93
PID 5084 wrote to memory of 1940	5084	Bmbnnn32.exe	93
PID 5084 wrote to memory of 1940	5084	Bmbnnn32.exe	93
PID 1940 wrote to memory of 3340	1940	Banjnm32.exe	94
PID 1940 wrote to memory of 3340	1940	Banjnm32.exe	94
PID 1940 wrote to memory of 3340	1940	Banjnm32.exe	94
PID 3340 wrote to memory of 2144	3340	Bfmolc32.exe	95
PID 3340 wrote to memory of 2144	3340	Bfmolc32.exe	95
PID 3340 wrote to memory of 2144	3340	Bfmolc32.exe	95
PID 2144 wrote to memory of 540	2144	Biklho32.exe	98
PID 2144 wrote to memory of 540	2144	Biklho32.exe	98
PID 2144 wrote to memory of 540	2144	Biklho32.exe	98
PID 540 wrote to memory of 4084	540	Bmidnm32.exe	99
PID 540 wrote to memory of 4084	540	Bmidnm32.exe	99
PID 540 wrote to memory of 4084	540	Bmidnm32.exe	99
PID 4084 wrote to memory of 3668	4084	Bfaigclq.exe	100
PID 4084 wrote to memory of 3668	4084	Bfaigclq.exe	100
PID 4084 wrote to memory of 3668	4084	Bfaigclq.exe	100
PID 3668 wrote to memory of 5092	3668	Bpjmph32.exe	101
PID 3668 wrote to memory of 5092	3668	Bpjmph32.exe	101
PID 3668 wrote to memory of 5092	3668	Bpjmph32.exe	101
PID 5092 wrote to memory of 5072	5092	Cibain32.exe	102
PID 5092 wrote to memory of 5072	5092	Cibain32.exe	102
PID 5092 wrote to memory of 5072	5092	Cibain32.exe	102
PID 5072 wrote to memory of 5024	5072	Cajjjk32.exe	103
PID 5072 wrote to memory of 5024	5072	Cajjjk32.exe	103
PID 5072 wrote to memory of 5024	5072	Cajjjk32.exe	103
PID 5024 wrote to memory of 3540	5024	Ckbncapd.exe	104
PID 5024 wrote to memory of 3540	5024	Ckbncapd.exe	104
PID 5024 wrote to memory of 3540	5024	Ckbncapd.exe	104
PID 3540 wrote to memory of 4512	3540	Cmpjoloh.exe	105
PID 3540 wrote to memory of 4512	3540	Cmpjoloh.exe	105
PID 3540 wrote to memory of 4512	3540	Cmpjoloh.exe	105
PID 4512 wrote to memory of 1720	4512	Ckdkhq32.exe	106
PID 4512 wrote to memory of 1720	4512	Ckdkhq32.exe	106
PID 4512 wrote to memory of 1720	4512	Ckdkhq32.exe	106
PID 1720 wrote to memory of 4352	1720	Cancekeo.exe	107
PID 1720 wrote to memory of 4352	1720	Cancekeo.exe	107
PID 1720 wrote to memory of 4352	1720	Cancekeo.exe	107
PID 4352 wrote to memory of 2488	4352	Ciihjmcj.exe	108
PID 4352 wrote to memory of 2488	4352	Ciihjmcj.exe	108
PID 4352 wrote to memory of 2488	4352	Ciihjmcj.exe	108
PID 2488 wrote to memory of 1440	2488	Cmgqpkip.exe	109
PID 2488 wrote to memory of 1440	2488	Cmgqpkip.exe	109
PID 2488 wrote to memory of 1440	2488	Cmgqpkip.exe	109
PID 1440 wrote to memory of 2776	1440	Cpfmlghd.exe	110
PID 1440 wrote to memory of 2776	1440	Cpfmlghd.exe	110
PID 1440 wrote to memory of 2776	1440	Cpfmlghd.exe	110
PID 2776 wrote to memory of 1208	2776	Dcffnbee.exe	111

C:\Users\Admin\AppData\Local\Temp\7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe
"C:\Users\Admin\AppData\Local\Temp\7a3b9853231f9cc02e6a5fa7a9c38c6d8f38b63047a4d23673c089349fb8c7dd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\SysWOW64\Aibibp32.exe
  C:\Windows\system32\Aibibp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\SysWOW64\Aplaoj32.exe
    C:\Windows\system32\Aplaoj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\SysWOW64\Abjmkf32.exe
      C:\Windows\system32\Abjmkf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 428
        61⤵
        Program crash
        
        PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932
1⤵
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
552KB

MD5
5844eda22d6c74105b49893af26b9d88

SHA1
c06ea1cb3fbf7822b069a0f2212c23aed4fae1a0

SHA256
89c377af54fc568028bd709fabed4d378c7f6a7b81cc6bc0270d60b850c3cc97

SHA512
5883a54fcf7e3bac1590247ddbdefcff55255c7aa61d0b2d39e448c791e7e22abd422c27551b4c90be70cbd53eaab323d3fa70d85769fe836e716b973ce47d7d

Download Submit
C:\Windows\SysWOW64\Aibibp32.exe

Filesize
552KB

MD5
dae171cb752a8dc5fc31d9563cb16d28

SHA1
1aa3e234170682caabcdcee79b52bad544b40776

SHA256
3a2450a3d6a1ec5577d05918d6c3dd93d1dd4ea572f6992e6e1b08a004eac494

SHA512
d806e26aee2b3a2fad3bb5b1770ba82861ff54fe2a7d39b6076fd4b6cf8cb754fe90b01f4c9ed8cd4eda92d472e774690e668a7b7432ebcdf9184e0e1003fae5

Download Submit
C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
552KB

MD5
3c29eda4a5a9e80a058e1390cb451f4b

SHA1
a4324d0faabc607f265dcf5f3d58f8a30903cfa3

SHA256
07ae30151f05f26425398a0410d3e74ae01f0b0464569bdba419cabf093939c1

SHA512
252575cf3a4412d1936380310f8c2f287a7a914ec59e4c713050002b5912c2d60bf03e138a31ecc0d849fae332613d7d79d733f273a23670ae00de48d4232910

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
552KB

MD5
21ff08db8cbb5872c1b59adbddf5c140

SHA1
57dc2f97bcb8da36bade4d9dffc7ed3d4becf869

SHA256
cf13c431086fa227f9e1e0c3b5a8c908608d30c2e5fe8c77368a2d0adf6b1796

SHA512
d20ebc6e04a85066fd62f3be5d009157a469cfef88ddfa3cdfd246ef2e0abc125554b4615abba7cacec587d4c881aa9ac8a3722cc473a3f5910fae81e740201e

Download Submit
C:\Windows\SysWOW64\Banjnm32.exe

Filesize
552KB

MD5
2ede5935ac232855b09defc9c78a605c

SHA1
ec4eddc1ea2f3899db268196fda313aa0b09828b

SHA256
124d579d15a331166203914ee77e01bb00c1acd925fd54b7c13bd30707daff03

SHA512
f0d5d159ef5b0180ac37edd4031cca9fde0ac9af9c798515111f79ac475ea31645b9f62ef305782aceaa0e2a921f4b5b5ed9c5645aaeea62783df1dd5acc702a

Download Submit
C:\Windows\SysWOW64\Bfaigclq.exe

Filesize
552KB

MD5
6ad7e8ca43bf34683563958cd24a12cf

SHA1
fd4d5c4f356a9f46af181334a68a521b3f7ac71d

SHA256
1ac1ce2b9740e182baadb97595b8ee93dd05232f6ecda7f6895b80cd8188fd85

SHA512
d504c7083c00b58b29b90ceabd6f15d7e9b006b9c711eb6f2bffaec9eda1a4d424ad4130fed4f8ea2cf2c337964937c60f26df70b90979dd3c625ea00e04b259

Download Submit
C:\Windows\SysWOW64\Bfmolc32.exe

Filesize
552KB

MD5
519dbcde9cec56f202fe88e771323fe5

SHA1
ee752fa5aada723c11717af34606a5695cc317e5

SHA256
e043debb0353ca3343f6a4b9f9801f2d8c68e481f1b5efddb64680c403f112f4

SHA512
13ac3f9947bef3e8fd2ea80c1709d26fc500fa4f81d69389c5fe20924390810f834ab8a5f39827f39b83dacc7197e08a91bbe6377f97d6eefaa6aaf8a05eb69b

Download Submit
C:\Windows\SysWOW64\Biklho32.exe

Filesize
552KB

MD5
2fee00c1ca57c351f47687b31877e1c0

SHA1
0102f0244b7430879adb0145e063037cef85082e

SHA256
908106e255b1421defdf88da0b6130b457e644d5b90ecd8e6d78389b8ee5b206

SHA512
7f1516b109eba74d9b238fdf072f7cb7fdaa66c2d9bde5a11160ed5f0993888a0220f18fc56df036e63233bab381f1430b9830506d1484a9ac4a41e72111d16a

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
552KB

MD5
552688711407fbcb1b2a590e96aefa4f

SHA1
81a95c983434a25dcf60f13b91b1587629d66874

SHA256
9ffae09124377128fe27a14489cdafd261e7e46ebcc3074abdd02e57bc168a9e

SHA512
c1b31abf8c491c6157a3dd1b8111659bca85d7bbc63a4142d74f6cfcd96285e0de1bc559e76193e03dff8e55e2869a62d1f2cc92962ff352cd6ba523630c8366

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
552KB

MD5
a277cc0e3b18a132de7af974a4a799cb

SHA1
0b3800aca29bca364df7eb8a3e443b199c74b1af

SHA256
2639b3d95836b38a4907b4552ca34a3f9641d34a0574d94d6adfdd30bd341538

SHA512
84e97dc2fbcb4e4e956fe1ad99d7fb37c58d64406ab0a0e6f097609ac3f543e53d18911cc51dd7893bc21853e9a072f84920c2d31f63c3a023b7173e76ff3743

Download Submit
C:\Windows\SysWOW64\Bpjmph32.exe

Filesize
552KB

MD5
f7b2a6356cd4b58ae6c65725716a34d9

SHA1
14d223d252d014627252f361bbbaf1303abe98b6

SHA256
05a9457ba9f75bde07cfceb833a76bedb7eb4a0f08269b8ef27564f9bb1e8747

SHA512
7b094b0d5285a2ce72b6d035cfc1223cf68a86ed60f3f86bb5a136e7b739ff98923ee306a1f7922d5c54dd36e320668aa5fc2bf76d5644cff5c3a9aaddebd344

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
552KB

MD5
22ba2594d41045e6529460d4aa4da711

SHA1
925df0aa940efde2508afad38f7cab718d3b0804

SHA256
758302316cc3a9c80bd450d8530dcafad413578753514543f8300694e4c77594

SHA512
385406b7c2e6bbde4cf635c443e1f7d5d9abea06c32c617e00393c176f2447046079d74db78449cbeb3de57f1cf1189551114f26e2a8348c0eee7919b8b047fb

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
552KB

MD5
d1f3d8d5df1fb729f095249c53391a2d

SHA1
4464c3908d0b81a2fd73a12b73dae6c334f32bb2

SHA256
9cd4438073440f7f9414b85c5fe652fdfbd65000016f2ffd6e8781240bb588b5

SHA512
55aa7e8e9fbec08628102c9e904ae1b657bb01e6bd151f5b4ea01dd9d1180aa6f91799233e0f54b99321360e2f88cb1b278335cc30f9b16ebe31f9e0112c68a6

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
552KB

MD5
f0028407ac675a142bf6c2e841ea5cff

SHA1
542caa8ed0ac1fa04b0a230d74f305b4cfb40250

SHA256
185ed70adb332932e4a1944dffa6efdc86cc61d44aa673543660d5c0f0105b57

SHA512
f86dea6e85554a3ce81b6f45393bf4310d49cf210836aa48d1003eb9e45561a481f76385897eeb34ce0ff140f7d1bd7e149e2430055544b710704d7c93db34ab

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
552KB

MD5
4fd3bda29ad95ccf160458124330687c

SHA1
233bb2670dfa62f84454323425958e7e060d373a

SHA256
84793af256822e0e2a4c6f9835ff9bf750142d90e3c12d148d8d408a590bfa11

SHA512
eeefe881fb2493f8eb9872963182cf042f1645aa96f50ae21b783dc55c5efd36cd811ef4a897cc8c9dcc66379ceb9a56ab36583287f525c91489d5f6539de908

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
552KB

MD5
2ff496b15929ffb66705ef533c4aee59

SHA1
012876d9f7f687aab7709d6f168547400e607c53

SHA256
2bd18885c8c599f8c53a62e0ba072289fd347c045f716d977d59aecbf76f2227

SHA512
8ea48b6864cb0fa487693804d19801532186377d35d5762cc2324e94a9fb8860269bc51e56951215b07d20778a3bf639a6f6b02c9b06ce76be96b9cd358f5b52

Download Submit
C:\Windows\SysWOW64\Ckbncapd.exe

Filesize
552KB

MD5
c6f32bfcc93a027e271d9dde61667e56

SHA1
9f927a2fd996ba1e37b5b0287085a68f749e590d

SHA256
fcb1d05bb95571075217bc473d5a34f083ad0394343f66e4756df0a2007d5c1a

SHA512
bdbc33ace82049b9bd9cb6b7021e25480b860ebd87641d23495a2bfbcbbc0cff57c76bf9caa9c424cb373f963c7550803e5f9fdc88e0faf4bff5695b6a6cd856

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
552KB

MD5
48fcce0a5f64d8dffdf600b35c369168

SHA1
677ef5a8629f993f55c8e91ebb06aec927aca184

SHA256
2b8cee118a90799caa4a72a54bce499b3785ca6dd287147f0965c69c4c9a61ae

SHA512
5ac57db899ea269fbbaed07ba7fce4eb0b61c30f90fea25d771c95a88bd02280be21cd2e074e7bd0465a81053ccc21efdbd6a50a899ea150a1338db285213c22

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
552KB

MD5
e89c58d45e3023cb45942ad2eac4d966

SHA1
85459354950ad7cdfdb339bd006210219c7d567e

SHA256
3815e4f008dee154d5c1e9532759ad416dd3afa705b25652a500eca58b8c3fa0

SHA512
ebbe7cff1e0d38792f5d9d6b9e54c191080c09dfc6587357a0d26407096dc4e7a41737facc37f4b1f0c09708f5bb84875fbf34c5c6f1acac0eaa366dde37308b

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
552KB

MD5
8f717d564836baae60c532680a86e0c4

SHA1
8b7a4be20f5deec06570ca2922ce2cc813662a82

SHA256
b995729fa5c5fce8c52dd625af9f8430a47ee4fdffafc1721734ef9b853b220d

SHA512
c3e92eea8d3c3bdbd65fe98c8db705a509d79607a11c2c4d7db7f919d1b9920f2a8003ef768fae8582617780b578a3ddfbb767f067454c6ea6134700fc23efcc

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
552KB

MD5
aa2879025cdc5e96bdf2d6b1a4059e9d

SHA1
9e141b1751fa880e38095416a6d58ef1c6ec2fe3

SHA256
b75be8e3c29b32ebadb16a0568693bf43bea26c0b56fd17e8194d40f9345d437

SHA512
829e0c7dbb814a81d667e35fd71756eddcbd367b352efd8b8e2ed669e84d0ef4f6acfc747446b61791957602c1839df085d6d1a18985a165a33ca05f0b1d67eb

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
552KB

MD5
9e5d931017f3b4622078343ba1451e5a

SHA1
cb30bf6c34372b4a2ed299f341e9e375f4ac9c2f

SHA256
4aced303cc4b41c0b87850014634dfb09f92a481c9505eb056de8098c1eb78ff

SHA512
eb29c42182d15dbb90be0729a665333374869975b1d22ad5b752e6ded0f9ea2e9dbab1ab98dba93dda883f3e7fe9a26cdb87f6728ec086068e88a165cdd2c7bf

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
552KB

MD5
615954bb099c9c73d33bd600f5a937e4

SHA1
0e31fe05106f8816f966ed38faa97c9f929ecfe9

SHA256
e809e9549b11d0818ad00f1b58fec93fb536f3c4656876796c9039f9a38404f6

SHA512
08e6fc5725ad00706a9d8673f09d4e79f84cd8fca054fab2efa3fe3ab052dac078ed5bd40b6565b82a68bc94ee2892f068038439691e7603b90ddc5a818582ca

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
552KB

MD5
8dfb080a5a27bc3373f66279e653f201

SHA1
9cdda36d3a70dcac8c1e5b8ee3f62d4d1dbb1d8e

SHA256
0fd6776dc8b417966de2c806734dc57adb48dfc1027f77f134842206651d11ef

SHA512
1325e5e634467544a5d912c49f2493e8b11598ce3ba6d6f5e4c3dad6baf17359bd1b452353b7f96b524a7c04a4b3ab4ddee3fcbee990917578ada09a50a1c990

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
552KB

MD5
9f2a651c0fe43c2bafe9ed3c0d31ba21

SHA1
ddc4bd425f7038fe152af0cdbdbc8ca9efec34fc

SHA256
0b405d22b5e7c240735328d7a7a3a6a31e649385b0cabd03707bfeac0e9da2fb

SHA512
cc700bb049ba412ea0c68cf7ee628bee39d68b8ecaea9b8bf7ed941da45f89b635bb9a249eb913ac4e06bc94a35ac5f8c4987084aef1f4e2b81b8332bfe984df

Download Submit
C:\Windows\SysWOW64\Dfbjkg32.dll

Filesize
7KB

MD5
51dd56676c85c56b9599d48d601072b6

SHA1
ede8212f5eb312350752d67b97488abde574322d

SHA256
1c8b36c9f3c3b40170c3593ff8065a07c816f6955638e44a04553000d0c7b915

SHA512
2a3fd5028ea88da76e89f00066ff04cfd7c939645bb870e9850ac7bef95cd98074cff8bad0d05bbc4f221d68ff525cb915606082b52a31125e6009e2ac288b50

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
552KB

MD5
1feee921202a31a15f308665fb6183c6

SHA1
7465dbded3f7c2601817b575b3e81368747ced83

SHA256
09516539083b8c0d206d82d08bd3495067e256d9f807bceff11122488c224852

SHA512
ff5952e5c921fd62516e1f69044a7ee414092e3d80541a65c5e7c40e46a3757140e157c4d043e85af028efc9c89a8771e0ab1aba6e60cefc2881d9169b70df7a

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
552KB

MD5
1887f09a1f2ced5b0f0193be188ac90c

SHA1
efaaa200473ab836977a35bdf9439f5fb3d3cf7a

SHA256
8858bed4b01bcd443ef3c3a80edbdbdf4aba219d696055829b4d0fc864784b9a

SHA512
67f3395360357ba0f8cd165e55e8ec0786d75c891da0703d4dcf48c42337e00788ec462d8ded5c578a9cc13e9e0339fedb818e8c5600f160d35c2d71c16fec44

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
552KB

MD5
6eb6321709870cc548d86f82951e6ab1

SHA1
7778666c77c5fcd86627cb0b750a4ef195ff5a72

SHA256
bd11019a5d4cc85aad3da73b1aa883ac1409c3c4eb19cf9ac63f30d3b2076d6b

SHA512
8e1ea3627e7188719503f7eb7841b467a1d743970fbd34d4bb4994f0ce362b8a2db43c5bb548b05d850db7fd716d72ac1c676901430927bd1af396255d3d9225

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
552KB

MD5
e0f97a34d2cb9e83c060c1fcc51b29b3

SHA1
ee658c0054c3ccf8ff683029c127dff5dddaec58

SHA256
0b4b088090e78659eee65877b92246d05c05ff3831d49cb27d6d04d46264b894

SHA512
dcd7c255b24df77cd70cb22e563626f620ceb6410ae6ef4cfea5cfcd0138d40c9c578253bd1ef2fff8eec4af9c6a55654af22df5885be724fcce0f4a6e58747b

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
552KB

MD5
4b8a80b3b06b8e5f2a2df7577f62701c

SHA1
76673719e9b2404b7b8fdc4376dbed66a1aa88b0

SHA256
8e54e34ba89d25be5d0995a7b5f496d2dbeca4484e984d08c536233c3708802c

SHA512
b049e56c6e6f484dcc30c348db0afaac47245c2e6e4bd46076f7e0ee871a6589df12457612aaf2b91e6065cad942f920628912ebf3be103e2c20c8bc66229bc0

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
552KB

MD5
160047d84d3032490eb8d59acf23bff9

SHA1
44c31c70de46aca7f5745167c1d50c5fb001d891

SHA256
2b6c6e633463976c9693f208ced3bafecc7daef0be76685e2c4c4a7e1bce7222

SHA512
a645a2a50b7c19a8400ec04c293c936109a5c753777e9910385817b88180daca584ea9810cc0a0c697ef74ab6ad124ba82e548ae199f28298276bc44be210e22

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
552KB

MD5
aaa1b17844cfc8f718805c91b1d1773c

SHA1
18fbd0e097868f28ae830b799dab35f0251d2c4d

SHA256
1e605ae1735072f0b1959b2a3d6fb10b75806baecabbfd90fff2ba339f932157

SHA512
660d85a1b548004c2d1589dc36490c3fc1beda458c0a3a551baf4d6a2dcb7cd9698a58dfe8a30207c06e83d9dc9dd8e752b5fd542549431a66c5c8b3dcad6c83

Download Submit
C:\Windows\SysWOW64\Egbken32.exe

Filesize
552KB

MD5
80bc3afed3658c155f9dd1abdd0840be

SHA1
e18b8e4bf056e62c087aef419024de3bf328d12a

SHA256
0dbb1c414792c58816ab47fea8edc8388089876d581ad5d8f5ca15a6b6bb1053

SHA512
1ba6ad43df9d6ded04cf10a752f4653192d327ca945d9abeb436cff9973e261cc2112892c9f88b51d2c4a9d684c3213a56f352f950a93581392b3cc20f24f9ad

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
552KB

MD5
b7d689921e7cb46d790b193820f4a526

SHA1
1da6e92e9463272e7691bafc2a87a9850908c2d5

SHA256
f483aca04b7446a6f90f273f245d06a855e87cd00c974bc312b103caffed878d

SHA512
46219f1e5b5ef0f11b6876cc3017f1dfbd5fdcf985be1a2455ee2c20799ba0bef4262a2009eb93490d912cf1cb6aafb6922feb86a7cab0fae82777dbff25fae9

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
552KB

MD5
4e311f1c0ee583e3eb37786ac23f18ea

SHA1
51aaac0eaec1cfe2347bb584871d2c5135112436

SHA256
a0a9de3a63a07ffb01c375e398b11fef07fbf6feddb42daa3dbf7e46903eacc3

SHA512
1fc139c0112393a7638f743fa7c4d3e30b944f5582af0854c47b1d9fa885de2cb81754dd70488475529d46974713c561f6a3793b213bec737d427e1157a95659

Download Submit
C:\Windows\SysWOW64\Fbdnne32.exe

Filesize
552KB

MD5
809d4ebd6577083da065d656632bfc54

SHA1
a440b5a13a15f09f29f5b963feac4d400b303e05

SHA256
a23cf20d0cd3153d92ebc14bdc71ba891112d43c8f2b11511b56402c896422d3

SHA512
bffbee32451e03738c64cb3d07a174cdf62d0fbff3b6458c871608f03062e9670ed198b4d4f8f7d495577f52d9ce1a6a431ae15cdbf5d00cba91467fd75808d0

Download Submit
C:\Windows\SysWOW64\Fcekfnkb.exe

Filesize
552KB

MD5
0fcc87e70c5f50ca3c25e2403bc24af4

SHA1
1d13d056a8ba4013beae1ea54aa0d4b7f912d22d

SHA256
e375832ef9adc766e01cc9896f22193b469d25c412f69f8445fed9c037bace97

SHA512
3cafa2ef42cbd415d41b07cb143369e2d7d9273a171287a8d291058663b88cdd0a62da70b6aaa3c4ce5a8768a7acb94b8d9a6b20e722ed8054c3ab568ff7e9c7

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
552KB

MD5
88b7d72e8baf31759c5a6e36350310ba

SHA1
6bbff81a0f57ad9e8bf630aa5db41ff55e84a602

SHA256
3bd6435a5da779edb874ef14ae38dca822162d57af171ccb740d9d146b4371f5

SHA512
314a11a486a5034049764cad4750a36ce6027d6f570221ba62026c6bf501cc7368da7a6c6603bb2ca322d1817f16653e74da2388d517b72e21d78fa9d7a8dcb6

Download Submit
C:\Windows\SysWOW64\Fjjjgh32.exe

Filesize
552KB

MD5
80297db84d7ea18011a89384c1c6ea52

SHA1
b94d428da5f16497e03231b5d755bba8cb8280b3

SHA256
c45bff09bbc1af5c714236edd5d6137ea3cd096d9a08aa45dffd1d8d032afaf0

SHA512
6742b0757a497aed0d8111dc95f9485bae7c085402bcc540e4b5eaef651b8712c8d9f5819d162f3432f46b9b4e8d79176fd6d24d04a80b40920703848d781217

Download Submit
C:\Windows\SysWOW64\Fkcpql32.exe

Filesize
552KB

MD5
5ca379c0ca764a2a38f66d485b331df3

SHA1
de8daab752091cc6b545af64855e3290b6167c75

SHA256
3ea12f35b5f31765747f99c2baf56c7895ad6bc4bdedfb4d60d1cb041eef04e9

SHA512
602809eb154c25644a8b863fdb2b21c5c957c012539b3a9e26cd4aff740249c95ea9036fcec26f59021ae5ed2c923d0c8e9c1626dc9ebef6f4ef53dfb6595c53

Download Submit
memory/220-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads