berbew | 9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/09/2024, 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe
Size

768KB
MD5

e9ec606c92131b806c630dd0464c4219
SHA1

70944c0e016795db98d04f1e88e5fcaecf90fb63
SHA256

9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4
SHA512

c20b481db67e8533aad6b6c35cf837706c9a86e62f35861551cd1f4d83ecd6c1516608ea674aacbc2231e882b9bbff05a7762c76aeef3a3f043d7e16fe7063c5
SSDEEP

12288:MWKaFn/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KF4cr6VDsEqacjgqANXcol27ZO:XKSnm0BmmvFimm0Xcr6VDsEqacjgqAN1

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 60 IoCs

pid	Process
3124	Mlhbal32.exe
2012	Ncbknfed.exe
4428	Ngpccdlj.exe
4504	Neeqea32.exe
1064	Ncianepl.exe
1656	Ngdmod32.exe
1708	Njefqo32.exe
4668	Oflgep32.exe
224	Ocpgod32.exe
1784	Ognpebpj.exe
4964	Oqfdnhfk.exe
4888	Ofcmfodb.exe
3460	Oqhacgdh.exe
2044	Pnlaml32.exe
4628	Pnonbk32.exe
3884	Pnakhkol.exe
2712	Pjhlml32.exe
2016	Pcppfaka.exe
1452	Pcbmka32.exe
2660	Qgqeappe.exe
4736	Qcgffqei.exe
4356	Aqkgpedc.exe
220	Anogiicl.exe
2872	Afjlnk32.exe
1952	Acnlgp32.exe
3060	Amgapeea.exe
1324	Aminee32.exe
3648	Bjmnoi32.exe
3352	Bcebhoii.exe
2952	Beeoaapl.exe
1884	Bmpcfdmg.exe
4560	Bjddphlq.exe
1408	Banllbdn.exe
3312	Bnbmefbg.exe
4664	Chjaol32.exe
4680	Cndikf32.exe
1620	Cdabcm32.exe
1112	Cjkjpgfi.exe
1868	Caebma32.exe
4052	Cfbkeh32.exe
2028	Ceckcp32.exe
5036	Cfdhkhjj.exe
4204	Cnkplejl.exe
740	Ceehho32.exe
2656	Cjbpaf32.exe
3452	Calhnpgn.exe
924	Dhfajjoj.exe
2864	Djdmffnn.exe
580	Danecp32.exe
2176	Dfknkg32.exe
1544	Dobfld32.exe
4732	Delnin32.exe
3456	Dfnjafap.exe
4184	Dmgbnq32.exe
3400	Deokon32.exe
2600	Dfpgffpm.exe
4420	Dmjocp32.exe
4892	Deagdn32.exe
3688	Dgbdlf32.exe
5104	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Debdld32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3176	5104	WerFault.exe	142

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 3124	4844	9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe	82
PID 4844 wrote to memory of 3124	4844	9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe	82
PID 4844 wrote to memory of 3124	4844	9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe	82
PID 3124 wrote to memory of 2012	3124	Mlhbal32.exe	83
PID 3124 wrote to memory of 2012	3124	Mlhbal32.exe	83
PID 3124 wrote to memory of 2012	3124	Mlhbal32.exe	83
PID 2012 wrote to memory of 4428	2012	Ncbknfed.exe	84
PID 2012 wrote to memory of 4428	2012	Ncbknfed.exe	84
PID 2012 wrote to memory of 4428	2012	Ncbknfed.exe	84
PID 4428 wrote to memory of 4504	4428	Ngpccdlj.exe	85
PID 4428 wrote to memory of 4504	4428	Ngpccdlj.exe	85
PID 4428 wrote to memory of 4504	4428	Ngpccdlj.exe	85
PID 4504 wrote to memory of 1064	4504	Neeqea32.exe	86
PID 4504 wrote to memory of 1064	4504	Neeqea32.exe	86
PID 4504 wrote to memory of 1064	4504	Neeqea32.exe	86
PID 1064 wrote to memory of 1656	1064	Ncianepl.exe	87
PID 1064 wrote to memory of 1656	1064	Ncianepl.exe	87
PID 1064 wrote to memory of 1656	1064	Ncianepl.exe	87
PID 1656 wrote to memory of 1708	1656	Ngdmod32.exe	88
PID 1656 wrote to memory of 1708	1656	Ngdmod32.exe	88
PID 1656 wrote to memory of 1708	1656	Ngdmod32.exe	88
PID 1708 wrote to memory of 4668	1708	Njefqo32.exe	89
PID 1708 wrote to memory of 4668	1708	Njefqo32.exe	89
PID 1708 wrote to memory of 4668	1708	Njefqo32.exe	89
PID 4668 wrote to memory of 224	4668	Oflgep32.exe	90
PID 4668 wrote to memory of 224	4668	Oflgep32.exe	90
PID 4668 wrote to memory of 224	4668	Oflgep32.exe	90
PID 224 wrote to memory of 1784	224	Ocpgod32.exe	91
PID 224 wrote to memory of 1784	224	Ocpgod32.exe	91
PID 224 wrote to memory of 1784	224	Ocpgod32.exe	91
PID 1784 wrote to memory of 4964	1784	Ognpebpj.exe	92
PID 1784 wrote to memory of 4964	1784	Ognpebpj.exe	92
PID 1784 wrote to memory of 4964	1784	Ognpebpj.exe	92
PID 4964 wrote to memory of 4888	4964	Oqfdnhfk.exe	93
PID 4964 wrote to memory of 4888	4964	Oqfdnhfk.exe	93
PID 4964 wrote to memory of 4888	4964	Oqfdnhfk.exe	93
PID 4888 wrote to memory of 3460	4888	Ofcmfodb.exe	94
PID 4888 wrote to memory of 3460	4888	Ofcmfodb.exe	94
PID 4888 wrote to memory of 3460	4888	Ofcmfodb.exe	94
PID 3460 wrote to memory of 2044	3460	Oqhacgdh.exe	95
PID 3460 wrote to memory of 2044	3460	Oqhacgdh.exe	95
PID 3460 wrote to memory of 2044	3460	Oqhacgdh.exe	95
PID 2044 wrote to memory of 4628	2044	Pnlaml32.exe	96
PID 2044 wrote to memory of 4628	2044	Pnlaml32.exe	96
PID 2044 wrote to memory of 4628	2044	Pnlaml32.exe	96
PID 4628 wrote to memory of 3884	4628	Pnonbk32.exe	97
PID 4628 wrote to memory of 3884	4628	Pnonbk32.exe	97
PID 4628 wrote to memory of 3884	4628	Pnonbk32.exe	97
PID 3884 wrote to memory of 2712	3884	Pnakhkol.exe	98
PID 3884 wrote to memory of 2712	3884	Pnakhkol.exe	98
PID 3884 wrote to memory of 2712	3884	Pnakhkol.exe	98
PID 2712 wrote to memory of 2016	2712	Pjhlml32.exe	99
PID 2712 wrote to memory of 2016	2712	Pjhlml32.exe	99
PID 2712 wrote to memory of 2016	2712	Pjhlml32.exe	99
PID 2016 wrote to memory of 1452	2016	Pcppfaka.exe	100
PID 2016 wrote to memory of 1452	2016	Pcppfaka.exe	100
PID 2016 wrote to memory of 1452	2016	Pcppfaka.exe	100
PID 1452 wrote to memory of 2660	1452	Pcbmka32.exe	101
PID 1452 wrote to memory of 2660	1452	Pcbmka32.exe	101
PID 1452 wrote to memory of 2660	1452	Pcbmka32.exe	101
PID 2660 wrote to memory of 4736	2660	Qgqeappe.exe	102
PID 2660 wrote to memory of 4736	2660	Qgqeappe.exe	102
PID 2660 wrote to memory of 4736	2660	Qgqeappe.exe	102
PID 4736 wrote to memory of 4356	4736	Qcgffqei.exe	103

C:\Users\Admin\AppData\Local\Temp\9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe
"C:\Users\Admin\AppData\Local\Temp\9a032eb02863b5126b839987cbe902081c198b757b19bfc3068ea865b31a96e4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\Mlhbal32.exe
  C:\Windows\system32\Mlhbal32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\SysWOW64\Ncbknfed.exe
    C:\Windows\system32\Ncbknfed.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\Ngpccdlj.exe
      C:\Windows\system32\Ngpccdlj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 216
        63⤵
        Program crash
        
        PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5104 -ip 5104
1⤵
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
768KB

MD5
15bf0920db65771426eb678ae37af2dc

SHA1
119a34e2852c001e70d626257ed69495ce64701b

SHA256
4a659466c18aa88bcab4affd663b12593b0d90429330cffd1acca1e082a0ce91

SHA512
22dbd9aaccd076a64268bd830687053508cc960cd7b8233d6e64d08c4f0baa5d2a87add4c6a0a5602a2d64600b9a16dda5eb20197b16180cbeadcd7084782836

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
768KB

MD5
e3751b699ad8c8c1ee4934a8b01edf0b

SHA1
70e5880151ebd942bbcf4817fe77036c245590ad

SHA256
6034e652cd3b90e1c9f7be89938e5ac0c1dc76089763b4573d5530a02f244212

SHA512
572afa7e335a34b19bfc719b1310783d23e122bed06f12525466132e7a63d5889cb785614d308997ed0271b6b5c3cf40acea3060a724db27f116e098dc8aaa02

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
768KB

MD5
760b67f44c3ce1a02106d83798f37647

SHA1
c9a6dafc491a8488d07ac7697d6f97d4fb6836a1

SHA256
d98b52d67166b80a28a600385cc2848d9023bc055550f43d2752abea7fe31438

SHA512
dd20efc179d783866e940856573f2997ae34208c76699cc5bf4311465ef26b726690ac019bc897232c8ca4876fea1c7b977aa225957af2fa1be86b2d518fd7c1

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
768KB

MD5
b6f41457b9d821f8b26bee8af1aa83a3

SHA1
b17e2e2df5a324ce9c0dc159e1504659bda76a4f

SHA256
a3f14ba2f569feb40ffafd03e7710b0b2f6c03a11c3ab97a9fb7584254477a28

SHA512
35dc01e1267646b70d417090954cb8d7bc8b7a7001c41f5f7765c4ec37be4e3df453b3b062818926fb5ba98f1a460b127da0e4be49acacea3e92017654137db7

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
768KB

MD5
2fd4a3426ff991a53359138a90a6448d

SHA1
d3fd3962a79bd5b7c08d442ed76db68a380a0644

SHA256
8e01fc4e99008f66707997a962ecf34bb7cf52082190d3a38d994d2f6073efd5

SHA512
5586286a359b2ab05f366db6adb5588985c4c2ab253c5a6f360ca6110d11320b289303a08667485da32eb1cc1e534dd5ce7777cf6fd9e3c2e5004052d0888a0c

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
768KB

MD5
93d101ad05324f59fbf247e87d9d4da1

SHA1
b8fc9c6c5a01e1e72b56e4ab623b1bdd2f5c367b

SHA256
9dfb47002f10837c1b5cf9c32c074ed2c643c651bbdbc2e8ed2658646f2f82d7

SHA512
be88d97da0527bb1ddcbb27d388d39d17d2542ecd3bd08a9871ffd10c99828ffc6ba9485d04ef3d0ac1588a957a4bb9b4060262380344a300761da800cc46e63

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
768KB

MD5
81a22f7044ab8b9bc7ba89209bd556ab

SHA1
8c7a622ebe101058540279864ba494f45e6542ef

SHA256
3726fe1ab3c77a0c62cfde80d96302dfb7f4c6625f2859b9bad615971898acd8

SHA512
c9791ec4526e0cd1a5625ab558a249820c6e2f469bc000d83ddea073f7a35765bbb61d344621eeeb92ffc2c0afab8549f4919f8c2a1af217300e24bdf2b3ed8b

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
768KB

MD5
905398a14b196e10fc81c20f628330c8

SHA1
9a6d9109863d81aa36f0e918904c3e13f7d5d6d7

SHA256
04a33997d066a0870dc4dd2a8a1d75bc97bb645c78424f3da0e45dfed708fe45

SHA512
d921f9c7606cb2d6343ed3220f503719ec557281614be53d54deb190a71701e6faa5106c3e12f38967cb76b23386a622b541b514e451a8382a18062a20d33980

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
128KB

MD5
888a23f9b5d04208646711c38c46fcce

SHA1
2cd248abdfbca4de352a76bbdc084ad4d98969c5

SHA256
2640a63fe2a4f45552da5be5bdae04d299373b1c11ae98ce861970be8a140bca

SHA512
42b88ce4e3df3e3df3c1ad984027b74bb1f34d39360126b077fc82bad432ba201b2658080734919985eb7acfd701ed6dc3a7d31853a88d2cc9038c7ba3623422

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
768KB

MD5
5bbee35672d74c68d03bc1c64269553d

SHA1
c2628d8e4977b48434e236c361764b54433785df

SHA256
e744feadbd898907762c281fc87460c79607e2840d74d6827688fea908ddb124

SHA512
ed027b6e37e5bff5d4b050c0b9aed7ee710bb38e2078904523aac375b2194b8b5d83d55429a0a2f8a95cdbe76e06e4da55bcbd756ded5ebeae8a7812cddfbdc5

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
768KB

MD5
7e3977d124b6a2a00d13d8653ebb5171

SHA1
1eaa1069cfc3cda96b3fc150f0077e686f5bcb2e

SHA256
dce816e2ea7fafce47e35431cd4be21e1b6c0256ae89b096b60e0b02bcbf8193

SHA512
c8bf42a9c1f04d15edff9af3eb5b038aa4604ab89ed253010d2406f017cb4d78fd2a5c067cb266001840bc8dcd2e10dcc53e68ab11014b7b70d0abc3ce453328

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
768KB

MD5
d582eb21594843e30eb50f3413740941

SHA1
50b45e1063f67ffa9c8e297791bc2279dda835e6

SHA256
769e03e96b5012d29473dbdf845812dc1e20eb81b2f71d3478561ce8804de1e0

SHA512
bbb88a160aff2c5cfececc64959bb8f1e20eb48fc680f6bde94efa248745f3e09ed258b3cd65e0fa8101d68aaf156c0a92848e61a6dd6e16c4a79dacbaeae547

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
768KB

MD5
c6b3862da947895ae6745a6bc379d8e2

SHA1
5c211ef8653f940ae4a15e4e83b98531c458af3b

SHA256
769c08d967c650400849775669a5053b39107b6fb4b0e226125264fb74b9a439

SHA512
0ecce80739f63ac0bb7d45aa350c784b1e27bd44ccaeb313f8a9dc1f096c240ceba994411e5555616a12d22ce6365aedf6f3f0769014c1598c9272235d7c75ae

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
768KB

MD5
d20d69081f42e5cadedb2c409fb71124

SHA1
d6c99c50aaacd2c454f1fe038daf9a302daa3a61

SHA256
44b0e33f4799146dc5866cd00764945409138848b7b8ff72a925915df22f7e5c

SHA512
02cc0fbe1a4b3b19415da2ecb8d5226550d9f75bc829bf0ad75102e11970a146d5baacbf9411edc9c8a0040b77f40200dd6fb77d6fabdce9d280445474fa807b

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
768KB

MD5
8a94decf7374866ef1f205aa6faaed97

SHA1
176f70ded13fe834b4e9a82aa9b480a86c2e7a34

SHA256
b6db01db903fc153803f03f123596393fe13069b5885ead46e379f918a14c520

SHA512
7d80ab0714718f45527a24d91bea4f3659bbf7731b566e971c2caafcfc50809ab17c94fe53736e6601670201ff413a97d3a04ad79167c9be5a80b626b2c4f66e

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
768KB

MD5
e0f226579284c5bec17848ca11f81a5a

SHA1
f357de8cb920116491d0a8493d2aee1cbc60fdbb

SHA256
046b9f24fa7a5eb189f49d5e4f08565bf40eda68c4c2d76208db35be3d266863

SHA512
90d53860896f316dd5cc73e51276e5b1ae45b473749eeef231499041c5107c96b2c916c6bba9ed6a7b7a582c6afb36a56da8287f18261d1f1226906c18d7ca35

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
768KB

MD5
0eacf2b077e7e13c698f5f45f4fb474b

SHA1
6908e71e0ef1693a49000ab51c6a29529ae771fb

SHA256
52fbe53515c66d94a46c3f2e1fab8373ea577cf53a0e75d21ef8caa1ba516cd7

SHA512
89475fcb6ba290cd7b8d71de7b7126f21a18c3e1377c0d4189a23f81a1c7ef0db8107bc75fe8c6cdb081ae67f3814dc3622ac51eced8e91e04571d3aa6899508

Download Submit
C:\Windows\SysWOW64\Hddeok32.dll

Filesize
7KB

MD5
d30a51174ffd63f3e52a7b1df1de4af5

SHA1
0699ee18da66174cdab0cbb9d91444240afcb2de

SHA256
6a61de951794e6f67d4603a6ff7f8419ea26fe20938c9c918a6f526acc691dbd

SHA512
1da4bc7e38ff3cb984c5d3c5755b6478c4ad70d52ee6536a5627dcbf1121361e331ad1e785255783eae7a1b10c1597f85e869fcd621b60adeefe9677b6763acf

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
768KB

MD5
74d86e9fd92d2fef32ab6612d85f9ad2

SHA1
da316b665d8af4dfe42c864b35ec86246f39e67e

SHA256
fd6d35e3e736304e5be9822f316676fa2920f8078af30c945a7e80e6ac9e72cd

SHA512
902751b4f53e12a7203be838cceb9e3f2831e70764feb2bba04913bb39d0ddb97ad2dfdf9746003474210a23fd5cb50f78a9607aa4867c803cc3110fc9c0b04b

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
768KB

MD5
9b2dcaf804fe2b0836bb3fa1210cfbd9

SHA1
863c545e13975150bb412d5b85a75386ed3946c3

SHA256
4998f65ccbd1a2b271d0f03e35ad46121533e1b7407f32d0141932370c4aa274

SHA512
aae2467f7e2a2ebbb8ef9c3ad1e872c958892e220411d20bce133a9aec339f8ec1f07302cd9f1f400f0ad3cd0c6b75c39ff1967833c0dc8549c9e2eca298d964

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
768KB

MD5
28f606d9d05ab8b035786412403500f9

SHA1
03c7ea82086e0405d26ae368dd18a5ca8224f95f

SHA256
77a180c84471fdfdacb8961fab960dd5ed3d5f18b3f8a7c2cabb6f618ce50c41

SHA512
9f44e95188020bb92db016c5736babe7ed116065014a6224f4a850f185dc7ba53eaa19902d7cd3898dc305651406d3101c31d131903513236af5966c0aa1077c

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
768KB

MD5
0a77a8f4cf83248f7527806c956ec4ce

SHA1
8852560894c25901acc11368c881f66c45719eb5

SHA256
3f324e620fe1c96e28adfeefc10e837e2d6f9421d22e145d0488c280351c9601

SHA512
2ccee56e251fe8841880d360ce187e0f32d4c7fc30457e5c07f0f62d34096aebfb9476f8a3aa463810b4533c5b62ababf9bbf6f79a0e5519b9cf13e8534194d6

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
768KB

MD5
6dfd2298ceafe729a7d817326f703384

SHA1
d6b3656a0485fda4f2c50b6e53273dc05c7365a4

SHA256
b8f8a862342e13bc0be56fb51e323fbe8fb8708b6bcadaa395e2d7f4b4f24954

SHA512
ed201c35c638463b517beb08aa1be16cd1dfd442ca633ee328bea13a39f7b080b163f44139f40d4aaf586795c8f30285eb5d4f5e61a7b53b3b0ed9aa1b8b31fd

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
768KB

MD5
80dbf4d9549a52b1da71cb027b0c443c

SHA1
2e1b1ac3b4f0c8ebb97ed4064253b5dd02c74de2

SHA256
f20cae22cb4a4a0ff462359e160506c17bf8b0ef1fd9f56a1b8d51a082f2381f

SHA512
a7a5b9115c8df15578c50bc57291d8519afa6a704809c689d407e971b1b278db9ddb4cd560aebb2b89f745d3532d4d1bb22998031fc54210a7fde9ebb7bdab7e

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
768KB

MD5
deb39cf0a4cd86b7e536e8d1e074e1aa

SHA1
a93cc4ccbff26f7900c41045b33b0cb10a3b4aab

SHA256
916aabd54b785440e9c5513da621c79f890aa702b46adbb40a335357bc3267ef

SHA512
da11dbb4436622dc5c16fffd5b94426166b9326fecdfa8827bf7382cb98d4138869edea83ff3a0a7603be4ba00ab0f57006ae03d9fe66f441eab196ed3fffe1f

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
768KB

MD5
559bc18b3488713f85eab04310198a7b

SHA1
a349100f8bde6f98e28bd8f1a3af146028c1d2b1

SHA256
37f2e35784545bc922c8b683c58d43f03fc36bb39b663bcc53d10e4d68bc7a7f

SHA512
cfba7a366163b037cf2a73687b3a0ce263d524b6b4bdcdd4379559510568d670c8f20659b24b87c3ca10b5b1eaa581d2398efa8f308e15882192f610bcc185de

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
768KB

MD5
4bedee27288ed6c232301e86f7e2abf6

SHA1
1f4ac2222bab54db4f80d553703cc944228c7b9e

SHA256
0956faa2fec1771dc2fcaf6fd208622238e549e9af04533a5bec1ad99a1a5807

SHA512
e3b84f4caf0247dd2ff6c2a150ab7aafc55b79ab086e94f1815f37492bbb4852901c22ab47c2663962a7c6ba80cef2008b513b29d6ed49d11a539a9571f824dc

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
768KB

MD5
9b39530589ed65b56934051e267d6fe8

SHA1
4ed493108afc3c5ecd745e4df17f69ea4a16f2e2

SHA256
a6e59979f1da189e0274f5803c2abf982ee621a2e5422fda86f637d69d7ea227

SHA512
02151e2611bf8efa7c22e342d39c21aeebfcc558eab5ef9d9f7a518b73fcd43103a48c5f60d5e3815e5e72194ec5483b7980bf25016ba710e557af717e84e890

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
768KB

MD5
1be687c88b43103af44de391f90a8f60

SHA1
02e6ca2b78dbad8a96db6b5ecf6cea2babbbe204

SHA256
a675fa3e9c0f6968d14040d19d70128a47d3ac3fd7db56b773955d262c8ce53a

SHA512
2dcc1e2c600e87770e6d05e217435310166d1188f4f561bf2928dddc9ec26ddade1b078ccf4cb28febdb0d97f3646010c16e19271abc4a6fe10b59b270169c29

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
768KB

MD5
e61e02c6f1dfef9356dcd93e81898296

SHA1
664758545ef5ac6db02d6b6f209fac2f457aafc4

SHA256
1e9440fcdbcd555155ca8ce002e813ecac26fd65212568f36959700edd9e66bb

SHA512
466ddfab948b51b6fceaf737141523e223e926234085d333287d5654c41942f537cd42dcc8e44f2f449eff647ceb7cc0e9ea6b9dccaed27269c17e239c8cca5a

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
768KB

MD5
5d36a5ee85269031763197f1d21e9d3e

SHA1
c154d7cffbae519fb0adad21294fba95e256c913

SHA256
dd003c75e91418b142a7300d37c57d0b483b80ffa5192798190ef2aca3773eae

SHA512
791f7e866d3c2ce56d661e5f7aa9fe6166f13972aea22e9c1a2acad15d74d89a0aa632203225fa4d349cf9c394766b29facf044a21319f210a073d85c826c721

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
768KB

MD5
0c3c57f9fae52b50a9fc321288b59061

SHA1
4c1f173cd55b480e386fce4f8e6ab3c767804cda

SHA256
0349f114add64f418a0a772910ca29d78e35960bc897a307ae830e9f1a3b0d63

SHA512
3dd96872046dab24d3d35d422c4da6a8f851d4234a5f558c8305e5ec85bd443b6c8f1f75e3cf1aee250900ad12a08667fb3264f90c5a5c0ea6dd3f49452427a5

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
768KB

MD5
fa29f60ea4b150f7879b2a94db200988

SHA1
f12c551fda559de11beb79331ff88700e1a91f8d

SHA256
bac4c337ec5026271cc6037b43b86107da3b674739cc9e6ef2c5441307357851

SHA512
c614d6ae2e13c8a7883329c0768e5e13c01df8d43e4ba01e4af5f1daad856790d1ff02969a434935beb8d543ee5f9f53a5f90aac769673a01cb2aaa5265668f7

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
768KB

MD5
3ec82a282535caefead294a274a909c3

SHA1
16b274d517064832b6f5b70eda379087314447ab

SHA256
df61556c5c934b7284fc78064bd76f1579e642bbe19679083bba4e6f434ac51c

SHA512
cdadaa44bb2b10486c93ec38f1b707606faa7f708956512bb777cf0f601d605591fda5e3f5fdecef6461f3269f2132586ea1aa5f9f6ada549745d5f077853712

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
768KB

MD5
364321b5988aea37c78334bcfa4111d8

SHA1
641833a50304fc47e6b8b559c64d5da4a44a5266

SHA256
497c8bd8ce6693961f22d6c4b5ff33726e5dc409c677d88afaff437b0c44877b

SHA512
58e152a8d30d094491353b509d85147597ddfb62dfd6963155a904f950b5e4f3b9882e447e6a0c8cb66ecac46f2c9d3ec82099c510880f6ff2feb08006fe0d43

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
768KB

MD5
901fb8b43c56f4fc5ca84ad83b69e6fd

SHA1
960e33e0ef4723b26d9cc268ba32ee3e21df505b

SHA256
4689529e1da5ba50d8eb2cbc1321f4c5e25597f3da3763b3f2e3e645a54f5a90

SHA512
554ce613e501ec1acb9b22c7abf5982cbbcff0f8b0bf4209986774eadba8fcef7bb2d61703e643aeebc77082960696c10e057906c7e7761aa5c4c9916d979313

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
768KB

MD5
52e7f3f8635c437f4eedda854ce13b7f

SHA1
7b3e1d19e72091895418676b823745274077ae50

SHA256
d3070fe84e778cb94f0da0101fb1b9a1e95d4bbbc3a39c31761d40467db98515

SHA512
42df1d05058cbb63dcb07b2e392a6acfb0457eb768f8d088ab6bff7607f64b82e85cdd74b30414ff60ba288416b8fd076ea7825884798435f8c88c8cdf2d5fda

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
768KB

MD5
0c4093a7623159e1034aa1197c0f9fa8

SHA1
c8db0b2b4c7159441ad07175c1d18a111c3869fe

SHA256
7adf1c118bc767c33ed183188917163daaf48df34b77ff935c0a1be35336792c

SHA512
b2efc8708ab02368f4c0bf8b7d0704ffa6c8dc0f5bb9e64abdf74daef3af0475a03d7f08e907d9b7dc43cedabb7ad038b3f3da2840eeee5bd9db7bff488cbcfb

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
128KB

MD5
f2d8fa76e2001664b442d1d46eea289c

SHA1
7bc15d7fcdb42018226398cc1215d6cf7d5264fa

SHA256
3026c5ca35d93585bb29e28a28d5c41f5b95eb6084c468dcd1537c39d3a51fd8

SHA512
c75688864aadad72ce6f96bb69a2b7ae1084a2962b65443dc86fa869d86df2ffee58a77ebe602acf61e892de231a0e025ac6a786aad08ca1225aa7a790711405

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
768KB

MD5
339cf42eaf35cbf74fdbb7e2043a8cf0

SHA1
6ff723e3d5ee10828574700c7583e3f3814dfc33

SHA256
db42db983b04ec0f4fe1ede672742084115c6cea8eff68aed16d291dfda36e26

SHA512
3fa17631c3ae41b21a150ab4172923ba6dfec99cdfdb120012b4d1cd6174a4c3c23b1088dd5f1eac95ce749e92f40064fa4d8a8a9077a8a2cc787e2ce40bf1c2

Download Submit
memory/220-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/224-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/580-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/580-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/740-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/740-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-439-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1064-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1324-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1544-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1544-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1708-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1952-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2012-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2016-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2176-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2176-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2864-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2864-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2872-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3060-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3312-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3312-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3352-459-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3352-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3456-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3456-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3884-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4052-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4052-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4184-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4184-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4204-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4204-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4488-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4488-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4560-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4560-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4628-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4664-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4664-451-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4668-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4680-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4680-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4736-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4892-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4892-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4964-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads