berbew | fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4.exe
Size

115KB
MD5

e3c745812b16841be1c0e6b26b2b36df
SHA1

cf7f3998b1d9476d5643b992ef8117aeec457666
SHA256

fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4
SHA512

773f19a25ae6412793ed74209aa1642b40ce60683797d8271ce0d3e7a59a31eb07d5196f7bc135668411cf4a4a7486e60ec9771f0d53594b10f247c93cf7c0a1
SSDEEP

3072:gQOr7IcABWbdbrIR/SoQUP5u30KqTKr4:bcnbhrIooQUPoDqTKE

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 53 IoCs

pid	Process
5080	Qmkadgpo.exe
3152	Qqfmde32.exe
4664	Qceiaa32.exe
1752	Qnjnnj32.exe
1052	Qddfkd32.exe
4160	Qffbbldm.exe
2268	Ampkof32.exe
2560	Acjclpcf.exe
4388	Ajckij32.exe
3920	Aqncedbp.exe
1300	Agglboim.exe
1220	Anadoi32.exe
3080	Aeklkchg.exe
4204	Andqdh32.exe
5072	Aglemn32.exe
4232	Anfmjhmd.exe
2956	Bfabnjjp.exe
3456	Bmkjkd32.exe
1240	Bcebhoii.exe
2552	Bfdodjhm.exe
4956	Bmngqdpj.exe
4300	Baicac32.exe
3228	Bchomn32.exe
1404	Bgcknmop.exe
3096	Bjagjhnc.exe
4292	Bmpcfdmg.exe
3536	Bgehcmmm.exe
4356	Bjddphlq.exe
908	Bclhhnca.exe
2932	Bnbmefbg.exe
4876	Bcoenmao.exe
2076	Cndikf32.exe
2856	Chmndlge.exe
452	Ceqnmpfo.exe
4008	Cfbkeh32.exe
3444	Ceckcp32.exe
1916	Cmnpgb32.exe
3924	Cdhhdlid.exe
1972	Cffdpghg.exe
3960	Cegdnopg.exe
1068	Djdmffnn.exe
1472	Danecp32.exe
4172	Ddmaok32.exe
4772	Djgjlelk.exe
1084	Ddonekbl.exe
1684	Dkifae32.exe
1148	Dmgbnq32.exe
3452	Dhmgki32.exe
4868	Dogogcpo.exe
4552	Daekdooc.exe
4988	Dhocqigp.exe
932	Doilmc32.exe
392	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4992	392	WerFault.exe	134

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 5080	2328	fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4.exe	82
PID 2328 wrote to memory of 5080	2328	fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4.exe	82
PID 2328 wrote to memory of 5080	2328	fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4.exe	82
PID 5080 wrote to memory of 3152	5080	Qmkadgpo.exe	83
PID 5080 wrote to memory of 3152	5080	Qmkadgpo.exe	83
PID 5080 wrote to memory of 3152	5080	Qmkadgpo.exe	83
PID 3152 wrote to memory of 4664	3152	Qqfmde32.exe	84
PID 3152 wrote to memory of 4664	3152	Qqfmde32.exe	84
PID 3152 wrote to memory of 4664	3152	Qqfmde32.exe	84
PID 4664 wrote to memory of 1752	4664	Qceiaa32.exe	85
PID 4664 wrote to memory of 1752	4664	Qceiaa32.exe	85
PID 4664 wrote to memory of 1752	4664	Qceiaa32.exe	85
PID 1752 wrote to memory of 1052	1752	Qnjnnj32.exe	86
PID 1752 wrote to memory of 1052	1752	Qnjnnj32.exe	86
PID 1752 wrote to memory of 1052	1752	Qnjnnj32.exe	86
PID 1052 wrote to memory of 4160	1052	Qddfkd32.exe	87
PID 1052 wrote to memory of 4160	1052	Qddfkd32.exe	87
PID 1052 wrote to memory of 4160	1052	Qddfkd32.exe	87
PID 4160 wrote to memory of 2268	4160	Qffbbldm.exe	88
PID 4160 wrote to memory of 2268	4160	Qffbbldm.exe	88
PID 4160 wrote to memory of 2268	4160	Qffbbldm.exe	88
PID 2268 wrote to memory of 2560	2268	Ampkof32.exe	89
PID 2268 wrote to memory of 2560	2268	Ampkof32.exe	89
PID 2268 wrote to memory of 2560	2268	Ampkof32.exe	89
PID 2560 wrote to memory of 4388	2560	Acjclpcf.exe	90
PID 2560 wrote to memory of 4388	2560	Acjclpcf.exe	90
PID 2560 wrote to memory of 4388	2560	Acjclpcf.exe	90
PID 4388 wrote to memory of 3920	4388	Ajckij32.exe	91
PID 4388 wrote to memory of 3920	4388	Ajckij32.exe	91
PID 4388 wrote to memory of 3920	4388	Ajckij32.exe	91
PID 3920 wrote to memory of 1300	3920	Aqncedbp.exe	92
PID 3920 wrote to memory of 1300	3920	Aqncedbp.exe	92
PID 3920 wrote to memory of 1300	3920	Aqncedbp.exe	92
PID 1300 wrote to memory of 1220	1300	Agglboim.exe	93
PID 1300 wrote to memory of 1220	1300	Agglboim.exe	93
PID 1300 wrote to memory of 1220	1300	Agglboim.exe	93
PID 1220 wrote to memory of 3080	1220	Anadoi32.exe	94
PID 1220 wrote to memory of 3080	1220	Anadoi32.exe	94
PID 1220 wrote to memory of 3080	1220	Anadoi32.exe	94
PID 3080 wrote to memory of 4204	3080	Aeklkchg.exe	95
PID 3080 wrote to memory of 4204	3080	Aeklkchg.exe	95
PID 3080 wrote to memory of 4204	3080	Aeklkchg.exe	95
PID 4204 wrote to memory of 5072	4204	Andqdh32.exe	96
PID 4204 wrote to memory of 5072	4204	Andqdh32.exe	96
PID 4204 wrote to memory of 5072	4204	Andqdh32.exe	96
PID 5072 wrote to memory of 4232	5072	Aglemn32.exe	97
PID 5072 wrote to memory of 4232	5072	Aglemn32.exe	97
PID 5072 wrote to memory of 4232	5072	Aglemn32.exe	97
PID 4232 wrote to memory of 2956	4232	Anfmjhmd.exe	98
PID 4232 wrote to memory of 2956	4232	Anfmjhmd.exe	98
PID 4232 wrote to memory of 2956	4232	Anfmjhmd.exe	98
PID 2956 wrote to memory of 3456	2956	Bfabnjjp.exe	99
PID 2956 wrote to memory of 3456	2956	Bfabnjjp.exe	99
PID 2956 wrote to memory of 3456	2956	Bfabnjjp.exe	99
PID 3456 wrote to memory of 1240	3456	Bmkjkd32.exe	100
PID 3456 wrote to memory of 1240	3456	Bmkjkd32.exe	100
PID 3456 wrote to memory of 1240	3456	Bmkjkd32.exe	100
PID 1240 wrote to memory of 2552	1240	Bcebhoii.exe	101
PID 1240 wrote to memory of 2552	1240	Bcebhoii.exe	101
PID 1240 wrote to memory of 2552	1240	Bcebhoii.exe	101
PID 2552 wrote to memory of 4956	2552	Bfdodjhm.exe	102
PID 2552 wrote to memory of 4956	2552	Bfdodjhm.exe	102
PID 2552 wrote to memory of 4956	2552	Bfdodjhm.exe	102
PID 4956 wrote to memory of 4300	4956	Bmngqdpj.exe	103

C:\Users\Admin\AppData\Local\Temp\fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4.exe
"C:\Users\Admin\AppData\Local\Temp\fbfe0afa067ff1c97dc70489213eea316f81c49bd11a8ac7196a96c5ff0c6dd4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\Qmkadgpo.exe
  C:\Windows\system32\Qmkadgpo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\Qqfmde32.exe
    C:\Windows\system32\Qqfmde32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\SysWOW64\Qceiaa32.exe
      C:\Windows\system32\Qceiaa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4664
    - - C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 404
        55⤵
        Program crash
        
        PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 392 -ip 392
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
115KB

MD5
ad48a5fc89a671e7a0d3c6289bc61822

SHA1
cda79951e1da6962139d451134ffffda20d70d2e

SHA256
ed8208d05da8c936044717a2412703e8d4ff2f93865cccc2ee530c4f238dbee2

SHA512
4c6394cc33725bc169cfed768e986bec1d51c38f7f8a372082ca00128648811c8138ed75e44433009ac2f3d47eab26174a402e5dbfee2d0bf5bdeb8f9003128c

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
115KB

MD5
ecc018a886d7d898b3694182f5f404de

SHA1
ae99e56ae5cbe2c5648ad127c29b565bfa74a26d

SHA256
dccd4dba0e74dcdd4e473d73fe160c475841d6db8258a5fa7becdf2961fa9be2

SHA512
b57cc62c53362b4c1e92607d3c1dddb444968cb568f923ce6432bf2b1876d71aa6ee790542e41339bb589fae96e3500ed19368251e7309033aaf2d4acc2325c2

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
115KB

MD5
cf2e967eec51f69a3254b94e625cc09a

SHA1
dcccc3de589f21f8361d0863833b5e52cc06aa03

SHA256
2f42774411f722f87eeacc47d59af6a380b877badff129e13d60049cfcdfbab5

SHA512
90037d2e6d91601e53c7f318aed83fbd515a84fb9d9635d60e1b4067599a645895525a42e652bb1485112699e517342cc8320f5190c4d6bb6da4021ef46f97b4

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
115KB

MD5
864d705e12c0fd3a1cd98a87d3d69c4b

SHA1
023dca446a3349c888e5037e62a41e58deb77e6c

SHA256
160238c27ddbda3212ddaf32a02b9661c6f9e9b1a201d03e0cf5b631bec501fa

SHA512
b657f48b81e86540a09f6c4aca949ed6396547f6d9f3fbb310170ed7673c7809eedb0e518807e814b21a4354482581856b1f58b63cb6acb241e22fb33814e3fc

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
115KB

MD5
ef164056ef91d45ecd86cc62213a7d22

SHA1
943ae910fdc592c992690b4433fc01bce0038117

SHA256
2045b063fa20ced5389c75a00e6669ba319148441bc3cdcb6530ba45551b90b1

SHA512
cd6fedbaf3fb686330218ec00063cdbc71f7442315808a613ace5d11e663229e124de0d10579868e39143aa5170cb6078366d78d5dc3a449309a0dd772ca3a16

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
115KB

MD5
a43ef9f32fe16b8e7a81c4c63ee04360

SHA1
a14bec4a682024b2188c0c52f4cf2636db02eeb6

SHA256
c244adf0a5fbe5fef38eb5dafa63121374dc34e1519cf1d16c3629f9a9142c25

SHA512
e85484d7454fce4d2066818af07a1637c59e3a7c8807c82bd0daca13a8bae3bba582632034d7bcad5058e2d6a505904bf152396302b808841d25b280fe3d90e1

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
115KB

MD5
83dfdde79d99ea8251883ec74cd40105

SHA1
ec49a6d88348a674a8a6cbc51d66243d329f04e1

SHA256
a641846ab72b774a99f69e93f169d159c1d5e8359a55f6997cf5cc2a07083ff4

SHA512
17f2df4ac12ff777f3753d1eec2cab9bd66b437116981812a47065ab675ce69df5e9177ecbd04271b4f4f016bdf862100e0fd5d3bbb956328a8b4f872cd3395c

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
115KB

MD5
74585616313486a864b9dae610bfe1c3

SHA1
408d50cb2506a3fbb8e585d93120e7eda9629b99

SHA256
610d07f97b579e898fc3f708e3c8f75e6f598c096f8c1943c4dfe05c84bd9f7c

SHA512
ff522b5bdc69991af81459525a9cf300159e3d4d50cda605446bf0e5fd62680e90dcace245715ac056de452a31f2e15c0a4a3805225d2a1d270275e7f2a9ef0b

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
115KB

MD5
212a3c6e44b776bd5370dae08070563d

SHA1
b2689631d38c3216b50e5c861e2f64320a4ee02f

SHA256
326b095751fd6d402f14194ed5be54ebc48e5c46b7a139943de1ab12352da841

SHA512
a362bec66979c4ed55c9c22f419d1e130d10d6d0f7af2f49d75afc35cf4674a45f7470d8c474218dba2e55ed821c2ffd91cf16eea870e54bef736a24e66e7792

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
115KB

MD5
41060e29dca36f83efb24c72db837d01

SHA1
e1b4c5bcee543dc8cb790cb61bac3fe8fe5e842e

SHA256
b96a6736eafd51fe029d54a15523a825480276abe353fadf3ccedf7b81942580

SHA512
9717ac96ccc5879129f8132558799ec1be77348feb45c2370f4ada046e53e342097c8d391e2894da5d7dda6ce9002d1c2d1f4d37db599e157009a6521d46e974

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
115KB

MD5
ec1028bcdbcf354b857cae5ced35f40c

SHA1
6c196ab17bc9d1cc76ba0fff7d773a0cf6f99f69

SHA256
b38d0072128f41e000925bd6d26dfe518cae2affa91b2bc447ff28fda2a53b0d

SHA512
89da2f018d401238ccfb2d26c455341f0497d5273f3f1b41beef9f239a3e486782fe7913ee8e8fd3c19463bd8a842f259451f09d39e7a5fc209e29a653c78480

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
115KB

MD5
b9fa20120e1bc62c79375bf3e5546e52

SHA1
5b5794fab5c2e9becebec78e0d02ac0c3eb2264c

SHA256
4761070bcc82b8f56ab1446a5bd9e564d3aca9270fa05112a7ea752cbe6f176e

SHA512
e9c584795af7c38facdf510acbcacba150f444c32872543765be99e8a80b91be03e85bc24324eb626044d1932bbcabfb7b2e310f4e0a307d8aa3b06af3935470

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
115KB

MD5
74000b6df5b5ad07d01b010d371a1f5f

SHA1
c1a0421ebd6248f1d728ac50a76c21c66b26e9b8

SHA256
f7884e8a7efcb06fee0aa20dcf5cb1665a4d117f3efcc88f302f6b3b7f3a9289

SHA512
becacd0aa8ef2ee2aa624403ec0611690303778d457efb6236be6bb73bcbba3ea4eab197594f6a9ce1c0796499c39fcf4eb2b2b505681284714d9d8c302728a6

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
115KB

MD5
3ba85c9a322052e35d0fb4d460143d43

SHA1
3a88373a25135d0ef3827713eb945401a121fdb7

SHA256
f007ed66cd4c2ef0db1725f3efa43453973f6391476d86381dc770d7636bd7df

SHA512
9b60187e996d5b872ebfdda1f9e2fa5c383a33b86ac481cd73585667a64540917e1dc033dcc8355d11bc6832bdc4fceb24435715baa21d920b8992b29035768e

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
115KB

MD5
e3dc54866680216578d6536995aa5044

SHA1
cc93b7aff0fd6d2f6de9b1e06a0bc94b9653d198

SHA256
8b2805d81a2ae251213df02f4980abf8076983c531002d7bc95a3a33a301a264

SHA512
21f3eb8046705b61419d5876d18f9b57e375e8d5068821cf0b301810cc382475c6f3e40bd2907c2c5eef0df42b904899b8fb28e93af2faac1f7dfc7dca8550da

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
115KB

MD5
a8fe4ed373ef0e948056751c0617fc0e

SHA1
1749c8bf6a4d099317c29229e7894bb187971831

SHA256
cb60223eb14acff37b4bd5a79c64bfb17b75cc6a2c9b208633946756932b35d7

SHA512
abae1a3b6e0d81e7cc2e3d5063b8c7d04fdb87c1c7568b8e5fae44b13e23716f301510c56c4846afb801a8a6952f7c6528e298b630fd1eb31faca4def3cad102

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
115KB

MD5
1f7525614bbef8c1169f1734d410c1d2

SHA1
480f78b7e9047de63047f4db4ea42f9557f4b27e

SHA256
3cd81c66eee92ce41378021148901824a469c46ffd1fcc271cb2db0afaad7732

SHA512
f1473852da5e07fee013d3afb2dd3155d1275f9b12b2439f75a891d28f70e3cdeedd6c863f8eccbe3cb8f476c8a8372f87982850aebb40188e901b69c16a8f3a

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
115KB

MD5
13e9df5a075045137ec46b94e822bb2b

SHA1
ec07730559d4e94510e62c4431ef1e455fb6eefa

SHA256
7773f5aa6584774f6db62a1dbdf8862dd96fb809fc08aa993a7bb65e8f038662

SHA512
80ad4f94cbf34876db0df2b6da9bed23b8db9d799b3241ac02d4d5c3029cc86dd6501a7fd8aea1526fee08c9cde48f6b25ae987f701bb4f70948310eaa1f63f1

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
115KB

MD5
eb03a5593cdc03d14fa808cdcbfc2410

SHA1
5d52394ac72cb38363d047f03fc03dfda51be905

SHA256
bee7ae93f92dc29363947f316ef7ac14f6f54c25499d0bda9321b6ec9e780299

SHA512
15f1d4bc5d37a02483f8f14a48a666c8acc6a1a5a2159059713bf29110b360d51c18a8143b0ed4de94fee7fe2b0b29b416d7714486930b7ea3fa6ae174aadd4a

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
115KB

MD5
9fc7d56782779a509e3836a97addb811

SHA1
d6e28de6ee0e916900c282b0ed5472630797aa00

SHA256
d7bb6df8487d17a4b6aea7091a93875b67415fa72ad7bbccb2f7118663e2ba9b

SHA512
ad308f1e39f0ebbc5625a9a6d0ed48fd4ead1347a8ecd26d6ab79c7b919296bb2559cbeb1c3c2ac0878a2c0009a17ef507d258d3b39d51d9c843b2a17d680c10

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
115KB

MD5
25a68105a5d6be243ed624cd43c8f9be

SHA1
aa10cfdc2acd74eaaca2cd103659bd8ac086eef9

SHA256
a92895a0f3f625765154b572389276d5bcb4e78ef4c74f23223b51c22c782e74

SHA512
e6bf1c3f93d64b63a2fc852cf37f75927b56922ecc91c74e9f70ad769c23df47d4edd6e59d4eba004a8457bc7eff9df5315eec443c30619a4ce3969bebadb47d

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
115KB

MD5
802e413518d710354c5bb4a905523ee5

SHA1
42a4f352d94d3d8e2bc7df3b923353224a92eeac

SHA256
5ecd59dcaa52aa2536456d0a92f2e2a01cf3da6e6e606b8dfcff09247e3d97e2

SHA512
52cf65dd14c694e4b04c12f3f4c10d54dded4c7a94bd60a63cef53461b8db60f9ce41acbc7a79342c2a763f3eb172b741399acfc8bbbd8a25146bc163ebc458e

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
115KB

MD5
8a6b89e31cd97bede4af79b4c583e196

SHA1
b56eb60d2b974653b1ca15a16ac9fc1994fb33f0

SHA256
93df9270e81587fdb6322075efaec686a9b805f137c3e8961fb7699555df071c

SHA512
e49b6b7326ea887335971d20dae34bfdacecff0fb9289c3c1b5c361b8488037200570405d1b03996cec310960ddcaff722e5f17c1a9f50da10a1af64ac23c8cc

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
115KB

MD5
56c878e9f59580e939069e38e45f9f68

SHA1
b2f4db30546cd33b286ba74e297a01c84131412d

SHA256
aa3fa58ad6f68ebe32f1fd47e38575a763fb636d7b16b34beee5aa4b0d68486e

SHA512
c618b9b263a261efc567b369f2296481d394dbb3fcccb5e138cfd9cce06a0cecabaf9f8ac07258f0ac718be029ac7f1ec96c86ea06301f58783689c95c5f6b50

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
115KB

MD5
b3a01158f6bd25c6465a947e771dc222

SHA1
e25c07642ecfcb2d9bb37cfdcdf09acac07f3552

SHA256
2b12308854de4e459199b12ae2ff684d96694b3978f3be8d930d7323372ba89f

SHA512
cbd568d28f0b48bced94129aa06fcf11259691a39d1774ac7f374982f9014a51a263f4bd2a93a4238e45c0119588c9f5f8e01dec87a917e6d596107c99c94932

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
115KB

MD5
dce008c7adaa630680079df4be2d14c0

SHA1
aed8710fc62b508c92344962760a34da4c75d4a3

SHA256
e4948bbf23144ad966e13d441c31779db2954c4b04bf5eec1544a76b45d6646a

SHA512
799f63b0b799ab76ebbb3cb252f69b69245694d476b5bfe2e010331ac472d788711bd5573eddf85995f30947e1c67ff579fb2c6f4df32e828ebefe08d4d50922

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
115KB

MD5
c38cb065c4c818d651e8ea997463b3a1

SHA1
39d128b72056c13163f8b36e715ed68f83625caa

SHA256
47d8c88ec05ea454d0510e509478a4523ffddbc607058c1197f4945315e6c64f

SHA512
36f81e43ac5d0701789d3d340a05a35fb1f8ae7cef6b276ac27a87afed1a9205f2bb3d4356b410b9a3adeba8eef05967afd0fe1221b5c0355dc7c835a4ed5628

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
115KB

MD5
2390ed9e3745b56a35161f4e5117d33a

SHA1
0e605eb11f27d6e5bca09c9f366bc1fb921f3b0e

SHA256
eba1ef2961d444aa9b9af8d419a7b68ca39dd8da651017d958de256f0dc66dfc

SHA512
55d5aab8ed8a284f48056e5fc2bc5af45424921187583cf9052a3b5bd58124961462bb2a176748b2cd652a14e6638f94047f10f2c6f575a1d073eb46a7af11e1

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
115KB

MD5
bcbaa935e6049b43141c9d0b17572128

SHA1
2ed4fe8e8fad2efc87b3dcadf8c1bbbbcde78762

SHA256
a68df6550b65e4ec70ba6b9e4efeb69cddbe8acf0986c336d92d53e0023d77d2

SHA512
d9b1e8e48cd77e3c6bc88f300c381556c1705d21a06f2763d0be8b123bd3ba07face6252c312a610787bc50067fd2e3781d79b4a9d1c8e0f1fd876737f8a3c98

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
115KB

MD5
85f11b73646394720fc2225e8761263f

SHA1
58980d083244d0e583e00f210bad8689b1d74adc

SHA256
e9d63a84d5ebe5b4f44afe8641d5d087741de6c8b7e58380e3cf6ac21fd1aaed

SHA512
7bd4d3dc164562ebdfaab55cce281261212ecafe817230eb5d1f5256d7ace1ab8469cacca6ff7e72c1b37dc75c72267db0ecb9bdc7567ba90408731dc4ddad10

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
115KB

MD5
1e2f62e956fca4eb0675a1018ecb5b9b

SHA1
029437df16f53030f1762192217dea7b01f79c4a

SHA256
f05de13828cd50de22ef36c3c3a5b8971966afdf0bcfad956eb0f91ab47fa010

SHA512
cfbe489c934edc40f02db5563e930a201f3627e60c4793714444e3388469032e397a83c69a47ad3a3797cd0198597e5edc0f17b3be32ebc857c953884eef4e9e

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
115KB

MD5
dfa2e527056ea0bdc8be7257c644f053

SHA1
d102e473f9c284f0441836025886b045b077c193

SHA256
c26d35b353727a188c9e1fd4f13b1961f50466d54ba127b372e044e410738dce

SHA512
5cd5c31ee04d60841ce28fd8ca8cf4e2e1e03cc8a3a764fb439b01fdbc4712707cf8ca9c4f6a2984f72935b6dad7d0bd6715c602c8bfa99a2419e74c8278a7d7

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
115KB

MD5
c3aac46333ec7dcaabbc44f07c48e424

SHA1
3bb6a8735a71dadedc49ad3d2482a929e6d6da93

SHA256
29dfec14e20e10617303412863bd4a271e20354d107d7c380f1eab535c0a8f5e

SHA512
5f20e00b31ff7af80b23c90134d79a116979a90565013516f2522f4fb0079d4d439566eecf6905c83bf47d12898596ce223cea7dc21d794e95d06aa86ee91829

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
115KB

MD5
e0b084e686921cd30daeb7b1b61af3e2

SHA1
8a41eb0b8a947e2acb3e48d606be396eab328c56

SHA256
6de4b5ff4a265da733c59ad2d66463e293bea3b9024f16961500154497adc948

SHA512
fc917e4a5634885f1c277aa7199d570ea15bbe7f000e5e7b8830c5b5afe65f4a5d5b5bd6d800951b2afbc0dc59c3bb60ab3c6ff07807f3c9f5a81710c3339e4b

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
115KB

MD5
17c7504f2776205f986466813c9fa03c

SHA1
a3bdd1cb078fb09ce6e32a3f30ea77fe04ad2e96

SHA256
4432469582c886198d20395d2264c797df7c5eab551832be2f6488255ce7faea

SHA512
1507250ca889d4872876dd2cf8db700cd3f195a1f3288e1d0cfdccb73a40ca25d89c518f8dc9f5ea06537d266f8c8d622611b06362cdf1bb1e3a15e49ccb0d03

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
115KB

MD5
b94df7b8d6ee19e0a29c109a7cc512b8

SHA1
57879edf1a7bfde1992a295fff5c853295abebf1

SHA256
0cc3a685c46811a463c06a518929b6052bd3450767d7bf0efff5d85da3ffb873

SHA512
5bba9041c8f62315232068da566635b0bfa2e8b23932c99956de06d738eb5f836189f5d1fdd58ac5d0327bc58d99f6421d2f8391339b3e10af3c63712c731591

Download Submit
memory/392-383-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/392-384-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/452-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/452-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/908-233-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/908-408-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/932-385-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/932-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1052-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1068-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1068-311-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1084-335-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1084-392-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1148-347-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1148-390-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1220-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1220-420-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1300-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1300-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1404-197-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1472-317-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1472-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1684-391-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1684-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1752-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1972-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1972-398-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2076-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2076-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2268-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2328-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2328-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2552-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2552-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2560-65-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2560-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2856-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2856-263-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2932-240-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2932-407-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-415-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3080-419-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3080-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3096-206-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3152-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3228-411-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3228-185-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3444-281-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3444-401-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3452-353-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3452-389-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3456-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3456-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3536-410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3536-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3920-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3920-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3924-399-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3924-293-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3960-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3960-397-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-275-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-402-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4160-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4172-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4172-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4204-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4204-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4232-416-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4232-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4300-181-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4356-409-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4356-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4388-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4388-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4552-365-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4552-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4664-25-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4772-329-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4772-393-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4868-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4868-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4876-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4876-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4956-173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4988-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4988-371-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5072-417-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5072-121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5080-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads