berbew | 4de9735d486e8f0fdf825a77dd965deaa4e20422267f47b720507c08582b6990

Analysis

max time kernel
92s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4de9735d486e8f0fdf825a77dd965deaa4e20422267f47b720507c08582b6990.exe
Size

59KB
MD5

4da2e2fba33535ecde52d3528b8b0a86
SHA1

40c61419f3837a23af514db0fb2aa5a5e3be2880
SHA256

4de9735d486e8f0fdf825a77dd965deaa4e20422267f47b720507c08582b6990
SHA512

6818ccaca92d6ceff2d5d645ba6bba950a39926160b209563bdb176e476fe3c5cf1136985229f3e71c977863406e6e9dec4118a27db950d614f98c9a0efed20f
SSDEEP

768:n+eJ0LvJpNCZLoYgLsAc4LSh4V+4PBRMAsbPiylohUcjZ/1H5i5nf1fZMEBFELv8:yJrYlAbns+y6fsNCyVso

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4288	Pmidog32.exe
2852	Pcbmka32.exe
3588	Qnhahj32.exe
4424	Qqfmde32.exe
4860	Qgqeappe.exe
4800	Qjoankoi.exe
4780	Qqijje32.exe
3272	Qcgffqei.exe
2408	Ajanck32.exe
2848	Aqkgpedc.exe
2944	Adgbpc32.exe
1568	Ageolo32.exe
3160	Anogiicl.exe
3208	Aqncedbp.exe
2216	Aclpap32.exe
3292	Anadoi32.exe
2980	Aeklkchg.exe
760	Agjhgngj.exe
3616	Ajhddjfn.exe
5080	Aabmqd32.exe
2528	Aglemn32.exe
1100	Aminee32.exe
1540	Aepefb32.exe
3632	Agoabn32.exe
2488	Bnhjohkb.exe
1228	Bebblb32.exe
2880	Bfdodjhm.exe
4612	Beeoaapl.exe
1680	Bffkij32.exe
1788	Balpgb32.exe
4676	Bjddphlq.exe
5012	Beihma32.exe
4484	Bfkedibe.exe
1640	Bmemac32.exe
4596	Bapiabak.exe
3260	Bcoenmao.exe
4912	Cjinkg32.exe
3612	Cmgjgcgo.exe
5088	Chmndlge.exe
1248	Cnffqf32.exe
3184	Caebma32.exe
3036	Cfbkeh32.exe
2620	Cagobalc.exe
3628	Cfdhkhjj.exe
2208	Cajlhqjp.exe
4792	Ceehho32.exe
4840	Chcddk32.exe
3748	Cmqmma32.exe
5068	Calhnpgn.exe
4444	Ddjejl32.exe
3448	Dhfajjoj.exe
936	Djdmffnn.exe
4920	Danecp32.exe
1484	Ddmaok32.exe
3444	Djgjlelk.exe
652	Dmefhako.exe
2224	Daqbip32.exe
3340	Dfnjafap.exe
1944	Dodbbdbb.exe
2132	Daconoae.exe
4508	Ddakjkqi.exe
4296	Dfpgffpm.exe
3880	Dogogcpo.exe
4180	Daekdooc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2648	2752	WerFault.exe	149

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4de9735d486e8f0fdf825a77dd965deaa4e20422267f47b720507c08582b6990.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4de9735d486e8f0fdf825a77dd965deaa4e20422267f47b720507c08582b6990.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	4de9735d486e8f0fdf825a77dd965deaa4e20422267f47b720507c08582b6990.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 4288	1544	4de9735d486e8f0fdf825a77dd965deaa4e20422267f47b720507c08582b6990.exe	83
PID 1544 wrote to memory of 4288	1544	4de9735d486e8f0fdf825a77dd965deaa4e20422267f47b720507c08582b6990.exe	83
PID 1544 wrote to memory of 4288	1544	4de9735d486e8f0fdf825a77dd965deaa4e20422267f47b720507c08582b6990.exe	83
PID 4288 wrote to memory of 2852	4288	Pmidog32.exe	84
PID 4288 wrote to memory of 2852	4288	Pmidog32.exe	84
PID 4288 wrote to memory of 2852	4288	Pmidog32.exe	84
PID 2852 wrote to memory of 3588	2852	Pcbmka32.exe	85
PID 2852 wrote to memory of 3588	2852	Pcbmka32.exe	85
PID 2852 wrote to memory of 3588	2852	Pcbmka32.exe	85
PID 3588 wrote to memory of 4424	3588	Qnhahj32.exe	86
PID 3588 wrote to memory of 4424	3588	Qnhahj32.exe	86
PID 3588 wrote to memory of 4424	3588	Qnhahj32.exe	86
PID 4424 wrote to memory of 4860	4424	Qqfmde32.exe	87
PID 4424 wrote to memory of 4860	4424	Qqfmde32.exe	87
PID 4424 wrote to memory of 4860	4424	Qqfmde32.exe	87
PID 4860 wrote to memory of 4800	4860	Qgqeappe.exe	88
PID 4860 wrote to memory of 4800	4860	Qgqeappe.exe	88
PID 4860 wrote to memory of 4800	4860	Qgqeappe.exe	88
PID 4800 wrote to memory of 4780	4800	Qjoankoi.exe	89
PID 4800 wrote to memory of 4780	4800	Qjoankoi.exe	89
PID 4800 wrote to memory of 4780	4800	Qjoankoi.exe	89
PID 4780 wrote to memory of 3272	4780	Qqijje32.exe	90
PID 4780 wrote to memory of 3272	4780	Qqijje32.exe	90
PID 4780 wrote to memory of 3272	4780	Qqijje32.exe	90
PID 3272 wrote to memory of 2408	3272	Qcgffqei.exe	91
PID 3272 wrote to memory of 2408	3272	Qcgffqei.exe	91
PID 3272 wrote to memory of 2408	3272	Qcgffqei.exe	91
PID 2408 wrote to memory of 2848	2408	Ajanck32.exe	92
PID 2408 wrote to memory of 2848	2408	Ajanck32.exe	92
PID 2408 wrote to memory of 2848	2408	Ajanck32.exe	92
PID 2848 wrote to memory of 2944	2848	Aqkgpedc.exe	93
PID 2848 wrote to memory of 2944	2848	Aqkgpedc.exe	93
PID 2848 wrote to memory of 2944	2848	Aqkgpedc.exe	93
PID 2944 wrote to memory of 1568	2944	Adgbpc32.exe	94
PID 2944 wrote to memory of 1568	2944	Adgbpc32.exe	94
PID 2944 wrote to memory of 1568	2944	Adgbpc32.exe	94
PID 1568 wrote to memory of 3160	1568	Ageolo32.exe	95
PID 1568 wrote to memory of 3160	1568	Ageolo32.exe	95
PID 1568 wrote to memory of 3160	1568	Ageolo32.exe	95
PID 3160 wrote to memory of 3208	3160	Anogiicl.exe	96
PID 3160 wrote to memory of 3208	3160	Anogiicl.exe	96
PID 3160 wrote to memory of 3208	3160	Anogiicl.exe	96
PID 3208 wrote to memory of 2216	3208	Aqncedbp.exe	97
PID 3208 wrote to memory of 2216	3208	Aqncedbp.exe	97
PID 3208 wrote to memory of 2216	3208	Aqncedbp.exe	97
PID 2216 wrote to memory of 3292	2216	Aclpap32.exe	98
PID 2216 wrote to memory of 3292	2216	Aclpap32.exe	98
PID 2216 wrote to memory of 3292	2216	Aclpap32.exe	98
PID 3292 wrote to memory of 2980	3292	Anadoi32.exe	99
PID 3292 wrote to memory of 2980	3292	Anadoi32.exe	99
PID 3292 wrote to memory of 2980	3292	Anadoi32.exe	99
PID 2980 wrote to memory of 760	2980	Aeklkchg.exe	100
PID 2980 wrote to memory of 760	2980	Aeklkchg.exe	100
PID 2980 wrote to memory of 760	2980	Aeklkchg.exe	100
PID 760 wrote to memory of 3616	760	Agjhgngj.exe	101
PID 760 wrote to memory of 3616	760	Agjhgngj.exe	101
PID 760 wrote to memory of 3616	760	Agjhgngj.exe	101
PID 3616 wrote to memory of 5080	3616	Ajhddjfn.exe	102
PID 3616 wrote to memory of 5080	3616	Ajhddjfn.exe	102
PID 3616 wrote to memory of 5080	3616	Ajhddjfn.exe	102
PID 5080 wrote to memory of 2528	5080	Aabmqd32.exe	103
PID 5080 wrote to memory of 2528	5080	Aabmqd32.exe	103
PID 5080 wrote to memory of 2528	5080	Aabmqd32.exe	103
PID 2528 wrote to memory of 1100	2528	Aglemn32.exe	104

C:\Users\Admin\AppData\Local\Temp\4de9735d486e8f0fdf825a77dd965deaa4e20422267f47b720507c08582b6990.exe
"C:\Users\Admin\AppData\Local\Temp\4de9735d486e8f0fdf825a77dd965deaa4e20422267f47b720507c08582b6990.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\Pmidog32.exe
  C:\Windows\system32\Pmidog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\Pcbmka32.exe
    C:\Windows\system32\Pcbmka32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\Qnhahj32.exe
      C:\Windows\system32\Qnhahj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 396
        69⤵
        Program crash
        
        PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2752 -ip 2752
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
59KB

MD5
7fe34e3325d68ef627e636007e56210a

SHA1
575d9671a8d72a9a7a2d1ab57956d664170ef3e7

SHA256
a29b9f92b40b268526e45bc04e6072f361f9aae50f27dbb3f008d5db632bfa87

SHA512
f0c3212e32f57153b717515bdabc8986987debb878aec5f02d1be066ed7a99cdd333fe58d48f80219bf22332a17457fec7a3d85aad77c73cfa4687f482fe3cd4

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
59KB

MD5
3c45c80d689132c5b6a0d07ec98e1fb5

SHA1
b85db6998b3ade96f79fa14bfce5e2d9f3ef40d4

SHA256
3432b5036251d0ab41e72c603a50d319af0b590d245516a3f9845eb4b09e3eca

SHA512
0d2ac8e831a828766a08b094ab696a797539f89d1b489f5ee15810c4d3fd124d01fe3b35680d38ff310bef360c1a3c5a1e4dadb953b35c3cd14fb05aecc30d59

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
59KB

MD5
8ee2cf2330824ac27d8123c6276baa0b

SHA1
5d4646d32a7a3308ab096bbbbef99a9435c1a6f4

SHA256
249996ae8688b691d422e682cc5003ffc01fe03f4ea9206be88ee16e0c8098f8

SHA512
ea869a9e981184985e7482501e9bc3da5597e1baffe8f26b31e24ef4803b43ca85cbf15139c082b66ce4f5fe3d03e5da8a8492c62ad35f4fb36f21166048ab18

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
59KB

MD5
ee9c6d8f6deb4c33d450108c74486f83

SHA1
e2e68a00350c7d56ad62537c93dc7b9dc3eae872

SHA256
580fbcaa1cf77a5fc47e1a582cde89ebf7c86cafca1c9cb145ddc42b32ac7a2c

SHA512
177f3bc97b0b539233e0c68a5cd61ebd6c6dc778a496c3cb526f55056031285dfce84016b0dd91a3b1b27e9c1d842af7fd7dd04aa4f595f45c02948e78200c21

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
59KB

MD5
d09bb8a988615ecedc83d007c5650dd7

SHA1
ced1ebe30ddf48fc50029ce518a12cbbf25e0361

SHA256
9249a8163a485c611886e7bbed84e60d2720b3142f3bd779950eba6fd579151d

SHA512
831836500fe2d0c2e742a6bbf18c061df00e9fcd2bde36b23addc9613e638505f386baa16b30262df059ee6a2ba9d7350aa987c3611e234c5d080f518e420a77

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
59KB

MD5
0620c6a76d9471c52d6a096930b0700d

SHA1
514772882f5527ad84e4298fd638edd3b3073974

SHA256
5ac73828dc9a8f238833a40359a2de1da9e89c2ce2290f9c66a2c7ea8596a0e4

SHA512
c4630afe326a5ef707d406e12f2e667b5d24fe9800005f773c72e6176398d39b9db31f725760aacd2c02efbdbd201ac9436b9b786b1d7a1bcb16ea2e2e30039f

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
59KB

MD5
5504db82976cc18481a4d0943f6721ac

SHA1
5174b754ff14fdaa54d507cecda7f177d9bcb3b2

SHA256
f800fd7f454b84dc674eb878f7fbc3c320b2e4882d70e7dd3efa54bb49d06b32

SHA512
673dcb994d630349e31c1d846fc028403eb48122a2db896485092a7d52f0b516faa9a88a84d7aa575e2e4d052c178d9761ec010b1d7a49ce25b23a9c80765f4f

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
59KB

MD5
344623a0a2d38224bb297befb097d728

SHA1
a5f66c72c7a5561a83aacc96e8cf6b820af46171

SHA256
acd9e629207961efe61f048b1c0fea60888fb7e3d1850df0ed10d83e9ae0b95b

SHA512
815809960478526fa063cbfec92b0e3f1f3361a6ffc3452cf4e11ac53ab16be9a7418c75726984df3feca5fa5ee92328ae24a0a67dbf647baf0719623dc278ac

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
59KB

MD5
65f86d4547c799194067c2f8cd98842e

SHA1
115975d7e548101c2fabfc3c61460834a24e77bc

SHA256
4b5665a9ba158ea7c9318753a34b306b483e96e28775dc4ebf866e4e34d61aed

SHA512
9efc3a0f40b5144a8ec5d4fddc7868f2c9b808c17d1ad97a1576ac758c3c6168c6c7628e3b853579f87c9afafce8b36a0196aecf35996c80b33c313c67e40794

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
59KB

MD5
52ab84897ba8b5c0f44fd836abab0d15

SHA1
9e9e68fcafec8a1d32903f45a6af66344976dd67

SHA256
a513416bbb32f0a4a2b0a5cf4c27b69283d4068b52982c6545edd0f4949bccdf

SHA512
dbb274a0a69ddd35ff69f8682cbac6da1a556dbd4c4a1c9fe474c948ed2e9cc38bc82b53d45fd995e6657592fc2f01ef8e7c6a27ff04937afc915ddf81c1135f

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
59KB

MD5
bce91278ce5827ee5960f8e0a669444b

SHA1
88bae933729aed48fecb175df91829d0c8e706e1

SHA256
7be5f3ea86f559ea626bcaab55c7beae001707e883809083cc52be53ddf3b094

SHA512
c74adb17d65eef6e76a8c99b790109bbc40009d596fb5cb66969fa5ba1798d497d613421ab68d9269edea27c19dc29d07c9c423852f5777cedb9ca8bd6d0e9c5

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
59KB

MD5
c71f7da717e594be85725c70ae582d72

SHA1
de57261d1abbd9890993b46fe129cf27a3d2980e

SHA256
d377099601b797806ac978fc5bfec72a35c8edc4fa6f9ada76d42ff3394ac94d

SHA512
7bcdd6f9d4e355f9af471d945c3805de106c94d64e43a6907571cb50abf93d763c2a24bb47bc039c16da9f2ed74b80690ecbb68a61f2aa2ea654b52ecf04ce1e

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
59KB

MD5
bdbacb2492c34334f04a106feaa8f040

SHA1
5859c5947f52a9052639b02612bcbb54dc508378

SHA256
2d0694fab6b426ce9804123b178ab4362bce358743bea1e28997c007000aa616

SHA512
a3fba75fea52175883e640ef9a94723e049d15f1d5d49424542ada93aa8c0f2d09572b07bd6d65453ba8b570e28065337058715a09f54998a7214de6d465d484

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
59KB

MD5
aff42b3be41fcdcd69ace2cdf01a2394

SHA1
4c14dc39bf0c50742b721e59c0fa16b72e0e7ea8

SHA256
30d1bf29095e516f56613a11ee1d37c24745faeb1c31040aa540fdb2ce68328d

SHA512
f36039d1fd1555005a9a85d112c2273639c5a9b70a5ead38ab254f1425ed9636aab4345619dfd19912793be962295bc743a9ec67cfc679a9c7827757d69710fe

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
59KB

MD5
13f968fae09133d7cb31dd7b204fdb87

SHA1
53bdb30f749a40e1096db489cfc3e44662bca5c8

SHA256
bb5ef3470527aa0393694702b970e7a9ae2ed58c3ebfb84f68a7955d03ad6188

SHA512
cc1b2dd3981986449e24d2558d08b03f990560cc904ccfaa120e5adef0e6d08c293dc3a28bb7a091bbb2da2bccf1435cf1981aa36763f44a0ef421a89950f075

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
59KB

MD5
af6d1f82dc98a1926b13c3d050ac2977

SHA1
dcc2eacb3f89266d05e97688a065138b793b9ca6

SHA256
cc4bb402d45da2b31e608e736689baa6a7511be70018d1b4d58272a96133d28d

SHA512
ad9f7e4f5de4bdffe7eb56f70c8854b8bf9c0266015127f5cb0600c436f43c3d405f48105da3e374a4456121919401b00a02ae475b8fef49e72580eff4b36375

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
59KB

MD5
e106b66cdc6eecb78612a656f61a741d

SHA1
111bd6448c54ff1057ef0475969b87ab36bc691d

SHA256
01f34de29af31b61690e3be212ef5248db8f16084fc2d59324e22f15e8321df9

SHA512
d459f55070880d28d9a7bd9e170dadc7cc13cc12ede8cc61908f3c44ab30dc3c50133272aa64ad55863beb68cf344ef66e7e1dda582e59f5b68eefedd9f9395d

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
59KB

MD5
474546ad1e1ee504dc1115ecd73338ab

SHA1
0d9204d3b341be6e936c1425733dab0ed89acec7

SHA256
2eae082289572b3d280b043986a7809316e6e38e8b71b77f61fe70c0808ce669

SHA512
f9de7fa38804c0d277e98cc8cfa8b61999a040ca7a56b67651d232e842ed8d728728df4f1878ea26b51273c4bc4688347ae8e5d2296a57847a478cd9f5f66dcd

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
59KB

MD5
79a204cab71b0c0ddb18c2fd7db6d803

SHA1
3665dad80b497475ba04aef4d932016581eaf3c3

SHA256
204fc45a6174c73898ab4c4cf42b83d04d0a24f44d812e6b99e7f4c53351b05a

SHA512
527fc4b5de8793ca267cc1ec5f2764ecda5c59b64655c3cbf42e76b02198d1e3b64c2928714343f5de95810085c29065cb40ffb8dd35ca226b5b017954be1702

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
59KB

MD5
3dbff67a2f65b01567802569257b2424

SHA1
55327dc76d2ac57f60de8504d71f16ac79478da6

SHA256
37ac24b414eba95fd931c19c6f01fcf5c19d116372e7eba5c0b49a3e8b998850

SHA512
00009f980216c7b12373f58636d5eaad0eecae5310a2a431fdadceb7a5d64d708463d98e37ea572b70895541df0ba20d19d8007ce16c4b737e614c8c38799b56

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
59KB

MD5
bb581ee50e5d6bd7bc137445bc880320

SHA1
b4ccd96abcf67814f3180bdc3dc9394511bc1739

SHA256
fab0c4e556fd099c22fa28d1abba540bb3d64fae33a7de8716695f963a63e8ef

SHA512
25b072e76d9cb3d089aaa6c59501f6674ec93b0b1e67f7b7669731418f4a3305ed2c672cca838d73f3fcc7ff0dbf69ea9cf228e88194bf2779a629cc1e47965d

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
59KB

MD5
a426aeebac117bd55b041aa4f0b2d444

SHA1
6ccd97f52e4f5a8ab647f39f48a0ed0e26770bf9

SHA256
a33437d66f30c3de3a835ab01e6da9f79255f275aa27f201284b7385abcac74d

SHA512
9ba30db847731883e51c02f01e3fd48381a25175b669cab5408ca418d383e1ee0df1faa517cfc739580fb6fdfc87826a9b6039c8e6a4ac80e644562edd0402b9

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
59KB

MD5
a83bdba27f639844f9a9dfecc512d3dd

SHA1
30e101a545e617ee42897bbf2549e8e0b2e1c98c

SHA256
f9240d6d094f601cf5e5365d9aa9d3fad70f5614af1a44d887c57c8ecdbe5ae9

SHA512
75355b076dec9850616fcb07d79c4bc1e500963bce7f53c3c2ec59da0828a7378dd51983c6e8077e516fd964f00f01bf3e3784f596b2265c829cbfde911b0330

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
59KB

MD5
cb1e78f5507a2b1742bd21a74864145f

SHA1
1f329cb7f802e28fc7d03eaa2a31dfadf91fa970

SHA256
6171f15652832e89e86cc4badebe27328518c7c413797c319fb986cce039901d

SHA512
d934dc16e9da93fb8c3a1876d15b4eb882488fb937205e4d17770dde71752422819c2cd712386f2ca040b1ddf485b0cc01493fc5b409b8842d7a3f64ca3a80b6

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
59KB

MD5
4081e9ee5ae8f9169f635268092985a8

SHA1
2c68e7b9da309fac07eeeb3493ae2fcad009ddbd

SHA256
97b5415b63d1a78745393e0f4c7f9b0a6ca912843736178c6dea37491cc9b9f8

SHA512
1cd4ff887677d90dc53678dae5b469afa5ec856905f353345ac639f8138cc5183b0399c91cb8cce914eceef8c962740bf13c14e86f09011de99474231158a8d8

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
59KB

MD5
ccebe6aa23e0a25dd13abae72632048e

SHA1
bb4ba9e0c570baaa223f485f1d787a038b5ca6f2

SHA256
055b336c747b1604825de3211392712d5ff1c31963b667f12b95ae1cae330983

SHA512
b505d9326093cb3293bdb5ea5e50ceff207440fb944e2ae73fba6e497f5cd5575d76e81b14f861b3ffc3c170098b6423b904187b6b3e60e4417d6cd64778dd0d

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
59KB

MD5
322f5823d2163f7b6c0f6e9b8117f3a4

SHA1
402f4d3a91339361864dbf499c392e7574ddd082

SHA256
0c9ecf33dcb1fb27a3ca337d19af1dc5e5cf62a8510bbe7ac0a126b47f39f214

SHA512
ef7cdd37daca17a69c2854d297400c6c3710fc61f2208ce225094eee321ad69d42d8e75511930f1612ae02f7ee066968126f0604b3a89f5bc55dad5bf8d543ae

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
59KB

MD5
a9583288cd13e3b231159ec40ac2bc54

SHA1
883f7387a1b9483dfff7df006bc8d395e67d189c

SHA256
c06d793c458ead7d558741662a1d07a5b1e07055d676cd9aece6b2ba6addbf01

SHA512
bbad3f4a9d5801b283d4e33c6210b50f9879953ba7cbc56222bf5412f9fc8ecf9943a0f7994e774e95af7d2ea8c758c97a5b97c1090d7978b5408e4f8d4e62ec

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
59KB

MD5
54d577142718c175b73bde2950659844

SHA1
c342a87a70997d918c928c981c4120851c5fdbf4

SHA256
15e34af3e5ffd69c6deb83cc24219f07903ff5a547a184c268839deed12d0a0d

SHA512
63dbd77c40ea2113566190d9b69dfce65a1896573cfbdccbcaaf7f10ec9aceea674e66f4c9372d06ac480c6991a4d9d1fdeb1e379796c0ed60ef99bd51b5948f

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
59KB

MD5
b26f79e9e3042525a389e11ace9c85b2

SHA1
f5b7c8de0ce4affd502b766567970f13fddce35b

SHA256
e6efafc5cd855631e59224780b1c17058ce88bd2d51b90eded48707537b2152e

SHA512
3873e7390544caed06f715ec41c102745d59a3349de5682be13f8a0dc8310add87085eea1b2fd70a9914fe8383be0f21b8c2b028c1fa8455133aef09b8414b1d

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
59KB

MD5
fa90d51e1f36d0eb903b61e5f509d4a3

SHA1
30e32a7c2da829028816b33d0e32c5e48e79e5e7

SHA256
0240bc0641213c8342b46375cdd3ba0845c28dfb503d679437726108807e1e54

SHA512
0dabd4f1fec9149b78d88aca9c706d5df0ac70cb33e8343d67357b4e9b3fbc2ee3a008cf0b5e8ad2969ad35cbb5381c2fa55b6fef6b9b83cee24de2571cd9689

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
59KB

MD5
66f61f703287b0a976781b017a66a651

SHA1
09d58dc72768511d591ce4ebea1db6087588515a

SHA256
23e541cc2c114c4047978fcba5f0ebaf40412becd6400b37b5f040822954d228

SHA512
a2840ffbdaad5cd0f4484008133496d9b770cf91de0790e21bb5facd72cd4e5b12d88b93174bc6543f1524eeb2b16afc215961ee0759d37dbc3e9bfd63fce02b

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
59KB

MD5
d66d27b167cba120ba16ef24f59b9303

SHA1
cc05ff4cd71313d0bd7235ebfaab74a642ffaf81

SHA256
f3c3b981dcc6ce6ddb30b58703a59a8e72b9fdc5bd65aeb3f3037698f9fa6df6

SHA512
ad434b4c914bc4d6ed47498cd26ed4489dbf3193aa84de5c5a063ffc4bef4536fb9f6abd83816bc0cee0440cfe4e7ede4b0706dd55c06eb81b0e0a99ce0af0dc

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
59KB

MD5
08828adfd776e82b5af052ae1d7254c6

SHA1
3ecda85278ee38cee9e34ef545ed00875304dbd1

SHA256
ea7e915a94f96a72000a1065d40db476187a634f3bdb33678f9896555a4501c9

SHA512
730a4564ff2e24ed1e5dbd4d5402ec119ba2b16f219c9b4785e50616f9ce7bc555d5163dfdb8828589ce1a78f56395280e9457ec8376ec96f3779c05fb7a9724

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
59KB

MD5
b69c1c55880a860fadea92956ff4828e

SHA1
bfd19e54fcc64f20e0c65ed0672a662a69171742

SHA256
9da0474e09d7ce8c5861738d5a655f2770a37f28cdbfbc8ccb380a9e9aea9c8d

SHA512
23ff4311f125c38c710fbd6dc1e506ce9680ab824e7df63b8692598c69caaa8400eab2cc0b86cabfd9186fb7140a09d2b34a0a560e9c65c571c484d5957ec87a

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
59KB

MD5
b66249f72dcb4e1d955fed5b3455fed2

SHA1
3c5c2825152ca044c721083951ed089d29870176

SHA256
d137e76a0713340b99d9edc37534e529b1f22033100c1d9f3d70ec946778652c

SHA512
520d4d2dd972ebcb8308e6a598aab838a4bf497bb3651beee646946f39a2332bef75cc034e28522c59ff2a2ae9565e651686fdb46d911776b9ba162f839976cf

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
59KB

MD5
7ea3309cf8783b1602b34c34bc6d1731

SHA1
a1700fc57ee75c6491b4d31fda2f9bc7524aff2d

SHA256
2c7eeb68704d1aaee50cbae55ff86e1db2552adce0b4b71e7b8955732209e33c

SHA512
e06214c4872576aa8941cf94446a84579952cba58aa9345ffa0fb7be10301a42b920824ff2fe07ffcff8ae3b887f6a51c83433e52860c481ee2392bc5f4936e8

Download Submit
memory/652-400-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/652-478-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/760-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/936-376-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/936-482-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1100-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1228-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-494-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1484-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1484-480-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1540-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1544-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1568-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-454-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-469-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1640-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1680-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1788-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1944-475-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1944-418-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2132-474-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2132-424-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2208-489-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2208-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2216-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2224-411-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2224-477-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2408-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-199-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2528-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-491-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2752-466-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2752-467-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2848-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2852-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2880-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2944-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2980-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3036-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3036-492-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3160-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3184-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3184-493-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3208-111-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3244-468-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3244-460-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3260-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3272-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3292-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3340-412-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3340-476-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3444-479-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3444-394-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3448-483-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3448-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3588-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3612-292-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3616-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3628-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3628-490-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3632-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3748-486-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3748-356-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3880-442-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3880-471-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4180-448-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4180-470-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4288-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4296-473-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4296-436-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4424-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4444-484-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4444-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4484-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4508-472-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4508-430-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4612-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4676-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4780-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4792-488-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4792-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4800-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4840-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4840-487-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4860-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4912-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4920-481-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4920-382-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5012-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5068-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5068-485-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5080-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads