berbew | c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe
Size

63KB
MD5

8c22e38fddaf968e622662db0f35df67
SHA1

25a4c433dfa779de51ecca613380dccfd324c140
SHA256

c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf
SHA512

6a26541f9050bf0e79a8209ed369c57d5f4b8127139db0bafe0bfcde1b968e73105e08676d83c97e8a1e283430a28446c76ccb590f50f5ed5399881a095f4b85
SSDEEP

768:FGWBtYPMc2bVpL1OQTgaFyquJvzZnHI9dq+spMBwVvv//1H5gXdnhg20a0kXdnhl:MWBXrwVq4noPqeBwVHFYH1juIZok

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 54 IoCs

pid	Process
64	Pqdqof32.exe
3852	Pfaigm32.exe
396	Qmkadgpo.exe
3896	Qceiaa32.exe
3424	Qnjnnj32.exe
5068	Qddfkd32.exe
1724	Qffbbldm.exe
2024	Anmjcieo.exe
4112	Aqkgpedc.exe
1400	Acjclpcf.exe
2000	Ajckij32.exe
2380	Ambgef32.exe
1380	Aclpap32.exe
4456	Ajfhnjhq.exe
4420	Aqppkd32.exe
2128	Agjhgngj.exe
3240	Andqdh32.exe
3100	Aabmqd32.exe
1076	Afoeiklb.exe
4488	Aepefb32.exe
4612	Bfabnjjp.exe
624	Bebblb32.exe
4592	Bjokdipf.exe
3296	Bnkgeg32.exe
2500	Baicac32.exe
3644	Bgcknmop.exe
4160	Bnmcjg32.exe
2968	Beglgani.exe
4932	Bfhhoi32.exe
5100	Bmbplc32.exe
2228	Cdcoim32.exe
508	Cjmgfgdf.exe
464	Cagobalc.exe
1876	Ceckcp32.exe
4104	Cfdhkhjj.exe
1636	Cmnpgb32.exe
5028	Ceehho32.exe
4108	Chcddk32.exe
3468	Cnnlaehj.exe
4524	Cegdnopg.exe
4888	Dfiafg32.exe
1532	Dopigd32.exe
3592	Dejacond.exe
232	Dhhnpjmh.exe
2888	Dobfld32.exe
1904	Daqbip32.exe
4756	Dhkjej32.exe
628	Dkifae32.exe
2116	Daconoae.exe
1880	Dhmgki32.exe
3664	Dkkcge32.exe
4060	Deagdn32.exe
1920	Dhocqigp.exe
1888	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4136	1888	WerFault.exe	139

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 64	1664	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe	83
PID 1664 wrote to memory of 64	1664	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe	83
PID 1664 wrote to memory of 64	1664	c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe	83
PID 64 wrote to memory of 3852	64	Pqdqof32.exe	84
PID 64 wrote to memory of 3852	64	Pqdqof32.exe	84
PID 64 wrote to memory of 3852	64	Pqdqof32.exe	84
PID 3852 wrote to memory of 396	3852	Pfaigm32.exe	85
PID 3852 wrote to memory of 396	3852	Pfaigm32.exe	85
PID 3852 wrote to memory of 396	3852	Pfaigm32.exe	85
PID 396 wrote to memory of 3896	396	Qmkadgpo.exe	86
PID 396 wrote to memory of 3896	396	Qmkadgpo.exe	86
PID 396 wrote to memory of 3896	396	Qmkadgpo.exe	86
PID 3896 wrote to memory of 3424	3896	Qceiaa32.exe	87
PID 3896 wrote to memory of 3424	3896	Qceiaa32.exe	87
PID 3896 wrote to memory of 3424	3896	Qceiaa32.exe	87
PID 3424 wrote to memory of 5068	3424	Qnjnnj32.exe	88
PID 3424 wrote to memory of 5068	3424	Qnjnnj32.exe	88
PID 3424 wrote to memory of 5068	3424	Qnjnnj32.exe	88
PID 5068 wrote to memory of 1724	5068	Qddfkd32.exe	89
PID 5068 wrote to memory of 1724	5068	Qddfkd32.exe	89
PID 5068 wrote to memory of 1724	5068	Qddfkd32.exe	89
PID 1724 wrote to memory of 2024	1724	Qffbbldm.exe	90
PID 1724 wrote to memory of 2024	1724	Qffbbldm.exe	90
PID 1724 wrote to memory of 2024	1724	Qffbbldm.exe	90
PID 2024 wrote to memory of 4112	2024	Anmjcieo.exe	91
PID 2024 wrote to memory of 4112	2024	Anmjcieo.exe	91
PID 2024 wrote to memory of 4112	2024	Anmjcieo.exe	91
PID 4112 wrote to memory of 1400	4112	Aqkgpedc.exe	92
PID 4112 wrote to memory of 1400	4112	Aqkgpedc.exe	92
PID 4112 wrote to memory of 1400	4112	Aqkgpedc.exe	92
PID 1400 wrote to memory of 2000	1400	Acjclpcf.exe	93
PID 1400 wrote to memory of 2000	1400	Acjclpcf.exe	93
PID 1400 wrote to memory of 2000	1400	Acjclpcf.exe	93
PID 2000 wrote to memory of 2380	2000	Ajckij32.exe	95
PID 2000 wrote to memory of 2380	2000	Ajckij32.exe	95
PID 2000 wrote to memory of 2380	2000	Ajckij32.exe	95
PID 2380 wrote to memory of 1380	2380	Ambgef32.exe	96
PID 2380 wrote to memory of 1380	2380	Ambgef32.exe	96
PID 2380 wrote to memory of 1380	2380	Ambgef32.exe	96
PID 1380 wrote to memory of 4456	1380	Aclpap32.exe	97
PID 1380 wrote to memory of 4456	1380	Aclpap32.exe	97
PID 1380 wrote to memory of 4456	1380	Aclpap32.exe	97
PID 4456 wrote to memory of 4420	4456	Ajfhnjhq.exe	98
PID 4456 wrote to memory of 4420	4456	Ajfhnjhq.exe	98
PID 4456 wrote to memory of 4420	4456	Ajfhnjhq.exe	98
PID 4420 wrote to memory of 2128	4420	Aqppkd32.exe	99
PID 4420 wrote to memory of 2128	4420	Aqppkd32.exe	99
PID 4420 wrote to memory of 2128	4420	Aqppkd32.exe	99
PID 2128 wrote to memory of 3240	2128	Agjhgngj.exe	101
PID 2128 wrote to memory of 3240	2128	Agjhgngj.exe	101
PID 2128 wrote to memory of 3240	2128	Agjhgngj.exe	101
PID 3240 wrote to memory of 3100	3240	Andqdh32.exe	102
PID 3240 wrote to memory of 3100	3240	Andqdh32.exe	102
PID 3240 wrote to memory of 3100	3240	Andqdh32.exe	102
PID 3100 wrote to memory of 1076	3100	Aabmqd32.exe	103
PID 3100 wrote to memory of 1076	3100	Aabmqd32.exe	103
PID 3100 wrote to memory of 1076	3100	Aabmqd32.exe	103
PID 1076 wrote to memory of 4488	1076	Afoeiklb.exe	105
PID 1076 wrote to memory of 4488	1076	Afoeiklb.exe	105
PID 1076 wrote to memory of 4488	1076	Afoeiklb.exe	105
PID 4488 wrote to memory of 4612	4488	Aepefb32.exe	106
PID 4488 wrote to memory of 4612	4488	Aepefb32.exe	106
PID 4488 wrote to memory of 4612	4488	Aepefb32.exe	106
PID 4612 wrote to memory of 624	4612	Bfabnjjp.exe	107

C:\Users\Admin\AppData\Local\Temp\c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe
"C:\Users\Admin\AppData\Local\Temp\c9b8075cc7f1993d4ba0dd83eb172b685d57ac3705130bd0f021c7840aa84adf.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\Pqdqof32.exe
  C:\Windows\system32\Pqdqof32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\Pfaigm32.exe
    C:\Windows\system32\Pfaigm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\SysWOW64\Qmkadgpo.exe
      C:\Windows\system32\Qmkadgpo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
      - C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:508
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 428
        56⤵
        Program crash
        
        PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1888 -ip 1888
1⤵
PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
63KB

MD5
003168b87e624e195461d93101d2e61f

SHA1
950bdde0070d4801ff8133c3494be08cc43cbb36

SHA256
73f7ef3e65c9e65bba15426e8c6929273a6dcb0388b076e6bd285cf50aefbfe6

SHA512
c5927714b5676613ab07279156b638ebe89616a2b76a63990744cca12ec7c603b26c12bea779fd8c2c301cb224405ba12a7beb29f7ad5ce418363ce1c8500aec

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
63KB

MD5
f90eb4fb20b775022423bca8774d0ef1

SHA1
719cfcc588ca8d32bc7f23c99e0a13981d1e22aa

SHA256
0674e47252895f4657c1155a6deaa3f077838fbd05eebd3bf0fed13ce38a6dcf

SHA512
46decab27d01c7be89032ab7d121756da86b071d5204b871395d5527fbe5ecb3cf32ba836ddfbc91fef5873422e5887a998039f21f09c94fc8e3d24cba350e38

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
63KB

MD5
4a195ab08b7770a13cad3cbee84953a4

SHA1
6b407ce19e3bfaa0e76d4b5e2cd60b0bedeaea26

SHA256
6ebe90afb0f30eb468eafb19bc682ab31f8ebbcd9cf3773cdf0abede09d41493

SHA512
523c23f2c57a838dfc1d2c123fe3d08dd8e71d64e3a3f6f2cb906cd9a6ee9f95a9b2f551fb8dc65b4d600b74398b0af121efa541f1c045efbe942cd46a46b760

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
63KB

MD5
9ee944a4841cd99f49e6eb3400f64d2a

SHA1
c11393f44918828330d1b0518396a1e578e4b813

SHA256
832fbc8888cdc873b7525ec26249e3579edf1586330d852dafee8ab5d24c585b

SHA512
23e292c09f286896ed6aeabd9f9b5da6e2027d00f8f494f5e65cf700ec8508b4db3a871415eed6155a6de0fd1b89369aed8137cf09de42e0aa33184986830ad8

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
63KB

MD5
daf14ff736d053f7634fd1e6e7bd9466

SHA1
e42c435db82f522efd3d2f3469556a71f65ac960

SHA256
165b75fde6d02404f4c336b6b12a6313a89c388462e6f2744692196a3c3ca58d

SHA512
b0c239228e915d01dbe4b63928422aafd4c33b7c2772b84428cd947e98912db2af8727136425499a5eb54af2926e5191b593d0d4e74c525f0b3109ad9346091d

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
63KB

MD5
c9ea03b445aae9620a5e717846532a0d

SHA1
705263b4d16bcf6fd4bd640f3a63560dbd47369d

SHA256
95ac26e184ce4f0fe9f93d57af1293ac7523c68b31ac9223fb6b052f8eed59c4

SHA512
4adc95b5c00119dd580fa7c73216470db87f969265c880d88f0c79cd2c10bedbe28a80e15287a933f8a089586defdf07f25169f4fb3da9c7c88322c520d06f5a

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
63KB

MD5
c893c3b3077ef8a54b8546c70c3a20c8

SHA1
d95f7b704dd1abab99c663a773465f87d1bcc2f4

SHA256
3ce2f8f6d26e7c56d60eab47fbafb7d9c47efba079acde674e42a3c8753bb1f6

SHA512
86bd008fb05367a73e1a3e40e614ef3acda2d40b65d54c5f28b4b17bcf83e784f63a0cd18997699ddc5f4f5074f56c4a6a61ea98e8d5b03f8c12ab4125337fa3

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
63KB

MD5
695182a4b15542857b7991d8df05473e

SHA1
5a8d37dbc970dc7427afeecd951708c31302af26

SHA256
1171fcfea8c920b4e3205505e7a9ba05583d509d2a664de81b2ce034740c9e0e

SHA512
8115d39c9986117dbd99b27d02a63b4d9c0ca6fc0daff0865f28a22544e2128c54af03e40a7903da4a692893525ddc3c3186cf71ab49f495aa02b14d5e362c3f

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
63KB

MD5
cc1fabc7640b5b174247a2a89c49455f

SHA1
7bd2d6bd43a265b6745e87f305a6369d6bbffd39

SHA256
bc2f22f5f95c2b4ca7990bf1e155bffda84ae0067f299362b4bd4210f56d2856

SHA512
aa0c5eeb03a89003dc6479d5499a9d4a472f688051f8ead65948b8ec7d64bec5322646b222d0eabbdf6d88046828e77f99ef0460ce7ea5783cd4af0bc4ae2111

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
63KB

MD5
7cc2a183fbde18e13c2b6a0a4ab817ba

SHA1
c16e453dd581bddb829cb3045dc44920d23cb43c

SHA256
65645ddb636efda9e776762e27f9100a5932db48cfac04ac1f06cf2f1222dc15

SHA512
52eed5d578ed8e46b395698ce99f02f8e78c768f1e84256cc4b6b150e258bb5955c421bd9078ce05e247db1c6454530449c71ef4aab80e9554b99d71254e7aa4

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
63KB

MD5
a47eacfd30e8d7f1090e0d8572938d91

SHA1
7a94237a915cbf50465eb2ea4d2e12f36ddddc97

SHA256
bb145a7a3f97064ffd7086ef74b8b9d556cd7edede511413a4c5fd19f909f4c5

SHA512
ddbc7a82650b9cea17b74e834440dfdb7a8230e67bbc2b29e6935c09396fa7d003eb347ec945d70ff6c46674eb9d24c4702734cee5534cc334a82acb08899639

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
63KB

MD5
e10107079f31dd29ed588e0b5cd69082

SHA1
cb1997ddce6ecce3628a81c328f03d52a1d73041

SHA256
2611361c1ce7b4060c05662e859bf16e58071ace0f58ae0d6f2ff7f48ca52985

SHA512
bb14ffd06530610b9aebe5ad62661a2626c9f1e047c1ea1e0d2460c01643c62a71ff34577a0deb35f4b7a82ed064876d454a00907584fc3e16c49fcd19ece80e

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
63KB

MD5
a50c77c7d5725e7022193d47e9df7fe4

SHA1
a450a45dc578af5bc2dffdf0b4c98a2aabfc91d4

SHA256
df3d63c0a29fc259911fb2ebb7c44c3013fb0bad580b858ac2bdec8022539578

SHA512
587db1302c7b3364c8235eed082badc23111ddec1137514553a8e5152686d4d8f007e092c1309f0cf9a68e2e25d92bee9b9a2fd05b3e5a96de21804125a19744

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
63KB

MD5
8c4f807d8623ab1f7b028763220b6e71

SHA1
4667283bb547585a69bb9a160384d88f8cc04cf6

SHA256
e57352ed5c48e4f88a9977f49f1889781a8390187cc8be48eb126840d11473de

SHA512
6b507db7d6973ce72792fcc5f9fe0331f2c61f1131335c3c69d551518649a05359b11bb4b0e99e20c60cdc0043103752c76af6618446e845847776f6897650c5

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
63KB

MD5
88c1d2526ede7f93034fd294a85f30de

SHA1
0d1dcd4e6edc8d9b6bef80c0475b57a41afc70c2

SHA256
31d6d89ce2a5a0a9b38ebe0179b477920c6e2a50c56c352ce93ec503eff48af7

SHA512
786f8777c667f599cfd37ac6d6e9e7351010cf86c7c34864385faa5b73550f97594c2bc62cafaf44c1ee22f62d1ca1cff5e3212d56487f443befc71bfe546c5b

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
63KB

MD5
bc8392d1a273f171cd1fe92e03f612fc

SHA1
88b808654531bff84a29b25e10fe23e9ccbd42c0

SHA256
98e1049ef89e776c3bdcfe4143eeb7e0776f88ce9737a9c2bc6b0c14fbba4b4a

SHA512
88fb9b1c4074ce335b6015745587ebb957b4648d0f8a2311d6c70dabf59932a6fa0e5e60597fbdb6b502166f80fc4506f44ba128584dbff4be037b2ba3ea6af2

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
63KB

MD5
b8f8713e5acf658414f7f289770d2863

SHA1
30551d522048b9edb1bc08ba2b484351e974e06a

SHA256
166ebd7b3ef3a9e4c26cf3a9a848f648e60b972703899ca849ab7d488c8a5b99

SHA512
ae78ebb852c3141168642691ef5e72253cd437ecd3fc271d7b35c92263807794eed66fc968185b0ca5c0e7bb949fec73e66f6b4f67c17e78f844e49358a8265d

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
63KB

MD5
5f782d271222aea707a32ea4d8c6831c

SHA1
97e2bbb5827b13eabe3eef96a3d938bae3d89d9d

SHA256
4fbc2526ce89a70c4456325b820a5c28c4b17372981f9961285de41d4c670976

SHA512
2f08048fb8cdec3d28114daf000eb2fc3d88be4c4dd844176a1cf5fc72e42bc56ca4e8cf5f577bebe0d2147c6d334f23aff7ec8ffb3de644b58f676f4757dc84

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
63KB

MD5
031f182e5b600d0d32dad957f7c2cec8

SHA1
4252d8ed27a22be86af6a28c8706ce7272386a28

SHA256
9545e413f3d0737e359ba7404d2986e041109f71b6d574ae17d9f29bd01030f3

SHA512
9fa5d20b6e8915d7a73c01c0bd91f7737bf1a83125a8957e3047583f24d70b79c65d1d7df6e4176900385d899bd8aa3c00c6b388a16a836d4a61c0c25b2046fc

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
63KB

MD5
aea9d5424fc9ddbda9c3f386f7481cb1

SHA1
0a5495d250701835a3c18c4f36ee205cdafffa54

SHA256
35488981d9e0418a0fec5ffa9f1d976dccf379428268d3188ce37f98244fda20

SHA512
410b57e3060e06a589bd7683d704416bb6a9d8af47d8b282a83711df4a64b711d604bf8a58714049a295efce03ac8258c5c3e409ff35285ab22ed9ec8ad135ed

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
63KB

MD5
e78b9a8bc413c0c1a46cc35b483b6973

SHA1
bc92e5aa43fd72854374c03ac19ff8f10602d228

SHA256
cfca1136915a04f89e0522918e7b38edcd66f957c0930d075af9deb084140b4b

SHA512
5f74492fa2048fd7fd9a17536481b5af7d4935a93840d1d36de6e691f99e70700c3daf361fbdc7e97297d2b7155d2aa9d22a99421a368ae876d86f9323d31fba

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
63KB

MD5
0164f4b2455f1e9b6feb580349352417

SHA1
b0d73e5ebcafca3c0d2a223d728d68092887e8ea

SHA256
1314231ec551e93e1631ba517f07fb216e59691048a05a07cbd308c7900cfaa4

SHA512
44152af26d37def0ca1e043960b9641256a17096133c0ee471747cc9083865e9333ce7848b08a856fc59e3943b808e8b09cfd82d3e8fc534f039a602e488a20c

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
63KB

MD5
0671a0fb2e5bb7258a57a5bd9db27cd4

SHA1
6ebc07628f69c8facc260600855af5b0b5aa5c65

SHA256
544ae01ce4519d877d9186518d5767ae9ce0f80241544e9dc4f0500c4b02d682

SHA512
3ee310fd8ca343fd9423ff41c152402cc2e2d61334ae9d276f33d3b7b02dfd2ce6bb9fa6a5227e4966434972cd0b69769a878820a1cd65fc418593c5f62bda1a

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
63KB

MD5
95bd84dd073660c57a03d57f2371e66c

SHA1
f8f80abbb2981b15bb6c155181a254fb45b72904

SHA256
7d6a5526ba445be882b9164f08beb77efc0aa1fdf3784f7e77c04103b3b38fb2

SHA512
2046981e64d1f84556fdbe85d0734e020d2933a502b0bc989cdaa9b9a73f0c5cae42cae0a5c87137135124b5a2dbfc4297521fdc57fbd88b5f7850439b00affb

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
63KB

MD5
259871b2e8363d4b4ebac1f23ed1383e

SHA1
eeda732362eac6372379d34d7b1b1bee9d561eb1

SHA256
cfadacf70891194f46f1b5b01af0b3e6377530e1b6dae3ccdcef5fea0a97a4a7

SHA512
259d2ff28cef0ed18a0c110e94534237efae57d753fb6b81c761ee11db739ae1d07fc61397e84f5f35998b59c86acfbaafb95a5a677fdce3c760a3a75fc65005

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
63KB

MD5
89f9013168efc58332092ed8a37cffbf

SHA1
6487e5f6a202b32f96832e956bea722352039b53

SHA256
0f2f4cd1e787b059a9facca8886b869cab02d8db734ad492a1b4ce061964440e

SHA512
aef3a4bef320e195da7c82f4f65bf79bce3285e7d8257e1cfe5470a6ef4a82121df94dc611f6b131b2edfe4aa59be95ab929114e3f06f9bbfc7d222133b4d9c1

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
63KB

MD5
85e6803a9295a311e21e3cb947d3fc45

SHA1
d8bd905096db7d850172275888b1323dd3da079f

SHA256
88debbff092339644993a8d73633fae177a8170f33ac8398274b3875562b4bb6

SHA512
66eb03900d5296d4bb430a53493e5fcc6560c31d5736d6d0a75a7662ec21fc1550430b264092a7dcded41a7710d2372e5c08dcd8f5982af0b0bb0b36fafdfe4b

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
63KB

MD5
e88eff45e8d7c9442ad1e96c70cf8853

SHA1
8b8045af69c1f0b7ba307d8d54cd0184d20b93e3

SHA256
cca368ba29bc279616ef83dfa617979ca165310f4c85a445d5e1f6f9d99c062d

SHA512
e920803aa2c640ab8c2646c1fce3dfefeaba46d92e46fd127340e6201c58ddbb6210e7c397b70bc808191390fc7b44cf6378b6376da907ed15804721ae9611ce

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
63KB

MD5
6fd6fd3d59112a2a66e455450edb3736

SHA1
8c4a99146133e8f1ce40af98df71a0d06ec825c0

SHA256
9196b70cdd0ff266ee7ee42ffa6f2b097b171a43259899956eefe3e00794e405

SHA512
9f2a0487c35133c7fef2102e84a62dc70d772085203ad3d31ea9473f18cedc7b0df6bbbe2a00719ac7174ffcacd5bb165fa14d77747f67869aed4c461a563bcd

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
63KB

MD5
6e5e9efe235128472217aa28ddf86489

SHA1
1e7305619cf71f0ff805f0d611aaad9f7a1429da

SHA256
3e9675e127cf7f99193f43c26ea4d8dc9487ccc65b5b8ee1d4c432bed01a8332

SHA512
582da2e584f1ebabb9aa110a6594909d74f5f135f993ba23833f300ee57cbe44bd8c88d4202b7fb209ac1becc307eb06116631779a5a87f5a5d00240a4d8b58b

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
63KB

MD5
d0c9d5f827837d4ed4621acc86233ec2

SHA1
7eabf604fe1a6fbfa8c42604b5ef5d7f4467cd2f

SHA256
307a74ef137689974e86b59711499776e3a68da20f7893fffbc289f5d6e90cae

SHA512
c399ea1c976c46b846a3b711ee680d733e0e70b9231df44bf6f832735136b1c72fe24f0286409d2a42195e3965af4a7574c4c42e9d5979e2a2ccc2d2dece7833

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
63KB

MD5
b01c84f44b67e971921a83139e637c48

SHA1
69c234ed232090934f75ad32ea35b943b8c1b043

SHA256
b48eb56f56eeb203e96e5f6db753789636c28d82efc431647c7d7dea626a372b

SHA512
a01d33a4ba5380df50daa9f8d9d1ec6a839182579b0b32676b9a873bf4e4310c97e3e43bd6d3721cf4eb3e912d4273dc8dd7496f2b3b327a5a9e11be1a17a9c0

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
63KB

MD5
4b3373827f47b136fdaf9e5c6ef4711d

SHA1
5148bdab4a545c116cd54c8f7da268c0dc5bc0c2

SHA256
a991b542fc2ec9bec9da10dfef82abf99cfb9c47fc66a53571bee7399ce032ec

SHA512
752ad43ea46d4c51cc621c09aafe586de7848236fd1544c93bc92413cff7e3f66d3be71d6d5199c63c6c279bd5ce231bd7861f9e008203c45cbb4893fb2d246f

Download Submit
memory/64-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/232-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/232-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/464-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/464-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/508-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/508-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/628-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/628-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-468-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1400-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1636-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1664-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1664-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/1724-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1880-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1880-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1904-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1904-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2000-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2000-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2228-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2228-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-470-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3100-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3100-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3240-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3240-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3296-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3296-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3592-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3592-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3644-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3644-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3664-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3664-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3852-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3896-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4108-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4108-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4112-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4160-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4160-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-464-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4488-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4756-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4756-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4932-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4932-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5028-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5068-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads