berbew | 97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c

Analysis

max time kernel
127s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c.exe
Size

207KB
MD5

99aa626d18c2a4e72891d8af113a9b4f
SHA1

1644a83210c7ec631f420f3b0863b253b357628c
SHA256

97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c
SHA512

19164dc76a62ff893fbb57e758ff3c4046d083d0d75f27ea9bdc5fc76c1274d965bbca293aa0f5fbffc374574aac33ca67a68d1b63315cdb1ef8a4663fa8c59c
SSDEEP

3072:dXdyjBPinPszm0VjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo2ASOvojoSb:dXdy9PiPim0Vjj+VPj92d62ASOwjx

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 59 IoCs

pid	Process
2108	Oqfdnhfk.exe
1284	Onjegled.exe
392	Ocgmpccl.exe
1364	Pmoahijl.exe
1872	Pgefeajb.exe
1512	Pmannhhj.exe
4736	Pggbkagp.exe
116	Pmdkch32.exe
5092	Pcncpbmd.exe
3484	Pflplnlg.exe
4556	Pmfhig32.exe
3300	Pgllfp32.exe
4028	Pmidog32.exe
5072	Pfaigm32.exe
448	Qnhahj32.exe
4256	Qdbiedpa.exe
468	Qfcfml32.exe
1644	Qmmnjfnl.exe
2776	Qffbbldm.exe
2736	Anmjcieo.exe
216	Ajckij32.exe
4812	Aqncedbp.exe
3104	Afjlnk32.exe
3912	Amddjegd.exe
952	Aeklkchg.exe
540	Agjhgngj.exe
3500	Ajhddjfn.exe
2368	Acqimo32.exe
4884	Aadifclh.exe
1556	Agoabn32.exe
4100	Bagflcje.exe
4324	Bjokdipf.exe
1784	Bffkij32.exe
2804	Balpgb32.exe
4092	Bcjlcn32.exe
4156	Bfhhoi32.exe
2244	Bnpppgdj.exe
5032	Cnicfe32.exe
4592	Cagobalc.exe
3728	Cjpckf32.exe
1972	Cajlhqjp.exe
2760	Cdhhdlid.exe
1036	Cffdpghg.exe
1464	Cmqmma32.exe
556	Cegdnopg.exe
1760	Ddjejl32.exe
3020	Dopigd32.exe
4264	Dejacond.exe
1944	Ddmaok32.exe
3724	Dfknkg32.exe
844	Daqbip32.exe
4016	Ddonekbl.exe
2432	Dkifae32.exe
1080	Dodbbdbb.exe
2200	Deokon32.exe
4704	Dmjocp32.exe
2768	Deagdn32.exe
3632	Dgbdlf32.exe
1540	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
812	1540	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnpppgdj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2108	2592	97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c.exe	89
PID 2592 wrote to memory of 2108	2592	97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c.exe	89
PID 2592 wrote to memory of 2108	2592	97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c.exe	89
PID 2108 wrote to memory of 1284	2108	Oqfdnhfk.exe	90
PID 2108 wrote to memory of 1284	2108	Oqfdnhfk.exe	90
PID 2108 wrote to memory of 1284	2108	Oqfdnhfk.exe	90
PID 1284 wrote to memory of 392	1284	Onjegled.exe	91
PID 1284 wrote to memory of 392	1284	Onjegled.exe	91
PID 1284 wrote to memory of 392	1284	Onjegled.exe	91
PID 392 wrote to memory of 1364	392	Ocgmpccl.exe	92
PID 392 wrote to memory of 1364	392	Ocgmpccl.exe	92
PID 392 wrote to memory of 1364	392	Ocgmpccl.exe	92
PID 1364 wrote to memory of 1872	1364	Pmoahijl.exe	93
PID 1364 wrote to memory of 1872	1364	Pmoahijl.exe	93
PID 1364 wrote to memory of 1872	1364	Pmoahijl.exe	93
PID 1872 wrote to memory of 1512	1872	Pgefeajb.exe	94
PID 1872 wrote to memory of 1512	1872	Pgefeajb.exe	94
PID 1872 wrote to memory of 1512	1872	Pgefeajb.exe	94
PID 1512 wrote to memory of 4736	1512	Pmannhhj.exe	95
PID 1512 wrote to memory of 4736	1512	Pmannhhj.exe	95
PID 1512 wrote to memory of 4736	1512	Pmannhhj.exe	95
PID 4736 wrote to memory of 116	4736	Pggbkagp.exe	96
PID 4736 wrote to memory of 116	4736	Pggbkagp.exe	96
PID 4736 wrote to memory of 116	4736	Pggbkagp.exe	96
PID 116 wrote to memory of 5092	116	Pmdkch32.exe	97
PID 116 wrote to memory of 5092	116	Pmdkch32.exe	97
PID 116 wrote to memory of 5092	116	Pmdkch32.exe	97
PID 5092 wrote to memory of 3484	5092	Pcncpbmd.exe	98
PID 5092 wrote to memory of 3484	5092	Pcncpbmd.exe	98
PID 5092 wrote to memory of 3484	5092	Pcncpbmd.exe	98
PID 3484 wrote to memory of 4556	3484	Pflplnlg.exe	99
PID 3484 wrote to memory of 4556	3484	Pflplnlg.exe	99
PID 3484 wrote to memory of 4556	3484	Pflplnlg.exe	99
PID 4556 wrote to memory of 3300	4556	Pmfhig32.exe	100
PID 4556 wrote to memory of 3300	4556	Pmfhig32.exe	100
PID 4556 wrote to memory of 3300	4556	Pmfhig32.exe	100
PID 3300 wrote to memory of 4028	3300	Pgllfp32.exe	101
PID 3300 wrote to memory of 4028	3300	Pgllfp32.exe	101
PID 3300 wrote to memory of 4028	3300	Pgllfp32.exe	101
PID 4028 wrote to memory of 5072	4028	Pmidog32.exe	102
PID 4028 wrote to memory of 5072	4028	Pmidog32.exe	102
PID 4028 wrote to memory of 5072	4028	Pmidog32.exe	102
PID 5072 wrote to memory of 448	5072	Pfaigm32.exe	103
PID 5072 wrote to memory of 448	5072	Pfaigm32.exe	103
PID 5072 wrote to memory of 448	5072	Pfaigm32.exe	103
PID 448 wrote to memory of 4256	448	Qnhahj32.exe	104
PID 448 wrote to memory of 4256	448	Qnhahj32.exe	104
PID 448 wrote to memory of 4256	448	Qnhahj32.exe	104
PID 4256 wrote to memory of 468	4256	Qdbiedpa.exe	105
PID 4256 wrote to memory of 468	4256	Qdbiedpa.exe	105
PID 4256 wrote to memory of 468	4256	Qdbiedpa.exe	105
PID 468 wrote to memory of 1644	468	Qfcfml32.exe	106
PID 468 wrote to memory of 1644	468	Qfcfml32.exe	106
PID 468 wrote to memory of 1644	468	Qfcfml32.exe	106
PID 1644 wrote to memory of 2776	1644	Qmmnjfnl.exe	107
PID 1644 wrote to memory of 2776	1644	Qmmnjfnl.exe	107
PID 1644 wrote to memory of 2776	1644	Qmmnjfnl.exe	107
PID 2776 wrote to memory of 2736	2776	Qffbbldm.exe	108
PID 2776 wrote to memory of 2736	2776	Qffbbldm.exe	108
PID 2776 wrote to memory of 2736	2776	Qffbbldm.exe	108
PID 2736 wrote to memory of 216	2736	Anmjcieo.exe	109
PID 2736 wrote to memory of 216	2736	Anmjcieo.exe	109
PID 2736 wrote to memory of 216	2736	Anmjcieo.exe	109
PID 216 wrote to memory of 4812	216	Ajckij32.exe	110

C:\Users\Admin\AppData\Local\Temp\97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c.exe
"C:\Users\Admin\AppData\Local\Temp\97b364c5f0566106447f99beb33f231f8df2eb367044ffe9aa49f4a587be6d2c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\Oqfdnhfk.exe
  C:\Windows\system32\Oqfdnhfk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\Onjegled.exe
    C:\Windows\system32\Onjegled.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\Ocgmpccl.exe
      C:\Windows\system32\Ocgmpccl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 220
        62⤵
        Program crash
        
        PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1540 -ip 1540
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
207KB

MD5
610680f8196bb160c9b7dfb13237d3bb

SHA1
058f410ccd3b6e0cc5f2900fe5ddf317c9c90aad

SHA256
951e3f8c329bd0f7ce1f4634a67620d3cfa3a5114963cf1f0cd57b570aea74d7

SHA512
4f7cc6d206815a9187a67559319b87d2f79d09066ed31f8b4d02d144ff225089d11bf8d2e131c3b32fc879df3aa1a16181f2a31194fb7bc81de79fb953ea34a3

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
207KB

MD5
65031c536c16b0d741610402cd0235db

SHA1
3a16e68087537f18596efe5ed8ed807a5508fe73

SHA256
2d072a2bf67c4e14d698c757e45ac26a6a7c0e9a6fc2aaa6166dcd0af362ebd1

SHA512
e7c6a41a13638bd9c67f88c79e96c4b7bd9800d5ab76d7acfd024970cf4252b6e73bd97e484809788c1ab918e538ccac136b2a9f374f46ea94f1d08f594a54f3

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
207KB

MD5
9c79849699aa558819f03c8d0ab427f4

SHA1
8d7c3567451f7b6c192b818f24acd21ea377239a

SHA256
4cfaf4432125f86bfefed0054adafbb525d7f84f513a71e3ff6118151ce51f60

SHA512
a14ac51700daffb7561878944af79f3985b39b0720c0c744e9a963dee1926a1a6d5fd5d116102a0df25923ad939452bc04f075e5e93478cb3fc760ca4792a3eb

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
207KB

MD5
b493495584e0ffa2d81624d021eb6310

SHA1
7384aebb93d4177f450b24cb216ace9d52c1324a

SHA256
ec5f470fc5dc3a6b7b513fa7562b6b2e76c188401e83110273b98186dfb20853

SHA512
73140c69b4644a05aa2ea5a31f11827474b4fa6562c72b3822b4260b90bb6d720427548e92b9808c62799f6371840a2e6c81113a2d3d4f11ea962d8b4896015d

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
207KB

MD5
03a45cd93531c78b4fb97ff768deab1a

SHA1
483ceb23f867e86493cdfcd632e48c8e0b5a42fb

SHA256
48ae50687569a14ce8e54d2796165774d15184f6ecb3e34ce76bac4e84c43e45

SHA512
a57d302a3906647dbdc89d0234a4a672aa27a76d45d0926dcf22f6985b0ee7cdfc5d0dbea3fedd7cf2bf6c1f0f007c97ff79d9dbf4f6d63bee1d2f232b71dc6f

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
207KB

MD5
976d80c92d01791f74790bced9c2b45c

SHA1
4f5853298cfd163bbac8c46f2bd6e430f1ee91d7

SHA256
5767d0f15ee4331c87f8ec2a76d574861b953ebd7d459f6f340b1bb57f0fb70d

SHA512
8cd6848a50ad60803e8789014f1c1df62ccee446129e08c2edfe675a394125f5729959327a76e1a9f35db3bc1ead76e557b64b7da6d1eeac077043c0af97af37

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
207KB

MD5
5c6cf4459b312315233d41f45c70394b

SHA1
34bf363cecb89d83b712e9b27a0af678c57cec66

SHA256
191fb2df0eeba017c253142e805afd1fbf7295197553d8e7eb2a7442c9a4b432

SHA512
1767c1a7f17def635f10df8c20c9e12226a14106d7af8c234f5017eabbd768809e3f6176fc6be41cf5fa78899b960dee2be9708adc641a169c201815a19e3b88

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
207KB

MD5
348300bd3386d769ab853b449fa5bc07

SHA1
1bafac044c235ab4b3b5ea54cf41163c25469ad4

SHA256
0b1c5fea0ecdbe994c8c886e07b4e3806e0a4c1124896639cc46e890e54c7ca2

SHA512
92e3e2f33da96dc81dd815f63ffd7e23167d2ac0b702edcd072458932352c8ac16a344fd5c5bc76c169ce5fb662b878ea0062672cb3f447958b423b7929f411f

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
207KB

MD5
0b4de73d4ff6a6c317135248e5a5b4a7

SHA1
0432a4ca39a8191dcaefd7aa364902aa1c36c3b5

SHA256
6fe0d63eeab29f47d90f02a7f093f407115987882a8441a7451545df267e55ee

SHA512
203afdbc8e40b8030ce248a9c8b9e3b5f2362e579397852b03e874a3f5a9718032ea0587d6804aab1806f412826955b0d84f7e55b37ae5d5fdaffde3cae04805

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
207KB

MD5
51a06622333629f49f1ddb2841dda52c

SHA1
ac44f5508fbc1fd9a62156ef364c28619ae008fe

SHA256
4985a44ab5580603f2b9d248a573075ff5245a3013203275e726e59a575fb253

SHA512
c62a24a519eb760a96e2a7faa720340a8642c38a1a6219c81d3752c892fa1a267221437774523a30bda64c1adea83a2e9bc8092f9784d8178db8b4ce9fd4a69b

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
207KB

MD5
71851dbf9532ac7810269f8d4047cf20

SHA1
4a6e2ff367d81b14289ca5dc993cf55028e463fa

SHA256
38f1513507d7cf9b81325f486f2f6df8569679172b98c3237c0b0083410aa64a

SHA512
4e0081ae69af0f30eb046ae19e3f80930a56db42dc720c3b217961d332cd64e1b62593d9ed90f12122d726b2b69198e79b1f33407f8e17cec5876684011d8340

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
207KB

MD5
f6b9e0bdbbbe46d6ebaf7f078d53a262

SHA1
9db4b1a473b8a2c52d3d946b7c5fc33131555bb7

SHA256
d7fd1c25a9da8184dfc66303e3ba7095400363d729fd665c8c53b8cd37857319

SHA512
6837c4aa1e1e7169aaff92a721ce923b1c6c0099f10ec1bd86226dff74b83ff0c4e58136bf95d13e2975c3bb304f46441cd3a18b87fa354b4bd5792699a05a3c

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
207KB

MD5
d4512d722c8cb0fab329cf143953e94d

SHA1
f5a2232e8e75b723fd7462d85eeb4daa756c35e7

SHA256
96064d40f2203caed8b8d71cd62fad4f399869625179c7723e8a949362d29444

SHA512
4e4aa5670efd8b4a0cd910d1bf928b717018c711b8450db7c04e6327ed9a17b5cb509673df7b9d14eaef61263043690b9de5edc4eae11ff5be8ffad878831e0e

Download Submit
C:\Windows\SysWOW64\Ejfenk32.dll

Filesize
7KB

MD5
b2cb8bf56d9d08404cf43ff27a568704

SHA1
4532fb6a419b57645c78f83e5eb92767aab75ac7

SHA256
1a6dc33c55e266dee1f31518b84744a7185e39ac6338f4cd49435c82d6b34632

SHA512
3024d95a893b50df4270c550c16083c88240476ab2c54e3e61dc5856cd0c4a7c63be29a13fd6104d6c76c0b326de26e0f5465210c46761e72d7e4156ed6eeddb

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
207KB

MD5
e82803afaa4246b826261b0a260ca37d

SHA1
5d22251611ff4f9e07f8b726b88f8881df0c637e

SHA256
70f5bd502b469f434c5de8a9c2771eabe70bb5b279f6eccf80816b7eed5cecf2

SHA512
a6af02282521cb424c039f16f8b5a4261b8a62deae2f513be6c3dce91bea2852a03181e35bfcb43141b3118ec49f0b6ce3544bbce5e430ee1c397e48db6362f8

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
207KB

MD5
3e730eec657d68f938f9b8485430e63a

SHA1
b615e6d59c410880840e1d981708275f8dc81de5

SHA256
d9cd08d298cdbc3b3a733aa49890a1c50a55a309b59eefc74b065785f20e655b

SHA512
3aa8dc97e0cacd44d2d6cdbe14558f2e6613b70b76212ac37b7bb2ca7bf7c2392f8a6305fa88fa6940c98b85409a0a3512b7a2a82476ccec54e212cdeaaf34b2

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
207KB

MD5
fd248e538564b48f257a02ac690dd6c0

SHA1
add9207e502e8dc8a4500c1cc6d1f88c6c3e9e0b

SHA256
9189527e891e2df8061375185a27f7f1efa81529251c3176ca1fbb3cec4514a5

SHA512
8fe5a198f527a7e535d5a6a571c07a2d4686348f47d6d9a0056a74b3f38856eb00185e2799c15389bf5b1e74bbb8bf9dab574b86f3512627de06279cad203122

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
207KB

MD5
8b2bab041e1cc28a0538600cfb4374a3

SHA1
37208afeeb7035ba9127acacfeff6757bd5b1738

SHA256
20100e1a3c7ccef21db8daec3f90ce7ae2b40ba13a31c4a65448024d61fc6811

SHA512
008c55d36a297c6615e0bc963a2b51e38d1d50d768ed310953c5bdbf2253117a261338ca09a171ab35ff5aa3e2e795653881403038a32c3c371a067956b96f09

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
207KB

MD5
c3e329f4374c4b8321e793df0e608f9c

SHA1
ffdd8e768b8d43edc4cc0ae506a1566f731cf7cf

SHA256
33764a3b64787b6fb6c0656b2f016240407c5496fe7a3a89018c3e66328e650d

SHA512
556e6660a63ee989e2242df328782adeb3be37d7108cc7702559832b8b8519df9501b5b42188b04b14caff7b570e1492991165a957be0d135a01730338daef43

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
207KB

MD5
43252effc505cd1fd1ad046107960438

SHA1
5442230a8ea312e25389274fa3d2a9b166f14749

SHA256
e7ce8553a45627382d041a9304ff6854fa105f522f82b2662e9a1ec4019362b1

SHA512
9ce871d4e0ebaee163494b5dcd745004c743fb7541a6ac96b11cb41d1dde4930251aec6619b5cf6ec795a58dbedb150e5268f380daedd20f787d5d1e38fd1f74

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
207KB

MD5
84feb2e8759f8b5e9421ac0fd4a98998

SHA1
f02f436a6286cddb59f22a3f5fe0a06b14f00c6a

SHA256
3b135cc0219c3765863a25bf4420a5a6180cd950a3eb04a71c4254f243c13938

SHA512
b0e27bfdd58728d9edfbc46fbacdbccb54346f282bbf085a315c0f821ff27d3c5842ce47ca0565c7f311cb1e517dae36deb8d75e103b67f6b5465d7869f09044

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
207KB

MD5
6846163b6c31c4d8519d7e17f8f302bc

SHA1
b66ae1e558944184570ee49f3f0285e5c8c3e384

SHA256
efa8df36b371df3b63d7a953e61acf85067cbe7c453f459b6edb5c5a31e70f56

SHA512
eafd6322a3e19f3469d89429499c9b3cf2a8bf7c2074996bda89fe89bfc5404d27d5be357b3b8bc304505d20af45f9fc2fec694e6d5a55522cd9eee72c738bbf

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
207KB

MD5
a16247c8afe27fd5a01c05d8f140e5f5

SHA1
766995e0171ba9ae6eabaf1fc1c820c67d7e144d

SHA256
50c91a684bcd19b2a42aa21fe0974eecab726844b051ca022a5d6e4ba9370bce

SHA512
8f4e4a5c54369759a3d094b200873523efa38e3ca565564bf3182138c9d5f9149837ee7c3506db5d011b6e523a15a4ade02dd91a923ce98c1230cba60fef4bce

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
207KB

MD5
f0ff27006b0f97849488e78c12ecb4c8

SHA1
583add4050b5356d01419e453ea76a285cff35ce

SHA256
881dfdeb367ea980cb91fe97faad8ce02e3d38589eeb102fc07407555a4c13b5

SHA512
d17c8856305928c7c79ec2a9a5dcf244193f8ebf304f1df325f2c5adef13806f9f8233ab00adb2c1507e284b5e21379a79f52d968a3ce691890c9c97af4e2e33

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
207KB

MD5
d0940f480d2713333436001f2f616bd0

SHA1
b9629fb1d02c728649b104011557e2dd281bea19

SHA256
e5d01bd69ca5b164e960105eebb385ffd87dd80560ec5d17e022b4b57c1683b5

SHA512
4e84082e9fb6a750161b5771cd1ef636f63dc6f7b180da962989f5cb7fb5e09a18fb6c1029a6bb44749befbb960ca6f52ca986c1aa130652868ac3a670107fc9

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
207KB

MD5
a0dc5abf972048a4fffe3bd49df2900a

SHA1
cf2c7595e698364d35064092859f1afabea35aa5

SHA256
91b0351fba49efe9d71b9885743c28fbd280a251423aea0560b953d66c9211bb

SHA512
3cdc7215ae411ddb2b158c915076b97b5359f609a0f8db340735e6939459a059f0e59afc8bd72dac9b3389f055522acf30081dd0f019aace4fd012f3a4717e03

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
207KB

MD5
1216fa0643cd172d896351e80c1e487c

SHA1
3cf72f450f40cfed31ffda8dc79c21e9d863f589

SHA256
1014a45ab0d46a132b61123c32f1f3389bba03357f19354d1c4cbb85aae63d62

SHA512
28d011ce3f063b522529378cbd55909f6bfa2d0660da01f90be8c4d67143da22225d7149056a40edf6c80ac23b0e897435d1a60e311beb68ab03b4572e71a5b1

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
207KB

MD5
771f750eac7d9d5220f04fbb5d4d3e22

SHA1
8b6a8f92517be5b540d77799f7c2321487b538b4

SHA256
070396f3fb5fdb7654387294647bbf180e0843bd84dca3bda991718dadd940eb

SHA512
8bab778f60afbd454cc4f14c1ce267be3ae59e7e140fb331163fd61104f26c3416b060bdf61491480579dee88b155abce08f70d2a13b2336271de2fd5ea67a9b

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
207KB

MD5
412e4399f8b50f76ddfe63dc0ad904a1

SHA1
5482b105a95d514c040032c9a51154a4cceee7f1

SHA256
38448ca27c6346f7b793bad8145dffc50549047e2a854955e50a90f1cb3ac09e

SHA512
4b392ada4a200fdcd955c39267aac591c53940a82c8606bd7631969388156888d7d7967e8e8c09c0534edaeb82b47ce5286dbc207ab0b6ce7e8e69db00e4e3a1

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
207KB

MD5
30919937d98173b1228c0d94ccbb981b

SHA1
58cfddc7ffe7c564b98e4b2446d850be38ee724f

SHA256
dae2bda955cb98ec615f8e7ef3e2c5e7766ffbdc150846e34de7b367afc358b1

SHA512
fc0bcae45e56bad22c0dcd7dc83c0ff92d88dac278cc0878a6ee4e2c3ed5f520a077c6c1af61e23dc099e1efa4f7c7e379aa21d7a73bee626c8564fb90e0458b

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
207KB

MD5
fcb06d1a301c574b32004889974211a1

SHA1
3b5ab95e2dce4b94ff4552c3ca982fd8b11e1040

SHA256
257d384fdf58bdbe33b8f46bd6f82e542ec2a4d7bedc64539c9534a0f3f4be05

SHA512
6124edbd0003ce24aeb904f37a667b92062654c94a8f413a5ded179f486d44f45b9b9b47aba1fb594f8d2d6023b8be5d79566ae1d712a2ebca2cb2b2d3568cd2

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
207KB

MD5
6e08ef49500b620600eb55d0479acff9

SHA1
aa8ca0012a915d98425534ea0c58b5f3fafbd71f

SHA256
a5c5a8e6b9b01f3a92b1654cbacbe6e9c2ee7de80b2c997ac1518a6025480d6e

SHA512
a265901d7e8044c22b474af2d0715c157e360839b6dadfcde45c77fb2b7269e026fb5b90a5c0120236e8acc245556de00b80f5e17cc849984dd09f318b439714

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
207KB

MD5
dbf68f64144a8e2879b73132e1c5e552

SHA1
dbec260f87878aab2ff28c57ae5449f502a7c672

SHA256
6ba60514f5281982a29cc8d48d8659a7a80ecceb5799777857d8fa62e69e3aee

SHA512
79dc082619d1b84444c676e4cdfe76a9d6814bf7feb62a393d87ea5cf70f620541bd44be64f27c8baab4be2b44f26b645e7850f30e8397af04100803dab03c45

Download Submit
memory/116-68-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/216-166-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/392-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/448-124-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/468-141-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/540-487-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/540-208-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/556-333-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/556-447-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/844-435-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/844-369-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/952-489-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/952-203-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1036-451-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1036-321-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1080-387-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1080-429-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1284-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1364-32-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1464-327-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1464-449-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1512-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1540-417-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1540-420-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1556-479-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1556-238-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1644-143-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1760-445-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1760-339-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1784-260-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1784-473-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1872-39-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1944-439-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1944-361-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1972-309-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1972-455-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2108-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2200-427-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2200-393-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2244-465-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2244-284-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2368-223-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2368-483-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2432-381-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2432-431-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2592-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2736-158-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2760-315-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2760-453-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2768-422-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2768-405-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2768-424-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2804-266-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2804-471-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3020-443-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3020-345-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3104-182-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3300-96-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3484-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3500-215-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3500-485-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3632-411-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3632-421-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3724-363-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3724-437-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3728-457-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3728-303-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3912-491-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3912-190-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4016-433-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4016-375-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4028-104-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4092-469-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4092-272-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4100-245-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4100-477-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4156-467-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4156-278-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4256-128-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4264-355-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4264-441-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4324-253-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4324-475-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4396-297-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4396-459-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4556-92-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4592-296-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4592-461-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4704-423-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4704-425-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4704-399-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4736-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4812-174-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4884-481-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5032-290-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5032-463-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5072-116-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5092-76-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads