berbew | 58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53

Analysis

max time kernel
102s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe
Size

96KB
MD5

32a2d0dc3535fe75373bac8a3040c247
SHA1

00bbbf5f3527b6b7a9aecdfe0c905d621e70633c
SHA256

58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53
SHA512

fa90d4bea669826a5f310fea5e364f7d82210783190140423ce2943874d3661705e68d6a27e58c60948d01ed648c35f8ccbc1035b9b90f67258d38415d7a06ea
SSDEEP

1536:Tbma9tcd3pJjvEZz7+8+Uta2LZ7RZObZUUWaegPYAW:TV9ad3pJQzQyZClUUWaeF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 57 IoCs

pid	Process
3208	Pgllfp32.exe
4256	Pnfdcjkg.exe
1392	Pcbmka32.exe
4392	Pfaigm32.exe
1452	Qdbiedpa.exe
3624	Qjoankoi.exe
2652	Qqijje32.exe
1396	Qgcbgo32.exe
224	Anmjcieo.exe
1568	Acjclpcf.exe
3892	Ajckij32.exe
1400	Aclpap32.exe
1784	Ajfhnjhq.exe
3576	Aqppkd32.exe
4316	Afmhck32.exe
4332	Ajhddjfn.exe
2348	Acqimo32.exe
1588	Ajkaii32.exe
1084	Aepefb32.exe
4320	Bfabnjjp.exe
3992	Bnhjohkb.exe
832	Bcebhoii.exe
1132	Bnkgeg32.exe
2484	Baicac32.exe
4860	Bjagjhnc.exe
3224	Bcjlcn32.exe
3696	Bfhhoi32.exe
1884	Bclhhnca.exe
1220	Bnbmefbg.exe
2772	Bcoenmao.exe
860	Cndikf32.exe
2868	Cabfga32.exe
60	Cnffqf32.exe
3540	Caebma32.exe
3964	Chokikeb.exe
2432	Cnicfe32.exe
4324	Chagok32.exe
4920	Cnkplejl.exe
1352	Ceehho32.exe
3312	Chcddk32.exe
4520	Cnnlaehj.exe
3252	Djdmffnn.exe
464	Dmcibama.exe
2644	Dejacond.exe
4708	Ddmaok32.exe
4476	Djgjlelk.exe
4080	Daqbip32.exe
2816	Delnin32.exe
212	Dfnjafap.exe
1048	Dkifae32.exe
644	Deokon32.exe
4400	Ddakjkqi.exe
468	Dkkcge32.exe
2896	Daekdooc.exe
4044	Dhocqigp.exe
1416	Dgbdlf32.exe
2684	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2440	2684	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 3208	4172	58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe	85
PID 4172 wrote to memory of 3208	4172	58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe	85
PID 4172 wrote to memory of 3208	4172	58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe	85
PID 3208 wrote to memory of 4256	3208	Pgllfp32.exe	86
PID 3208 wrote to memory of 4256	3208	Pgllfp32.exe	86
PID 3208 wrote to memory of 4256	3208	Pgllfp32.exe	86
PID 4256 wrote to memory of 1392	4256	Pnfdcjkg.exe	87
PID 4256 wrote to memory of 1392	4256	Pnfdcjkg.exe	87
PID 4256 wrote to memory of 1392	4256	Pnfdcjkg.exe	87
PID 1392 wrote to memory of 4392	1392	Pcbmka32.exe	88
PID 1392 wrote to memory of 4392	1392	Pcbmka32.exe	88
PID 1392 wrote to memory of 4392	1392	Pcbmka32.exe	88
PID 4392 wrote to memory of 1452	4392	Pfaigm32.exe	90
PID 4392 wrote to memory of 1452	4392	Pfaigm32.exe	90
PID 4392 wrote to memory of 1452	4392	Pfaigm32.exe	90
PID 1452 wrote to memory of 3624	1452	Qdbiedpa.exe	92
PID 1452 wrote to memory of 3624	1452	Qdbiedpa.exe	92
PID 1452 wrote to memory of 3624	1452	Qdbiedpa.exe	92
PID 3624 wrote to memory of 2652	3624	Qjoankoi.exe	93
PID 3624 wrote to memory of 2652	3624	Qjoankoi.exe	93
PID 3624 wrote to memory of 2652	3624	Qjoankoi.exe	93
PID 2652 wrote to memory of 1396	2652	Qqijje32.exe	94
PID 2652 wrote to memory of 1396	2652	Qqijje32.exe	94
PID 2652 wrote to memory of 1396	2652	Qqijje32.exe	94
PID 1396 wrote to memory of 224	1396	Qgcbgo32.exe	95
PID 1396 wrote to memory of 224	1396	Qgcbgo32.exe	95
PID 1396 wrote to memory of 224	1396	Qgcbgo32.exe	95
PID 224 wrote to memory of 1568	224	Anmjcieo.exe	96
PID 224 wrote to memory of 1568	224	Anmjcieo.exe	96
PID 224 wrote to memory of 1568	224	Anmjcieo.exe	96
PID 1568 wrote to memory of 3892	1568	Acjclpcf.exe	97
PID 1568 wrote to memory of 3892	1568	Acjclpcf.exe	97
PID 1568 wrote to memory of 3892	1568	Acjclpcf.exe	97
PID 3892 wrote to memory of 1400	3892	Ajckij32.exe	99
PID 3892 wrote to memory of 1400	3892	Ajckij32.exe	99
PID 3892 wrote to memory of 1400	3892	Ajckij32.exe	99
PID 1400 wrote to memory of 1784	1400	Aclpap32.exe	100
PID 1400 wrote to memory of 1784	1400	Aclpap32.exe	100
PID 1400 wrote to memory of 1784	1400	Aclpap32.exe	100
PID 1784 wrote to memory of 3576	1784	Ajfhnjhq.exe	101
PID 1784 wrote to memory of 3576	1784	Ajfhnjhq.exe	101
PID 1784 wrote to memory of 3576	1784	Ajfhnjhq.exe	101
PID 3576 wrote to memory of 4316	3576	Aqppkd32.exe	102
PID 3576 wrote to memory of 4316	3576	Aqppkd32.exe	102
PID 3576 wrote to memory of 4316	3576	Aqppkd32.exe	102
PID 4316 wrote to memory of 4332	4316	Afmhck32.exe	103
PID 4316 wrote to memory of 4332	4316	Afmhck32.exe	103
PID 4316 wrote to memory of 4332	4316	Afmhck32.exe	103
PID 4332 wrote to memory of 2348	4332	Ajhddjfn.exe	104
PID 4332 wrote to memory of 2348	4332	Ajhddjfn.exe	104
PID 4332 wrote to memory of 2348	4332	Ajhddjfn.exe	104
PID 2348 wrote to memory of 1588	2348	Acqimo32.exe	105
PID 2348 wrote to memory of 1588	2348	Acqimo32.exe	105
PID 2348 wrote to memory of 1588	2348	Acqimo32.exe	105
PID 1588 wrote to memory of 1084	1588	Ajkaii32.exe	106
PID 1588 wrote to memory of 1084	1588	Ajkaii32.exe	106
PID 1588 wrote to memory of 1084	1588	Ajkaii32.exe	106
PID 1084 wrote to memory of 4320	1084	Aepefb32.exe	107
PID 1084 wrote to memory of 4320	1084	Aepefb32.exe	107
PID 1084 wrote to memory of 4320	1084	Aepefb32.exe	107
PID 4320 wrote to memory of 3992	4320	Bfabnjjp.exe	108
PID 4320 wrote to memory of 3992	4320	Bfabnjjp.exe	108
PID 4320 wrote to memory of 3992	4320	Bfabnjjp.exe	108
PID 3992 wrote to memory of 832	3992	Bnhjohkb.exe	109

C:\Users\Admin\AppData\Local\Temp\58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe
"C:\Users\Admin\AppData\Local\Temp\58a65a9f4735df0e88d7f1e5879c7000f3ebff02dfd8bca84032cb5da4914f53.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SysWOW64\Pgllfp32.exe
  C:\Windows\system32\Pgllfp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\SysWOW64\Pnfdcjkg.exe
    C:\Windows\system32\Pnfdcjkg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\SysWOW64\Pcbmka32.exe
      C:\Windows\system32\Pcbmka32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1392
    - - C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 396
        59⤵
        Program crash
        
        PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2684 -ip 2684
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
96KB

MD5
a8d65eb7d5de12ff72b870d790a8c3fd

SHA1
f340fa096020ec97f8fdd2fd341c1b8060f462c1

SHA256
b22f1bdfa93d3a13292499f2f71a2ba12330c7b71b09a2adb2a82bb3d12aae11

SHA512
47d4de3bf9dc6ddbd86870d64d6d8b2d2690e58a631c98ee253cd8eb807c7d3be14c756328a231c7daa3b58bf34cdc2a4269fe90ae8be52ecbcba4640698566a

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
96KB

MD5
6764e6c15a79215a3d7a4ed7cc70c6f5

SHA1
dc0de9bb59ddeb77faf4dc574e5a572f2284bb79

SHA256
f0013edae8918e6a106d4abac29ea329f1e5532c3d7551f374d1e80e3fab7ffc

SHA512
5516f37af95c48c181f67a73b902521907ea1a029de1c3c3c0bf9381cfd264f6f2a34339ea985a268fc1542cd4b5e5f2e148153e23caf575dd1c8b4cde156835

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
96KB

MD5
84141d7f6bdca57feab86564dd001066

SHA1
219716e39df865c5be19d1bbb528c4254cd318d5

SHA256
5a0fadefa29f901db8b2a679c9c39989ec79b3c7d389bd9c92f306bed3819190

SHA512
cf96ceffcc3f1627373f7d6c533b02dc8c06d6e489264e089d826052777b4ce14d1af4b8a990f7c8ebc1450b512e1d8350e9c31034a7273f96b1c70c358e4624

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
96KB

MD5
64c79ed018b405dc63df7ca74b2e74f0

SHA1
de6fcfd1d6cdaffce944c56a8c2805c1ebfdf2ea

SHA256
7846ed8d3be2701906da30e8173cd118c65eaee62c1ecfdf4fb97adf00bdde2f

SHA512
1c225d79e7d904078cf7eeb433ebcb53339d402a2aad2704b50d473127e899e0880ca05061a85b59935ea26fdafbdd9550184086347364bbd4858f69bc8a7a9b

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
32f9d23e8a81d55793b3d63cc2e4d754

SHA1
eae492100ef8456cfdb85e2fc483b1bf9da40d66

SHA256
af4e50ff776c97bc677fb2a223b6ec4836d60798291a7fced41501e621438d95

SHA512
84029caba50d8d0bb801057a054a41888f01b0ccf8080c24736e8738161ad55455ad9380da83f5ac7849764abeeebebdb739871e690ba307a2a15b46220df446

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
96KB

MD5
e49fa04b9e818952e0cd14307889f4f8

SHA1
1a934548639ce5a16bfa1fe1894085ee9cef71e5

SHA256
75f913e057bc9107d1f95c22182324469843a82242d78a00daccefaf13443d29

SHA512
303721316e4abf1159ae43e1d0728eb04e6ea6e49af8d72dc14e73c7207140003eb42b4bdb3571819cd5cc80c67d61c8f2eedf958e8eeac523657988f8124b2b

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
96KB

MD5
ac174dfde814a67f1d4c8437810603dc

SHA1
721e1fd18dd4ac1afc6d1ec724a173649ab8dae5

SHA256
0f77c3cc025b4e60391afd95b522e4b30bc63ed37e724173e0797a77e9e0dd32

SHA512
b656978490d27d3f358203887a30b142ba93fb010597bc1593a547f730a0ade842abf8d6a6b8d2914296f27da76a0c9f464db3039850dda82e17c3281797bed0

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
96KB

MD5
7ea43eaccc008e7c12cf83617f4e127e

SHA1
8a2f433928fc1165aa5f197492f120851a36eb01

SHA256
d81b673fbba7205d36e32ef65d26844cba0523b23379de6875463d090321fc48

SHA512
01fcf083069943438cca6f3e22477c40a03529a66d49925ce37af06f46fbd47208e7c6e2b42ae9d6dcb8234c88ee54be1503bf4746b72b01ef1b2d1f06948512

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
8e9dbbc116386cec45f755afa910596e

SHA1
199441829ae4a2b62f360bc31312b71457550f65

SHA256
202437d81f8a8cfbefe85bad05507f8660cf208ee8d641303c0982c05c8bf903

SHA512
d582d86018afe279b90279ed3eeaf3f70c56b9e97c457f9c81edc1dcd1df4857b56054fb6fcc10945f18887c5931cde599c4db207ddae232e42e808d826c42af

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
96KB

MD5
bf99cf3b1f325b34bf37ce91bb3f94a8

SHA1
b7825451e7a90e18aa6767ef40ab24cdb0613cc1

SHA256
614a0a1386820f80b1a0ecc3fbd339625240aeb7395a8ca4869cac3d838237e5

SHA512
bb277b52afc52eeb1541c93e19d04f8b1c7d81bbb04ecadee699e8345640951d051148748dd98bac2b57272760061e783d3a0f7f5460a52ccc3fd41f0296f45b

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
96KB

MD5
7258b67164bf2b82f899ebc7a741b950

SHA1
a203b2e524c9d169f185f68e21152cad460be157

SHA256
9a29181b874d895b4fcf25bbb2b43812a58a8f88fe649bc0d32d0dd970be125c

SHA512
63209aa0f8856cd1b395ff7db792bfa5c7cd202096cf4d7467b3473fe33e99d32237845b7a17259f22aede15ea00c86442b0a052ecad8e3b58cfcb8cf0b541bd

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
96KB

MD5
7899a66a2596707a41c031f9b122c95e

SHA1
9e96475e90d7ff1073e317f8f28aaeeb40ce8d24

SHA256
44125b865e4ce0824744c7cdde288d79ba0c8dcee1d88a62560acc06bde2539e

SHA512
509c4a1eedb7a3f26f2cea842bc18c05329a504286d86b88b2a1aed6e442c6543d6946aeb058424bc25adf78e1b9d1ae38666e97a3f00e7bcb143e526e973498

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
7bb25fbd83103a2f88acf29d2f185a7a

SHA1
f04693b682fb1eba814c9aae2d0067117edfc5c8

SHA256
c6130127b6c0630130c3bf99bae4b3d5b59bb9a8cad65db284e05f3fb1b5794d

SHA512
d22b6000b57292b1bbc2892184eae18eb079daf4ed641fa6c92bb6034c03100628a7fb865753ec20c734608c2a66e9365bf5b876776b63e722b036603a7f37d7

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
96KB

MD5
f4c649958fb77309e38b4ddb6a25a226

SHA1
0893f51a61d193cfef7eb8ac19c6cdef1a6dba2c

SHA256
7d38ba09ba6561a8622c74ca4cc3203ad1a7f9237da61213a72c1bfe19d901f6

SHA512
481824c12a754adccac599645705a699366213c9acabbb41111532385369a6da417db48126ba747e296bdc53590982ac0de48d5b9b5d323e7bb9dcddb148e5e0

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
6405b74d780e4f0438e66eca40b8fce8

SHA1
07f83c11a5e0ea1b3f60d6e305521ada4831eb72

SHA256
e3b596ff46036dd8627157e6697ac281431df93fea3080df3dc59df9c207d80b

SHA512
3c903fe8dd7317b078b781424f78ae5dd2382f7a61bdc68a4c4e00ff0b76f388c14de9d8219a190b192ac54e8679bba53a219eddf443aa73a7691951f71a6462

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
96KB

MD5
1ea7e02923342d1fe11d84184ee17d10

SHA1
b720e9f65e6a255593a2cd8f30cf04df9e8177de

SHA256
a4cac5dc63988396893bee8f299a34b2adf9d99f9c93f64003797582fed747fc

SHA512
720fb19a0ca32c680dee942afcd28655a443b96ad1cfe349d5fef31878059615a8a82300c468f34345b6425ec347fee0c562574ed38563144fe6370086a22b47

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
96KB

MD5
b0addcf9c990e39fb335e7041443314e

SHA1
dfcd9ea02d7790432d9758938ab0a15608cb5d11

SHA256
9d127487bdb2f55bb42d83d87ea8137d0c62ef6c9b822782d1c5a91950b73818

SHA512
12835271c6105e4b2edf9fda42d44e7fa69cdb357cf6c9cd6a16a80130326bb77500b13b38cdae241277460a3a1a749760f384d0173823c388acb0bf6f3ecf6d

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
3fcc7681bf585725934aa6877867fa7f

SHA1
c4357b7ee8f29a56fc895c2ec1da81caa71fd9f3

SHA256
9ad7417c5982075978a46642aefa68c249e423e98d2e348a859a2c362fc55bdf

SHA512
bb07a33e6e75f64a3c4114f55ee2af4c2a4d9718786de9c0e6ce7e558ef6bbb45fcd2a35730c7d322819774a9e87ca1164a701c9342b3ef8bea6e11fc06f8d3a

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
aa5b9cf2b44a6abb253ab0b249648873

SHA1
73613a64ee7f433227521414e317b300d320da1c

SHA256
45052e824c3ac3fe80f7a916175faafbb3cdf502f9a662aeb438a4e3b015f915

SHA512
bae1f53bcd2bdd8377034615a8c30e194a4a126fcd1552179dee7f191744e42b79b0ab55a411d34c8a6de77eb4f60d6591d0ecb69f1cf3cf5dbbdfead94a3943

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
96KB

MD5
65eec34eaa15a9b153b36815564e91ac

SHA1
1dace1fb1559680ff7a042c59e7337f068b90dda

SHA256
87f157bf6441614d818574f2b59f5965f0aff13ada97f91152edba61618e98da

SHA512
2510a44aa84400e095a03cc5194c0125944a6c5dc95eb2a082552f1cfdd9ba71efde56f0317f832d6dcc4777ef3e151075ebcfa38e647eecbc73eaeebe7986c3

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
96KB

MD5
5b325f637138f69441fba4ebb18150f8

SHA1
ff7feba2bf6de44fbe6a5f67c7cbd23fe2bb022c

SHA256
b104fc513fa85873146096325a70ba4032c1a35192889aeaf82128c24f5a5c54

SHA512
7ff22db5f0c2ab318c7dd8728e065bd93628c08124a05364c9bee871e093a4c8b868ad1bdebacff808bf4c238e9223a6296570c8d892052b84aab9f57bf5f726

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
96KB

MD5
dad2a31ace135702a9957d1a52357256

SHA1
a67db2e8185d3ae4d69e5cc69c9e99f9a02b6aed

SHA256
abeb497182ac7a1bedf8b38c907e9824f3c55e2b0643f5ba66e54fc1ff22ef7e

SHA512
0649078996ddf47f8cfcbaca5af00bffaca37a7fbfc38676f4f3173a98c9e55e209442e3e8d8a36b2fa1f16435f6d6e707e00765a930f426a982c78cde2500d8

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
96KB

MD5
276f20ae07dfe23bdbcd85aba1ca3782

SHA1
7c4d7f515ca37755ec388066eac34526ba4562cc

SHA256
80c2ef7f6a3a19d42d3d1b46a8405d7cd8adb5b635857c4613524cf06688449b

SHA512
291a05e8dfcb218bb42d8fff46917e24a054483b1e931b533ebf3b1e4831408cf8e941f8fcc920533c72926bbac9377add92a4e25ffcf03391086e4a5f2d205e

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
25421ea1076f7a87c8a4bbace7fd09bb

SHA1
0eb243ae02f0e5cf75aa41eca26864685ed6b000

SHA256
1c41535981b5153cb575e02074f5c97548879690ddccdcfcc40f04e39ca9301b

SHA512
38bb1a32dc4b1c941b53230f7fbe7280318d4d3691209e1c7a937019af6dac43b6a064cf1275e25ccacf2c83ca6fb7f111573f2cdbb351cd9c8d9c2def6f3aa6

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
23d6f1362ff820e77329235ffd997be1

SHA1
f2ac50a4cde3cba1a89e66f1efba5fc767346343

SHA256
cdaf37b74ee2cc47e5640ee833e358ecc35b0081c4d323939f64ebdec8ff8ab1

SHA512
8a562265c70f49f0da174d7562aa2c12d1879e1991a997d99eabb807a83f4c327a5895cd5f943b30306e296a8972a6fa5d99824e4c1653ea28104e3888bb0842

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
96KB

MD5
bfcccb533313a0a6cf3edd891f1c8b10

SHA1
89953e4424a9e242743686079c7d6f9823b40c11

SHA256
c1f452e91aa0ee82532646184f89b2962a5bc6a6487923560c39edbc36ad0241

SHA512
70b34b64738e951e2cb051e3c88cf01913f9fc4e3414c0644551d9b2fae0a2467ad69e8b9915e19f17c0170029c1cff66f1e0fa1b28cefeee8dd3de396963f87

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
96KB

MD5
47733650428fa84b0f72908762d1acb6

SHA1
711397a425c133f55e87789e8995ea888a04a517

SHA256
7fad454aaff66261b952f11831873d8515a47fcfb10e8bdefceb6a8cab2938b8

SHA512
0a7f765b8be2e8877b79810e50ac2275f23158c226aff0f5b9cfc05aedd7cc3cd32415df084f6cb1882cb770d2eee2c3327271a73eb4a0aa8382ae61671966ae

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
96KB

MD5
9289582347b68c9f32160ed7222ffa0b

SHA1
679ad2cf62c204e8b7fa2a6ff5cc3f80730f3b89

SHA256
2e13e5c6c4dc84bd8266e650f1254dfc032654b5613df40c333ece9437de9068

SHA512
68769b3bff5274d40850cb1d0b49d129acb69e93a3c18b23805b64cd3507248335d626a6d935730b46064756e05b04ba839e5cc25e7845e1c4b843b4ebe130bc

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
96KB

MD5
22d0839d6136209698d058efc5666e91

SHA1
7cd3795ea3cb5f2fd9ab800820092f15263bafae

SHA256
19b83c1a1fd7b1a8f49e084a0123075c1898fa74bc67d8b611a30f2eba745e69

SHA512
01f9d945cfc98f074bcc630f01936e8ab032af1d46894f84e8ff2afde5188fb46dd71f54175fa34a15654829173540232019fe0a156a029eb2c7377ecfadecf1

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
96KB

MD5
2d7377828701507f1185911b4c76d72c

SHA1
16fa6ae5ce5c10cef69a32efd636f242794b2e64

SHA256
3cb5bcd4e184e5e3f415f3f2c02dca4560962f4fb33e57932f0a113056f91e20

SHA512
80260227e06d0731176ae2f9cb3ff8aa6104619e3bf10a7e523f101549a0941b2c4bfe902d59dc21b6a328d5e5d5aba9672ea542e3bd25459aebdd384c901d48

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
96KB

MD5
0fba7ef1ce4b1164e598e1fa1ed0433b

SHA1
dce8c782e06c2d67519118d4a3b5e80b88eeb95a

SHA256
ab416b8f8ae990eb9884c7fdd934211e15e014759731d487715d4bb26b894ace

SHA512
9bb341dbc44723b9fa8132370c9d28106934499f80dad7aa13759c5b03141b1dc09442845772c7541ddd6f49bd011d20ad245bcc1f4e85caa7e45f1a8d57a713

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
0ee556420e3fc842506fc16a49895571

SHA1
95824c6419c0c7b46ea85e31dd7200a20a6b6cea

SHA256
89da7d6b835f5185eff92324a5fd6796745def193bcf93fa5bcf8ee8b88deb55

SHA512
5e8ad1d0eba2dc604b1cfe65161b430da4813ab9ead545bdc774277e21a410cf0cc4d1b42b7e7f3f6628b5ab31b740f66b73721f5161dbf397e9a57245f19f36

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
96KB

MD5
189f0de96bf5b0a19b7aeb2f19ec809c

SHA1
256d6cec3323aa0dd56327fe3dee26e5d4608a3f

SHA256
1860533ff6bec90b93b133220a2fbcb83c0c6a5652dead472edeb9eddbef3ef1

SHA512
53f710354ed1fc1a35b4dcceec041687914e4452b018ee892d91d1b81b4954be095981b2d74a04f14b5dd3c2edff82cb68dfab3a46bffdf6768648c09c729860

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
96KB

MD5
b7e7e85d58990305f3d8d5907f80785d

SHA1
f718b992b0177fc99af1617adfd03103587ecb6b

SHA256
8f45db562d64ca3dc0d6ae45d925e37432df8442aae492f12b1f7d7557331e15

SHA512
d6c638a84fb52a21eb7783b496addb676d2ff26d1f7f3d65ee4cbbbb6ebdd09deecdecaa7074e63691b82100b31ece7c69d42667c163220013b85f78d438a322

Download Submit
memory/60-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4256-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads