berbew | dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Size

81KB
MD5

adcad37a9967766cd82498c33d3a0614
SHA1

00075be62d7fc8d253f833e1044420ce0fa289b3
SHA256

dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8
SHA512

e256f189158fa2c383fdefcb3c7c12f3679b277ef2df0b9b820f8069e54c356ea188ce3ac035c24987e1fd8426f12582cf896b065079a5afe290567608aea5af
SSDEEP

1536:BeQ3BLytzMNbeUIl25qEWtN27m4LO++/+1m6KadhYxU33HX0L:hR0MNKUIo5qEWtE/LrCimBaH8UH30L

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 55 IoCs

pid	Process
4608	Qqijje32.exe
3156	Qgcbgo32.exe
2780	Ajanck32.exe
4828	Aqkgpedc.exe
4004	Afhohlbj.exe
4868	Anogiicl.exe
1464	Aeiofcji.exe
4516	Agglboim.exe
2912	Anadoi32.exe
1920	Aeklkchg.exe
2364	Afmhck32.exe
1848	Andqdh32.exe
4560	Acqimo32.exe
4812	Aminee32.exe
432	Bmkjkd32.exe
4984	Bcebhoii.exe
4232	Bjokdipf.exe
2224	Bmngqdpj.exe
4344	Bchomn32.exe
2132	Bjagjhnc.exe
3140	Balpgb32.exe
1316	Bgehcmmm.exe
4000	Bnpppgdj.exe
2168	Banllbdn.exe
2816	Bclhhnca.exe
3108	Bjfaeh32.exe
1568	Bapiabak.exe
3668	Bcoenmao.exe
5040	Cndikf32.exe
4224	Cenahpha.exe
920	Chmndlge.exe
4064	Cjkjpgfi.exe
2592	Ceqnmpfo.exe
2736	Chokikeb.exe
4360	Cfbkeh32.exe
1692	Ceckcp32.exe
3520	Cjpckf32.exe
4624	Cajlhqjp.exe
3548	Cdhhdlid.exe
1800	Cjbpaf32.exe
3208	Calhnpgn.exe
3788	Dhfajjoj.exe
2648	Djdmffnn.exe
4524	Dmcibama.exe
1168	Dhhnpjmh.exe
5016	Djgjlelk.exe
1396	Dmefhako.exe
3296	Ddonekbl.exe
5000	Dfnjafap.exe
4568	Dmgbnq32.exe
4860	Daconoae.exe
400	Dhmgki32.exe
1996	Dogogcpo.exe
3288	Dgbdlf32.exe
4536	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3148	4536	WerFault.exe	136

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 4608	4144	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe	82
PID 4144 wrote to memory of 4608	4144	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe	82
PID 4144 wrote to memory of 4608	4144	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe	82
PID 4608 wrote to memory of 3156	4608	Qqijje32.exe	83
PID 4608 wrote to memory of 3156	4608	Qqijje32.exe	83
PID 4608 wrote to memory of 3156	4608	Qqijje32.exe	83
PID 3156 wrote to memory of 2780	3156	Qgcbgo32.exe	84
PID 3156 wrote to memory of 2780	3156	Qgcbgo32.exe	84
PID 3156 wrote to memory of 2780	3156	Qgcbgo32.exe	84
PID 2780 wrote to memory of 4828	2780	Ajanck32.exe	85
PID 2780 wrote to memory of 4828	2780	Ajanck32.exe	85
PID 2780 wrote to memory of 4828	2780	Ajanck32.exe	85
PID 4828 wrote to memory of 4004	4828	Aqkgpedc.exe	86
PID 4828 wrote to memory of 4004	4828	Aqkgpedc.exe	86
PID 4828 wrote to memory of 4004	4828	Aqkgpedc.exe	86
PID 4004 wrote to memory of 4868	4004	Afhohlbj.exe	87
PID 4004 wrote to memory of 4868	4004	Afhohlbj.exe	87
PID 4004 wrote to memory of 4868	4004	Afhohlbj.exe	87
PID 4868 wrote to memory of 1464	4868	Anogiicl.exe	88
PID 4868 wrote to memory of 1464	4868	Anogiicl.exe	88
PID 4868 wrote to memory of 1464	4868	Anogiicl.exe	88
PID 1464 wrote to memory of 4516	1464	Aeiofcji.exe	89
PID 1464 wrote to memory of 4516	1464	Aeiofcji.exe	89
PID 1464 wrote to memory of 4516	1464	Aeiofcji.exe	89
PID 4516 wrote to memory of 2912	4516	Agglboim.exe	90
PID 4516 wrote to memory of 2912	4516	Agglboim.exe	90
PID 4516 wrote to memory of 2912	4516	Agglboim.exe	90
PID 2912 wrote to memory of 1920	2912	Anadoi32.exe	91
PID 2912 wrote to memory of 1920	2912	Anadoi32.exe	91
PID 2912 wrote to memory of 1920	2912	Anadoi32.exe	91
PID 1920 wrote to memory of 2364	1920	Aeklkchg.exe	92
PID 1920 wrote to memory of 2364	1920	Aeklkchg.exe	92
PID 1920 wrote to memory of 2364	1920	Aeklkchg.exe	92
PID 2364 wrote to memory of 1848	2364	Afmhck32.exe	93
PID 2364 wrote to memory of 1848	2364	Afmhck32.exe	93
PID 2364 wrote to memory of 1848	2364	Afmhck32.exe	93
PID 1848 wrote to memory of 4560	1848	Andqdh32.exe	94
PID 1848 wrote to memory of 4560	1848	Andqdh32.exe	94
PID 1848 wrote to memory of 4560	1848	Andqdh32.exe	94
PID 4560 wrote to memory of 4812	4560	Acqimo32.exe	95
PID 4560 wrote to memory of 4812	4560	Acqimo32.exe	95
PID 4560 wrote to memory of 4812	4560	Acqimo32.exe	95
PID 4812 wrote to memory of 432	4812	Aminee32.exe	96
PID 4812 wrote to memory of 432	4812	Aminee32.exe	96
PID 4812 wrote to memory of 432	4812	Aminee32.exe	96
PID 432 wrote to memory of 4984	432	Bmkjkd32.exe	97
PID 432 wrote to memory of 4984	432	Bmkjkd32.exe	97
PID 432 wrote to memory of 4984	432	Bmkjkd32.exe	97
PID 4984 wrote to memory of 4232	4984	Bcebhoii.exe	98
PID 4984 wrote to memory of 4232	4984	Bcebhoii.exe	98
PID 4984 wrote to memory of 4232	4984	Bcebhoii.exe	98
PID 4232 wrote to memory of 2224	4232	Bjokdipf.exe	99
PID 4232 wrote to memory of 2224	4232	Bjokdipf.exe	99
PID 4232 wrote to memory of 2224	4232	Bjokdipf.exe	99
PID 2224 wrote to memory of 4344	2224	Bmngqdpj.exe	100
PID 2224 wrote to memory of 4344	2224	Bmngqdpj.exe	100
PID 2224 wrote to memory of 4344	2224	Bmngqdpj.exe	100
PID 4344 wrote to memory of 2132	4344	Bchomn32.exe	101
PID 4344 wrote to memory of 2132	4344	Bchomn32.exe	101
PID 4344 wrote to memory of 2132	4344	Bchomn32.exe	101
PID 2132 wrote to memory of 3140	2132	Bjagjhnc.exe	102
PID 2132 wrote to memory of 3140	2132	Bjagjhnc.exe	102
PID 2132 wrote to memory of 3140	2132	Bjagjhnc.exe	102
PID 3140 wrote to memory of 1316	3140	Balpgb32.exe	103

C:\Users\Admin\AppData\Local\Temp\dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
"C:\Users\Admin\AppData\Local\Temp\dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\SysWOW64\Qqijje32.exe
  C:\Windows\system32\Qqijje32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\Qgcbgo32.exe
    C:\Windows\system32\Qgcbgo32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\SysWOW64\Ajanck32.exe
      C:\Windows\system32\Ajanck32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 396
        57⤵
        Program crash
        
        PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4536 -ip 4536
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
81KB

MD5
88706cee95febf71fdeec2072a7aa035

SHA1
bf9b041b4e6931c861b5e03ba8000fb85de82c23

SHA256
40be0b404c0245a1c69c6a7947515b857f2840531ab58c9fa0f4101af0c7864d

SHA512
9c37854270a63723f98a8bcbda881b2a313874a450c16f275745c2f89922003d8c0ecd471f4f600464ddf566191d081babceee8102d0e49f3ca72617e9c95c39

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
81KB

MD5
aabba2289bd2cfaa1b3b8d49d506bd0d

SHA1
0f1d067251865632261fdf31d1855a20146f027f

SHA256
b1305755079e99233df9d603e64e6441484da20560c1f07421bec5a923f0332f

SHA512
f45dbdfe66fe54e9ffbb17c0b6d9cda7495ffa42561899d29e00f014e49c560ac4db1d56a4d93ee264488f5bc535b451d7592f1e407363a53841036a74d4ad43

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
81KB

MD5
651e48125fb39e4cf6588d9d4d4000dd

SHA1
0add8638f6d71ebc9b6768db507209a767007a01

SHA256
b0d87eeb5b12b9c3e676dcecd5d4e61cc0e1f1fa53014b4b0969881c8a38e092

SHA512
56bceddb4dba3f8ed083e354c3cae2e38fe46a2104f494127d57f736638b4952322fae5a496d4133763b0506ef8b6c57ce4e5a363f024c7dfac871366910d57b

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
81KB

MD5
1cf0370899cb48bae5972003f6e1a0f4

SHA1
823367bc22b6eb1f8f6f05bc12637d1a7010a7c1

SHA256
0b56b5a6ac78f90f2b54eab7a33a2c4f1c8542c0650806659d96017b90603563

SHA512
d95aa0f7276064c4aa5ed16d2096dce3e6a6f2c184c1acc9fa211d5c3327c5f2f46ef3c777c80935d097c0c3cb35a99c3c1f2d7acf82ab149ecb7578ad3456d6

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
81KB

MD5
cb41e2bc256a93a39b51758a3dc3cc6c

SHA1
6372e91950d4c95797faf400ab2dae417848a7c7

SHA256
993bdbc6b09eacfee0ad87879296fccb7addb51c8abfb18f76423fbbfc687312

SHA512
0568160938e8f9c5d785eff1dcb6b82155528cd4694ebadb35a9d1f5795be13e4668f59a8fc678873c9bf580eda33471211f8ed704f1e2864de386f245524033

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
81KB

MD5
32e15f9285e1143b48440148b767a137

SHA1
fe96484ca69cd0b457c6bb2c3de83c844b6de590

SHA256
abc2744911908caf4c2ec96e4f799f26a47676d3d71f55d5fdcadf8855ae91bb

SHA512
ef3c6bfd802570584b30a60b97be3d6058982df3b7060a91eeebbd76bee81cd207bb7d730cbb442ebf81d92ffb357fe242345ec6e374b2998b17059758cdcec9

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
81KB

MD5
12f8d667d5431f1093a3062b4b3962bd

SHA1
4e000eb27cc8073d254e7738a6a4dcf07821971d

SHA256
b4ac46afa70bd22f8b6a64f29ee94b0deec1aca1840f305c13d217f36f7d0faa

SHA512
6f5c7d04726483c5d3b7a13f4ac35579f513d2862986239f64621df6bc254b4f9ed08d10ab47abf2265ec5e0c573eb344d3d1132d94aafa402a48cd2e83a47c2

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
81KB

MD5
b610e1686907339a83fc449a011f3421

SHA1
437fb81cee322ffcae8242bde62143fb4d0439e8

SHA256
528594406793c0cab6608903554e08c67f989c12a333fe34e231e659c052da7a

SHA512
ca38437dc55966fe0ec4970145c140311b4b1d5c8a811e37c61c60c7edf71cf1b7a02d6701f684c7a472d68966abc90c8ecd21f08728dd29710f2346781e7089

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
81KB

MD5
5373ce307b2c5a0b3f0a1ee216da1861

SHA1
f813f4812d6b01873a989157faf43b7f2bb8c621

SHA256
207794821a608cd1ca5a07709042d375b9f4c038173b3ed37e509bd574d8513f

SHA512
a566c2ce1cbfa595c239a52a8a5afe831d9bcb9ba88241f2c36661269ae8da19dd61712a585ba06c3a983c5ac364a2c85b97d5eb4d10c0e0e058f7e25d877db5

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
81KB

MD5
b6d450d3a521c20633782ea3f857d19b

SHA1
e231ea117be30c477f4121ea5de683b91f8f2941

SHA256
2680ed650010bfdb0f43c5299dac2c88e190a7f2abdd1f6caaa29da9cafa762b

SHA512
e2ba2c5d027de518059ca1fc388077e42030995a143e829f3f80304bed251d3d36ce0f34080ad23320a25742d0d5956babc1fb931ecbd707590bb0f789c63206

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
81KB

MD5
295aeb776f972f2f00b10adcac088830

SHA1
357d7e55d548bc754f90dadae5064c351e16a436

SHA256
8a3c5792914317f84dd958a153a83e4d99b1754e4e077e8490f4d8272e6d4602

SHA512
00a4ec9931e6de6f6c88822ac8b8300bf8c7c131c22acf247bbe544bd390c4d6eb3494c63fc34b04b25690cd25efc6afc01a0c32684eca267b06035ee29fd427

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
81KB

MD5
5f20a73149de377c2f1b79b4de6e1983

SHA1
0d7aef2f1e48e24b04290af42018acca87fce428

SHA256
f75eb69c5c83947a29706f4b02c9479cb0b5b046a0d64afb925bd1107bc42f50

SHA512
eac8c67740cbc9429f0ecff5ec66e623b706a90106a0228fa7f067b3a19348d282d02b0890169f0dc34e165e4399c25934a763a2847e58fa68952be3ff373bbb

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
81KB

MD5
211cff468ae8b0bb689deb6f1712d7eb

SHA1
b4e24e488bc0f385b86e18e9f764cc80373430c5

SHA256
2e8a8b9f370c51df2483776335e2fd8ee9a6deb2cc5199954c8445a9c09df463

SHA512
3fceb3c188edc9ecff1077967a365b8b0251613ea1a4585682bedd5b21c9f012e82e03885c1b43dd97b6c322388bb673611ebf7c59707b0f8c5bf0267ad91a4f

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
81KB

MD5
50e2cefee75c7bed630945b08c641544

SHA1
732cfc5fd28e8ba14c00a7c5bcb05da2779c769e

SHA256
ea3d7a8f7466e47a25b2a30f2f41866f94477e6edf2e71ac2674e2b839c91895

SHA512
613ae281f60bb1642a948570c143f1796893508554fa804709979052d6a26a1e64170a2d448cc390376182d41207b5bcf282a3ccda52cf6a0b6d5d3d78df4df1

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
81KB

MD5
be01dfaea1eeb01ec41486f1c07238be

SHA1
45caba299048ac400c9905b30b8ffcbd88d2ce2d

SHA256
6461672d2d0ae755061f3f88796c5ef2d1f9624a556a6296ad39d336a4d29346

SHA512
8635812329387035671c2234f5dac5e63d721736681132959515534071b71ac9e8ad576522af856aa3fb183d36fba497554dbcab9fb53e4398af1c5eb7456df8

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
81KB

MD5
83318050e497739aec65311c2e8329a4

SHA1
86e06436b6767cf50a6ca580adb4cc3edf04101b

SHA256
f029071382bf1c9b329e1925087fc2b1673e033eeee2ecb5eacc58a036d85310

SHA512
0b02b395a27eb3d32219a51433f329892e4793d61ec64ad4c1a76b4794062ed2ed98f544505d10eb522f5305b03acc817478b4c8c512b515d74df235f6d1f719

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
81KB

MD5
bb3a89341371f7c937ade80ca5dcc002

SHA1
426e311b6f7d6edb481cdadf113b9fde771da894

SHA256
7426c906ed7797d0edf16b8181ecf7c240a8c5623d32109edc711fbc19416d6f

SHA512
712955885e88d9eaf675a31f1964b2f35ecb2b9e4c7f99008d0c7ef5751725cd2baffd43349e0d0a9109186a56191166916e969a4b102babd16b2c16e0181729

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
81KB

MD5
5a052c546dd72272d09c99999da9d0b0

SHA1
54c46767365634d6ce9b4200a1fb7139b61c19fa

SHA256
9f1a5f4fadb33717eff07debee407e1746e3ed248ad85450d72a7e224651ddc4

SHA512
1873463f094f40151c1dbfa815c08022f3e58adb263fedbafd0cf2f40f66669f543e5c24440680b45410dd1b0a1081fe69430a198fe887121d37d863da469df1

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
81KB

MD5
776ccd58daea528e790a14a7f7ca9458

SHA1
89103c978c2caef73a048e1b311d6100ece11533

SHA256
8ca6bb19f8e3a954830b6e701031b73b683e6b2da643040d0542c60c828e4f3b

SHA512
63ccb2b467029fd7a75e341594abd45d7afa9660a6ecf708607aa4620022361e7eb280b9f29c12a8cf0830655127a0f5a00dfc4d0e5bf40dc865e05303036592

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
81KB

MD5
e1b4cd458714905e7ccd9bbf2a94c676

SHA1
411d6bb557d54c377238015f83547726b25311ea

SHA256
c2a04189987583e187e7fcd13865cf7817ef7f61c8738359cd2bc009822fd82d

SHA512
b5493746ee37ac0c196ad30045526c302d4af93154293ddf9c0be5d4991176375c18b5d4d2bac9cb3fb0e30832072a3aaf0d884dc8ced27377daa1e83e029cf8

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
81KB

MD5
4308b9dc710b4799e2bca9e8e96ff71e

SHA1
230784da860dde409267c4a9f1948f3ab46d3fbd

SHA256
f2d75a4b927f767c01881c8856de4b7fae26b9c70092ecd95d0dacd9de76291e

SHA512
32774124f294589e9cb70ddd006b62ed232e218272881984e193630ca806928c292fddf23c3f6af328b6992a697392d34e8ee9fae21a4495241829c76d8996a4

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
81KB

MD5
9d07bb2ecbbc9ae2a294457ca132ea3b

SHA1
2208bac12fd1dc1332917fc356d2836c050f4cfd

SHA256
562d9ec04bc84b8c99d92bc1b1409438d88bca2b569782795962e171fd746031

SHA512
6609f1598f8f82280d3010f54d3cfd19148295081af8c0079e4783b16ccf28dfdc8b8d5c4b12cb36e2b973966ce69fbba65926bd8389d8c760b9526407c2c3c3

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
81KB

MD5
081515753732384885c587ed9a06b811

SHA1
39cc008d69e322109fb94d13dde1c1189891be43

SHA256
75083e2cbe89630b90f627c837110be7d86e704a09777115ff99308803140a95

SHA512
1b56b3f46e40b631bab93de73dd232df7d546db141f0884495bb14e88fb9001363624ea2d195764810b64f55f2adcab228f477462a8fe1f801e2a0399f414664

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
81KB

MD5
04d32c6588a30d1c0919768577010438

SHA1
ebfd1f5fa21e026dfd279c9bcec6d4e180b60b59

SHA256
e86fc834619e7137c80e2fb586777f3c381d4c0f8242f3c8be861416ba5f7348

SHA512
254c1767da9e1a36e465f2afed151fb31986dacddf9634048c0a185674d95f9dde4b7070dd249d661d7188adf3dffb2904692cfd0d87f64a47c6de5b7c6d8be6

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
81KB

MD5
031360d1dc6131eb353a70a7b3bc9347

SHA1
82dc7288eca9a016a67cf6ce318991659b24e884

SHA256
1fb6d1a4301945afa49c786127848818f36546fe759c8c780e765ed07976662c

SHA512
7532fac7b90ca23e1ca2d51196d6fb1c5fa40fbc0141274babaa24099064e7c3c46b35197d2b3bf02dfb5fd56d69c55deaf6ebb200f14d4c0b10ce59f2692e9d

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
81KB

MD5
cbb2074367cc79bab7c359da9d2a5bf1

SHA1
6c0c4f3f7e2db9ad40b0cd9a82e5362038305bc8

SHA256
b0f24d1e8414c5c6d777dd251f87eb3476e22660f8883e3c0fc1bc6274fd2679

SHA512
371dab1f69d82f0ce0ed30e08173b3e511aab127b66c894b606735bf0aed28c23b8c312d6a72a6f52d713887ce5ed7bfd32c70cee598afc0a89dd46e7813eeee

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
81KB

MD5
e4083f52d81f7101a4cf0fe19e1b790e

SHA1
0ee17771e4f20d58534dd3f2eddfb592ad6eedb9

SHA256
bee225180d25522789769ee12e80633450bf782860be72e60f488581ed941b40

SHA512
a79a6ede2a8306f42a6b68c87399199cf54811a69cdc397cad8a88d497407ea24bed05af406a461f779c184bb12058c3a3c44c50ae2070bce191edac0d92c0a4

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
81KB

MD5
e8e6e26e679400cb5bf9ba41728bb6d7

SHA1
fecc85461a12e517f3dc8bc87ffec7fdabaa8e30

SHA256
bba8d353e4ebc215337245aa9a714f19e54838dcf04476e35f3ef4465085f6c6

SHA512
84f64b8d721bfd5d46dccd9b8fe1e9bf44c60a781c795e1a604cf40da2bac1eac369f48462eb15ac2d1432dba43801c6143e60832146f0366866d83f7495ec06

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
81KB

MD5
a7fd2ba3029318f80d574eaf288aa275

SHA1
93cfea0cf187bcb82f0b106f674860d2ea53d329

SHA256
45c44cab07f337875c535d02a76f0241050e2517a68259c98e4de2c0e466e2dc

SHA512
1d86b3fbd3c99d25ae4389e152f89c2c929bf47fad1304ccb6c03ec566323fae6c36f06cbef5d7da1ba454b8c465af196a2ebc2ec24dda958193cfb5f65838bf

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
81KB

MD5
06c92b2a198d8bcd50d15cb59fc12d59

SHA1
c7a82723a7fa357ce6e52310961c5f7297128b5f

SHA256
e68813ecf1f61474fa0445a2fed2e134fa41b9765664b1fcc6c417497329bcb2

SHA512
51a9377b2029ba5eb5f52d21ff6e97c7dcc31d2645c8fe7738b9dbbb0d76865d0180a97ad61a5b0c8522b3795ce1047c0a1c6b564d6251f4391fc546b920beb7

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
e4d5eb7fbaf058d686e8bee70c61d54d

SHA1
e744dd8fd55874d1320685616c0ed567912d5791

SHA256
028e533378822784cf3022d1a8f88ba1113cc212fcfeb285e0ce4ea4a5e095dc

SHA512
721a2d1f57192732eca06562cb4c5745a30f2f7ac96061c561e2bf00efb65e38784a0f3d3882717e8d7203fa7f6e48d2644eb7026c1ac68edf71a96903b9d51a

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
81KB

MD5
2c3a7b626fcf85646283ad7b2693a123

SHA1
c04f690efd3004bb4828bca04e9d8e95abbd4b07

SHA256
19bb66ae4005de3f4d3b82de6602eae41b547f2ec597c7a3cd447fca8dde0d53

SHA512
97fec74d151d02568f8815c501974aa9da1b1df0cb7a860e216bee6909045e735bd22d72a752898631d974280ebacd4cf3d7263cf9cafa4a685f9b427b55e2c4

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
81KB

MD5
5071564405f354e613b4a009faf6ee60

SHA1
446d775481e0675682f95f09431e89de0aff87c5

SHA256
98f65c43045586e7e264b25dc65f726319a212bbc07a86b9e33f45f0a4de38bb

SHA512
ccca28132d35a076f537f1a67a870ab3c11a62bb3f00ad797a9a8ca7d005fd9e5f262a572931b17b75ac2fd7db065524e9123e6ae017c8cf0ed39a6fc4dd857d

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
81KB

MD5
768178b305730369a477af0fb3de2db2

SHA1
fea08503a5d781c2bf7ce3982df60ac27904177e

SHA256
ffad549fdd5ce4b8ec52db893185596ae4510e4a8d4dcc10bc37addebf587e1c

SHA512
50dee5b1052b84432dfdde1d851015861b90f1efbad7e6ccf60088ef63ee0a42fef248f5ce9f4650044b1a0a488d4ddf8d48c7583bc9b09a332759388ab50f61

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
81KB

MD5
bff8e87f9a7c3d22c2a2564186a57dab

SHA1
dee905c887b71c7e800b894c9b89f8506e891aaf

SHA256
42c9b8b60b46856c238cc257997d7112a19fe2fe005597f5201f1b8f3a88a499

SHA512
c501cfcd9569e0bd203e30f8b3ca4b5364e7885a693c7807d9514d76babbd5048d057e17a40a0586460b3d42ba2a43116506542feace44fe90a85a4785f2ca3b

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
81KB

MD5
2e579f6466c547f23f5fb786f51dca18

SHA1
8d78d008e317fa7e519a40b330c671f6591e99ef

SHA256
df6d2c3448d569a9acdff10cb91607ca3dddd1691b070c53fd2891bd0c8f6ef7

SHA512
11c2ccae2da9ab16f11cecade0612d509a4ea44f09095bce2cf015d4c8992a71dc903fe859d95a2be4fd593b97d87c311c9dfa0f935b3a5817db28c205098adc

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
81KB

MD5
9dc5503b6e86d0dc06b70c6d4ca20523

SHA1
510bb71048ca9eab8f01195bb398159b31598029

SHA256
7e84790ff422014552b277004b549f8bcd7ecc9dcac915ea9007bfef5120a4fe

SHA512
6cad4a9ea1914ef498588da318bcb47a9bda58a3373ed31158d47c8aba034b33c1064a99419cbfc256dcf2f1c034cb6cfa393e9493b96adb938db588f524ca53

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
81KB

MD5
5def7c5f6c3793fbf36107740b893e40

SHA1
ac71b6fdf0b6c468a806022f697621a7b2f55f01

SHA256
22aabd17ade2bf447b125d6c2f0b7bbe9c39181adb52858b791ce27c4fa3b338

SHA512
f89f1da108cf0a46cde83ab39949990fb952e7db586e1934ffcc6094c177006bb3ae9a25fb3f4e218d2a4cd9bc9e0980f27b5986fe97c711d2401eb770bd77c1

Download Submit
memory/400-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3156-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4144-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads