berbew | f7cacd72396afd00eab29308ed2b216349d4b47a14d0921d6870bacb97b2422c

Analysis

max time kernel
110s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2024, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7cacd72396afd00eab29308ed2b216349d4b47a14d0921d6870bacb97b2422cN.exe
Size

96KB
MD5

c5c81bbf14da3fa08c7ba1962556f2d0
SHA1

1689c493586867bb7f0ab9de68d91999862305f2
SHA256

f7cacd72396afd00eab29308ed2b216349d4b47a14d0921d6870bacb97b2422c
SHA512

350143a5562a96abbc6f217c4b0ec6287b24907ca5bbf8d34494bb61a9d7e304abe9f353ae01557244a3ddbaa00f970e4d8edd5a8b6a46a330258b2f60b029d4
SSDEEP

1536:I+oWxmPvu3rbjsseZjB4ERR+F2L+7RZObZUUWaegPYA:IvWeIbsZjL+2+ClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jojdlfeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjblje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iehmmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnfmbmbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doccpcja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbmohmoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gghdaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmjfodne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpcapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihmedma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llqjbhdc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfoann32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebifmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hppeim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddkbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgmdec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iialhaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbhoeid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlmchoan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npepkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkcndeen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feenjgfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimldogg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f7cacd72396afd00eab29308ed2b216349d4b47a14d0921d6870bacb97b2422cN.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3344	Iomoenej.exe
3232	Iplkpa32.exe
1908	Ieidhh32.exe
908	Jcmdaljn.exe
3568	Jmbhoeid.exe
468	Jpcapp32.exe
3740	Jpenfp32.exe
2216	Jebfng32.exe
3804	Kpjgaoqm.exe
1412	Kjblje32.exe
4820	Keimof32.exe
3768	Koaagkcb.exe
3156	Kflide32.exe
5056	Kcpjnjii.exe
220	Klhnfo32.exe
1616	Kcbfcigf.exe
1492	Lcdciiec.exe
1084	Llmhaold.exe
2936	Lcgpni32.exe
1552	Lcimdh32.exe
540	Lmaamn32.exe
4876	Lnangaoa.exe
4328	Lobjni32.exe
4652	Mmfkhmdi.exe
3824	Mjjkaabc.exe
5000	Mjlhgaqp.exe
4600	Mcelpggq.exe
3052	Mmmqhl32.exe
4056	Mfhbga32.exe
1560	Nfjola32.exe
1152	Npbceggm.exe
2124	Npepkf32.exe
4180	Nnfpinmi.exe
1952	Nfaemp32.exe
1548	Nagiji32.exe
3032	Ojomcopk.exe
4584	Ocgbld32.exe
4676	Offnhpfo.exe
3208	Ocjoadei.exe
4220	Ombcji32.exe
3128	Oghghb32.exe
1020	Oaplqh32.exe
1856	Ofmdio32.exe
928	Pfoann32.exe
3048	Paeelgnj.exe
2488	Pfandnla.exe
4868	Pnifekmd.exe
4108	Ppjbmc32.exe
1164	Pplobcpp.exe
3420	Pmpolgoi.exe
3296	Pjdpelnc.exe
3304	Pdmdnadc.exe
2240	Qaqegecm.exe
3772	Qmgelf32.exe
4200	Qdaniq32.exe
4392	Akkffkhk.exe
1156	Adcjop32.exe
3652	Aagkhd32.exe
4044	Agdcpkll.exe
2492	Adhdjpjf.exe
1220	Aonhghjl.exe
3244	Ahfmpnql.exe
2384	Aaoaic32.exe
4272	Bhhiemoj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Paeelgnj.exe	Pfoann32.exe
File created	C:\Windows\SysWOW64\Kadpdp32.exe	Kiikpnmj.exe
File created	C:\Windows\SysWOW64\Oonlfo32.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Ieidhh32.exe	Iplkpa32.exe
File created	C:\Windows\SysWOW64\Oaplqh32.exe	Oghghb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Cocjiehd.exe
File opened for modification	C:\Windows\SysWOW64\Feenjgfq.exe	Fkmjaa32.exe
File opened for modification	C:\Windows\SysWOW64\Lchfib32.exe	Lpjjmg32.exe
File opened for modification	C:\Windows\SysWOW64\Mhjhmhhd.exe	Loacdc32.exe
File created	C:\Windows\SysWOW64\Nqmojd32.exe	Momcpa32.exe
File created	C:\Windows\SysWOW64\Ajhapb32.dll	Momcpa32.exe
File created	C:\Windows\SysWOW64\Mmfkhmdi.exe	Lobjni32.exe
File created	C:\Windows\SysWOW64\Ckkpjkai.dll	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Ojqhdcii.dll	Mcfbkpab.exe
File opened for modification	C:\Windows\SysWOW64\Nijqcf32.exe	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Ojgljk32.dll	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Dkpqlc32.dll	Fkfcqb32.exe
File opened for modification	C:\Windows\SysWOW64\Lhgkgijg.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Ofblbapl.dll	Fgmdec32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdehlip.exe	Filapfbo.exe
File created	C:\Windows\SysWOW64\Geoapenf.exe	Ggkqgaol.exe
File created	C:\Windows\SysWOW64\Lpiaimfg.dll	Ihkjno32.exe
File created	C:\Windows\SysWOW64\Ihbponja.exe	Ibegfglj.exe
File created	C:\Windows\SysWOW64\Mmmncpmp.dll	Ibegfglj.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Fqbliicp.exe	Fkfcqb32.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Ehenqf32.dll	Ddkbmj32.exe
File created	C:\Windows\SysWOW64\Flpoofmk.dll	Fkofga32.exe
File created	C:\Windows\SysWOW64\Jifecp32.exe	Jpnakk32.exe
File created	C:\Windows\SysWOW64\Eiidnkam.dll	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Lcdciiec.exe	Kcbfcigf.exe
File created	C:\Windows\SysWOW64\Aepjgm32.dll	Nagiji32.exe
File created	C:\Windows\SysWOW64\Aonhghjl.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Cnhgjaml.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Koaagkcb.exe	Keimof32.exe
File opened for modification	C:\Windows\SysWOW64\Offnhpfo.exe	Ocgbld32.exe
File opened for modification	C:\Windows\SysWOW64\Mablfnne.exe	Modpib32.exe
File opened for modification	C:\Windows\SysWOW64\Aonhghjl.exe	Adhdjpjf.exe
File opened for modification	C:\Windows\SysWOW64\Hppeim32.exe	Hejqldci.exe
File created	C:\Windows\SysWOW64\Kflide32.exe	Koaagkcb.exe
File created	C:\Windows\SysWOW64\Pmpockdl.dll	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Kocgbend.exe	Khiofk32.exe
File created	C:\Windows\SysWOW64\Jcmdaljn.exe	Ieidhh32.exe
File opened for modification	C:\Windows\SysWOW64\Koaagkcb.exe	Keimof32.exe
File created	C:\Windows\SysWOW64\Fkdjqkoj.dll	Gnpphljo.exe
File opened for modification	C:\Windows\SysWOW64\Jhnojl32.exe	Joekag32.exe
File opened for modification	C:\Windows\SysWOW64\Lpjjmg32.exe	Laiipofp.exe
File created	C:\Windows\SysWOW64\Ncpeaoih.exe	Nijqcf32.exe
File created	C:\Windows\SysWOW64\Fbqdpi32.dll	f7cacd72396afd00eab29308ed2b216349d4b47a14d0921d6870bacb97b2422cN.exe
File created	C:\Windows\SysWOW64\Oeeape32.dll	Bacjdbch.exe
File opened for modification	C:\Windows\SysWOW64\Pfandnla.exe	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Cjceejee.dll	Ppjbmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dakikoom.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Iehmmb32.exe	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Klbnajqc.exe	Keifdpif.exe
File created	C:\Windows\SysWOW64\Ibepke32.dll	Keifdpif.exe
File created	C:\Windows\SysWOW64\Lcimdh32.exe	Lcgpni32.exe
File opened for modification	C:\Windows\SysWOW64\Lcimdh32.exe	Lcgpni32.exe
File created	C:\Windows\SysWOW64\Ocnabm32.exe	Oihmedma.exe
File opened for modification	C:\Windows\SysWOW64\Gaqhjggp.exe	Gghdaa32.exe
File created	C:\Windows\SysWOW64\Ngcglo32.dll	Jaajhb32.exe
File created	C:\Windows\SysWOW64\Iimcma32.exe	Iogopi32.exe
File created	C:\Windows\SysWOW64\Emlmcm32.dll	Lllagh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6208	6728	WerFault.exe	278

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jppnpjel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kheekkjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llqjbhdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmjfodne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aagkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Filapfbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hppeim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocgbend.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hehdfdek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieojgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllagh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjola32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nagiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekcgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejqldci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gicgpelg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jojdlfeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klndfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjhmhhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpcapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbliicp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modpib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npbceggm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnfpinmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbbajjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiikpnmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofmobmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pififb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcelpggq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghghb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egaejeej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkfcqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkmjaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Geoapenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhnojl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhmbdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieidhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbhoeid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcdciiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edgbii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfpell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbnajqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iomoenej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enpfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpjjmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfandnla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgmdec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hajkqfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmfkhmdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbmohmoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iondqhpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkofga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggkqgaol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iolhkh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbldphde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifenan32.dll"	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqiibjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geoapenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpahkbdh.dll"	Egaejeej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkcaoef.dll"	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglpdp32.dll"	Kpjgaoqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dakikoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmlag32.dll"	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbaa32.dll"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaajhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keifdpif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojehbail.dll"	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbmohmoh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haaaaeim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jppnpjel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klambq32.dll"	Fbmohmoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhibfek.dll"	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f7cacd72396afd00eab29308ed2b216349d4b47a14d0921d6870bacb97b2422cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqgnfcmm.dll"	Eqiibjlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focanl32.dll"	Ekcgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqbliicp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feenjgfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqppgj32.dll"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Finnef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajbghaq.dll"	Hajkqfoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koaagkcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedckdaj.dll"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfefigf.dll"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll"	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdkcj32.dll"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaeocdd.dll"	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneall32.dll"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klbnajqc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 3344	2668	f7cacd72396afd00eab29308ed2b216349d4b47a14d0921d6870bacb97b2422cN.exe	86
PID 2668 wrote to memory of 3344	2668	f7cacd72396afd00eab29308ed2b216349d4b47a14d0921d6870bacb97b2422cN.exe	86
PID 2668 wrote to memory of 3344	2668	f7cacd72396afd00eab29308ed2b216349d4b47a14d0921d6870bacb97b2422cN.exe	86
PID 3344 wrote to memory of 3232	3344	Iomoenej.exe	87
PID 3344 wrote to memory of 3232	3344	Iomoenej.exe	87
PID 3344 wrote to memory of 3232	3344	Iomoenej.exe	87
PID 3232 wrote to memory of 1908	3232	Iplkpa32.exe	88
PID 3232 wrote to memory of 1908	3232	Iplkpa32.exe	88
PID 3232 wrote to memory of 1908	3232	Iplkpa32.exe	88
PID 1908 wrote to memory of 908	1908	Ieidhh32.exe	89
PID 1908 wrote to memory of 908	1908	Ieidhh32.exe	89
PID 1908 wrote to memory of 908	1908	Ieidhh32.exe	89
PID 908 wrote to memory of 3568	908	Jcmdaljn.exe	90
PID 908 wrote to memory of 3568	908	Jcmdaljn.exe	90
PID 908 wrote to memory of 3568	908	Jcmdaljn.exe	90
PID 3568 wrote to memory of 468	3568	Jmbhoeid.exe	91
PID 3568 wrote to memory of 468	3568	Jmbhoeid.exe	91
PID 3568 wrote to memory of 468	3568	Jmbhoeid.exe	91
PID 468 wrote to memory of 3740	468	Jpcapp32.exe	92
PID 468 wrote to memory of 3740	468	Jpcapp32.exe	92
PID 468 wrote to memory of 3740	468	Jpcapp32.exe	92
PID 3740 wrote to memory of 2216	3740	Jpenfp32.exe	93
PID 3740 wrote to memory of 2216	3740	Jpenfp32.exe	93
PID 3740 wrote to memory of 2216	3740	Jpenfp32.exe	93
PID 2216 wrote to memory of 3804	2216	Jebfng32.exe	95
PID 2216 wrote to memory of 3804	2216	Jebfng32.exe	95
PID 2216 wrote to memory of 3804	2216	Jebfng32.exe	95
PID 3804 wrote to memory of 1412	3804	Kpjgaoqm.exe	96
PID 3804 wrote to memory of 1412	3804	Kpjgaoqm.exe	96
PID 3804 wrote to memory of 1412	3804	Kpjgaoqm.exe	96
PID 1412 wrote to memory of 4820	1412	Kjblje32.exe	97
PID 1412 wrote to memory of 4820	1412	Kjblje32.exe	97
PID 1412 wrote to memory of 4820	1412	Kjblje32.exe	97
PID 4820 wrote to memory of 3768	4820	Keimof32.exe	98
PID 4820 wrote to memory of 3768	4820	Keimof32.exe	98
PID 4820 wrote to memory of 3768	4820	Keimof32.exe	98
PID 3768 wrote to memory of 3156	3768	Koaagkcb.exe	99
PID 3768 wrote to memory of 3156	3768	Koaagkcb.exe	99
PID 3768 wrote to memory of 3156	3768	Koaagkcb.exe	99
PID 3156 wrote to memory of 5056	3156	Kflide32.exe	100
PID 3156 wrote to memory of 5056	3156	Kflide32.exe	100
PID 3156 wrote to memory of 5056	3156	Kflide32.exe	100
PID 5056 wrote to memory of 220	5056	Kcpjnjii.exe	101
PID 5056 wrote to memory of 220	5056	Kcpjnjii.exe	101
PID 5056 wrote to memory of 220	5056	Kcpjnjii.exe	101
PID 220 wrote to memory of 1616	220	Klhnfo32.exe	102
PID 220 wrote to memory of 1616	220	Klhnfo32.exe	102
PID 220 wrote to memory of 1616	220	Klhnfo32.exe	102
PID 1616 wrote to memory of 1492	1616	Kcbfcigf.exe	103
PID 1616 wrote to memory of 1492	1616	Kcbfcigf.exe	103
PID 1616 wrote to memory of 1492	1616	Kcbfcigf.exe	103
PID 1492 wrote to memory of 1084	1492	Lcdciiec.exe	104
PID 1492 wrote to memory of 1084	1492	Lcdciiec.exe	104
PID 1492 wrote to memory of 1084	1492	Lcdciiec.exe	104
PID 1084 wrote to memory of 2936	1084	Llmhaold.exe	105
PID 1084 wrote to memory of 2936	1084	Llmhaold.exe	105
PID 1084 wrote to memory of 2936	1084	Llmhaold.exe	105
PID 2936 wrote to memory of 1552	2936	Lcgpni32.exe	106
PID 2936 wrote to memory of 1552	2936	Lcgpni32.exe	106
PID 2936 wrote to memory of 1552	2936	Lcgpni32.exe	106
PID 1552 wrote to memory of 540	1552	Lcimdh32.exe	107
PID 1552 wrote to memory of 540	1552	Lcimdh32.exe	107
PID 1552 wrote to memory of 540	1552	Lcimdh32.exe	107
PID 540 wrote to memory of 4876	540	Lmaamn32.exe	108

C:\Users\Admin\AppData\Local\Temp\f7cacd72396afd00eab29308ed2b216349d4b47a14d0921d6870bacb97b2422cN.exe
"C:\Users\Admin\AppData\Local\Temp\f7cacd72396afd00eab29308ed2b216349d4b47a14d0921d6870bacb97b2422cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\Iomoenej.exe
  C:\Windows\system32\Iomoenej.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\Iplkpa32.exe
    C:\Windows\system32\Iplkpa32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\SysWOW64\Ieidhh32.exe
      C:\Windows\system32\Ieidhh32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        26⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        29⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        35⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        37⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        39⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        41⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        43⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        52⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        55⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        62⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        64⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        65⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        66⤵
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        67⤵
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4544
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4576
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        72⤵
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        74⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        78⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        80⤵
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3552
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4080
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        84⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        86⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        97⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        98⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        103⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        105⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        109⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Hajkqfoe.exe
        
        C:\Windows\system32\Hajkqfoe.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        113⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        115⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        116⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        119⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        123⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        124⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        125⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        131⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6400
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        149⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        150⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6636
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        152⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6736
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        155⤵
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        158⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        159⤵
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        161⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7092
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        162⤵
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6168
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:6228
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        165⤵
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        166⤵
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        168⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        169⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6680
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        171⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        172⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6968
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        174⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        176⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        177⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6596
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6904
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        183⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        184⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        185⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:6728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6728 -s 400
        187⤵
        Program crash
        
        PID:6208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6728 -ip 6728
1⤵
PID:7080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adhdjpjf.exe

Filesize
64KB

MD5
f0c22374bd4a62530542e52394793b0c

SHA1
0a2431e9c448f20aed0c514af69e4fe0daaed5f7

SHA256
7a3b570eb168cde7971018bde21026de26c2d4b4308919f5df300e30e1465069

SHA512
a87a68ec60ce2390b7912a5f135884cfe7d29dd7520ef841d075a139f346c32a2a3b6bd10b69b6ac2b2093915a64aa4b374fa7f5184bd01e07da833b273ce11b

Download Submit
C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
96KB

MD5
ccdfaea27b4c62e0de0042323f42a9bb

SHA1
c5b6a66d1777dbb008e79f3b8f4031b14c273704

SHA256
61d89bff00d31cfbc65726af03a2daa5669b5c10d441cea4905f325099b53156

SHA512
d4c6f427fe423b7974cb0c69e0ace63733f976787fc176ecf5920fc820ee02efa4010e3791ced99651407698e12cafb9c5a412db22fe72ceba54273251826213

Download Submit
C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
96KB

MD5
22dbb407b29e37a4bcdc31fce6ae7d15

SHA1
9edd1e4ef30169f263c2481785732bade54647ef

SHA256
680554a4ba24c1bc5048cdc5525aa9f6ddd20d5efd0cf04510368998a4bfdb8c

SHA512
0ec9c70571a6d95b5d00a81089e0749dbbb25a9e16ce3f5e536f2acff49f174619ca468bf443184dd1fb0bcc767ea121403198d40f3be8cf673d5beef7b28793

Download Submit
C:\Windows\SysWOW64\Bdojjo32.exe

Filesize
96KB

MD5
480b4e8fa8dd57149c0a91a22db3911a

SHA1
2300299d1899ef93783fd21f85756bb6cbe141c6

SHA256
59bf2cf8dde10909f9a43dce0c3e6bec58b921f69466330f0012e0e89965aad7

SHA512
920e51e41b53754b1473eee0982aad482c43f15bb95cf2c82552058e16bf2354f5630bdd44aadb11d0955b699c12d24f222aded6fdda83a54decaa51a931bf52

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
96KB

MD5
7d57b44b6542002940e399f89756e0d6

SHA1
cf7ffbb2ce43e840200daf65684a37ce8b11fc62

SHA256
8e4cb9c81e763c24484a70fa59ecc62d471f1786ea245393435ce9385197e1c7

SHA512
1070ec560d78259c852a5a7a1f0c18e417c94ef046920991b03cc33ae53f2e099328219fbf2bd86d911d19acdde31bcc27dcf9c3010a9d515bcf6ecf5ec4476c

Download Submit
C:\Windows\SysWOW64\Ekcgkb32.exe

Filesize
96KB

MD5
74a0392abf59590b42e76b0a62939d68

SHA1
4732c42260634b0e70f7d3a9555b5f449d1b692d

SHA256
c5a3b1710e711ecdcdfd32b48af6238193ef8a7fea043d1838f197829effc311

SHA512
2d194b44730faa842bec5bf85d4b450af1a2c5006071dad0b081510614d186ff25997b0d88bfdf1531289b643d9afa8fd41899affdd1bf712bd8fc9c03a04bd6

Download Submit
C:\Windows\SysWOW64\Fkfcqb32.exe

Filesize
96KB

MD5
f6fc41328b66f5bdb13b89fa9a91b373

SHA1
74b942bcb9bc72db9938b8656567ae0a74613a29

SHA256
5426245de8775222f37c3ff3179dcee91e550c183cea71e260eeea69e9ac0bb4

SHA512
1ac497ef37c436fab3e6af2ddb7fa01928412d9e381d64f5b06d7dd60ad14894f436546cd418925ded8ffd1ac0f2c74cd3215f17729b82261bd6cb955056a251

Download Submit
C:\Windows\SysWOW64\Gnpphljo.exe

Filesize
96KB

MD5
1d94d7d6ce1855153593fdddfc3b8c45

SHA1
c5699d75bb9824d113b5b40f589f3b7e65851c77

SHA256
c6d82c86b58f60eeeb1f93f92d937b2f629d1e210925ccf3b7973e608eb76678

SHA512
cbef88dc90dc72c67f022ddab2dd65187cb3f42e506ec4a6e1d19e9f98022949fe91eb4053b9dd107d3ff0e04cc32f63e4eca41531ddd5835e57d5516321b106

Download Submit
C:\Windows\SysWOW64\Haaaaeim.exe

Filesize
96KB

MD5
b182c787fed2fb32739218a4035330bf

SHA1
b6711f289c1a51aef2a69c2838113e9320e32f68

SHA256
2d43b2f192731344d0bc4f0c3c43911a51acef01c7a50924d2912a7bbb099c1a

SHA512
f216b68c3c2b46849f00abd9a7e96b450ae9c7f24f2fe313c509ce809783d15aa737eadc37441a52b24c5156be262c840506270f17b865811302b0191e8e823a

Download Submit
C:\Windows\SysWOW64\Hbldphde.exe

Filesize
96KB

MD5
f5a74919b5dd7840e57d829f8e4fda0c

SHA1
e3020d021ad75c6171af90f9f947da38b2535a49

SHA256
0e48cb9bde6c1470b8964e4421b082a0583f4486d52e931c02924ebd2acf82ed

SHA512
7b3ea92eab0e024419959b3ec54b799ec7d91d239a96abc9081152b3931cbbc97ee1b67cf8ffba4da8f4c48f6e7e7b3a0d3424bccf8266ad424f821e3e5f7a0f

Download Submit
C:\Windows\SysWOW64\Heegad32.exe

Filesize
96KB

MD5
ab591900ea1c28664e6b261e23688462

SHA1
ba1dff20dd31f3cb74786c0e53f76616fd4c1194

SHA256
38d9aea0a818e517cef34c72d5f798bdfc884813359f8cb0200acb5cbe7cd961

SHA512
5cbaa8487af1989ed4dfd1bb5310c40c92af3bf3e5649ef50b99ac9f816235f8c6a32e4886e660c82086470488cb00c7480c986f93b324fea6189d0a0868911b

Download Submit
C:\Windows\SysWOW64\Ieidhh32.exe

Filesize
96KB

MD5
ea026e0458289f0dfeecb956ffd9bcb6

SHA1
d3fcd6ade0627da747fde8558f33c1ae5a5f9f67

SHA256
8e0ae4f5a4bac9ad9dddd81415a11829bcef48aa80aa1d2089d4a2e330b53768

SHA512
baa6119d173b653178acb92be541ac17449dc2404fc657a5bedaf69d91e5fa3feb658d2a144996200248a7ce96fc7f536392f06327459d56abf5a9ff4753bf00

Download Submit
C:\Windows\SysWOW64\Iogopi32.exe

Filesize
96KB

MD5
c36294952398b6c2e4fa533a03013a5a

SHA1
f1d451e99d3d5c7d6da20b6cf5f60f5e677e996c

SHA256
e274d3d55c246ee502126dd8e1af00c2f88602852b3837a2ef7afc60f562b34b

SHA512
df41807370ffd3de8309c17020963e448585956005e529bbb043b5a4960b81e4e47d3db9cd043e810c1448d66902d3b437e0e30d9937cf2f1da90a80196ea65a

Download Submit
C:\Windows\SysWOW64\Iolhkh32.exe

Filesize
96KB

MD5
65dd96a32b15fdfe361f383ebcccfbfa

SHA1
af9d38942bfdb19f5c7efbc3a725f94bb0c5a370

SHA256
5d720ae17951a9e38092d65721a9fc12295ec40d8a1567aecf05a31915ffe9f0

SHA512
3f87bad2c27fc923b1276743f3edc85c9b817df8113fb3d5c0db3503fa6086a7b23549bcbe2118c1aacee050eff1fa3652f85a2ff166ee81f2cd774a0d98d058

Download Submit
C:\Windows\SysWOW64\Iomoenej.exe

Filesize
96KB

MD5
2a0f3bf663ee1f717783f2146e242dab

SHA1
df9ffde1ef61d367d5cdc5e177411d7781759b89

SHA256
d2f3f5580ab8e2b3bca7d1aa54447b48bcdac44db7e216ca83af2e2cfeb303a6

SHA512
f09cda6b3b775b8f6864e75cccbd4ba09c5002027d86a02d0225e4f7537e678fdae2c8df28d523c9a06714edd1e99e08b20886135ebbfb8f19a0c5bd2f2e7c81

Download Submit
C:\Windows\SysWOW64\Iplkpa32.exe

Filesize
96KB

MD5
85801fa9d8367a3a70f10aebea0fb7ff

SHA1
9a7e7fce573e0b850159c7ce2554e742901306ea

SHA256
839f771d3351763564c8107de07de9ef16657aafdaff46950ed30718fd7c9b37

SHA512
51fabda5f8f25ae0370359ddef221f21283015d3bdf100001e94e728849684295b4ca96baecd407adf1260bbb2fb5eb71bbb1def856a4bc931ca870559a11c9d

Download Submit
C:\Windows\SysWOW64\Jcmdaljn.exe

Filesize
96KB

MD5
aa922680802191641fc7ef5705664f25

SHA1
92a53669c4dfb75ac43f8d9c31200ccc9d528d7f

SHA256
fc8b0f9c487d83f5b60a29782f6b15b94ddb9eb25dd935444e3974c71c000532

SHA512
c3a53980f16eb3e4907c901e12d040a9ae95c3108ce59ab3eb6841b6503b810465ad44d2c5bd9951b53e6b8af6913edfa04160e73c25196603d833907baef3c4

Download Submit
C:\Windows\SysWOW64\Jebfng32.exe

Filesize
96KB

MD5
ae2a453eea2f27a2a14dfb3bd073465f

SHA1
ba4efad46405b53204de853777772688daff1d47

SHA256
08b3c6666ea0112c4ca4fe857e34a1037bf90f4fb2775aa0aa30dd4630503443

SHA512
0c8940b68632264880a75e6259bb9e55fba751832df9948d96cb3bfd9c59884ec60520954b5695d996dbc0ad16f3b72a00414133d6436b4dae397170c7f52290

Download Submit
C:\Windows\SysWOW64\Jmbhoeid.exe

Filesize
96KB

MD5
2a67eb39d6679390ba5481431cb316f0

SHA1
2ff8e1d124b8c1019e3e9ccab57434f52c4d1342

SHA256
23a324987199c8d7c10f0c1b41b8bc8c79d7be42260d52e06430caa91c828968

SHA512
5b36238951e24cd92775a8ee7b57bfcca28f72468aa3de9069aa7fd520bd36d5d59148cbba7546ae32909ffbada61b29de2b73900223526b4fc76ff6a2d19cf7

Download Submit
C:\Windows\SysWOW64\Joekag32.exe

Filesize
96KB

MD5
a5b8ae088137a3175f20857c1ac973cd

SHA1
062ab5233f1301b24fd00d1873e27f7749dae66a

SHA256
e11431f0e170bca7f161c241add0584c796248d6bf8bc199eb30d7cad55ec8b2

SHA512
5b867bf6f708f1ab0366a3f3c86985165779e4266a2859f1ef4602b36094c8cf3c0fc8c74ae840a1c8f4b31a674400d4c2b5bb4303aa67188b86c965c6c61d48

Download Submit
C:\Windows\SysWOW64\Jpcapp32.exe

Filesize
96KB

MD5
288f9cef54c843d04170d61aec56fac6

SHA1
7fbc86bf65a9827c5a9306bf3e287c19e39f4fac

SHA256
9f91e9ceb6b3e5afa818c11b83d29cbdfa7033717d89d5b7d705f90e7dc17956

SHA512
6918b88dc579ef912df71b37aeab76e1ab9c9cb164c27638e9bdeab93fc40a727987a0dc93d692be2c520814a3b12309a3361f317a6781f254ff86dc6e5b3343

Download Submit
C:\Windows\SysWOW64\Jpenfp32.exe

Filesize
96KB

MD5
e0ad04109e720e7409f7dd84d3068c4a

SHA1
fe9861ead93b924e8e9ccc4e6b72db9abf99f8d0

SHA256
d06dbceac4c63cae3140b7360063bd813b0efd8d2b2a8f2baff2c0896f528633

SHA512
b1ae950525552be8b30906b6259b0254d9c8e3c28908f46246849abd9a4900921dc1727660be39f650b526497c2c3e7ae9979143190dbff996f84fec5748d0f7

Download Submit
C:\Windows\SysWOW64\Jpnakk32.exe

Filesize
96KB

MD5
67875616bd4b1e378135bd6b137e02a7

SHA1
5f60e1883c06fe8c267cb7cc0fb26072503f91b7

SHA256
d72d70fc2902941e04e7c55797f4d9828c5914edb44d58dabfdd943cf60e43b1

SHA512
f805cd9b6c2d63639a302fcc4b9d45b4830207e0773457263fd2fc5a74650499688c75ef7c2f78b648f37328194dd34d0d1ce3450c3ec3bca683145d3d87b568

Download Submit
C:\Windows\SysWOW64\Kcbfcigf.exe

Filesize
96KB

MD5
046eca4e7a853eeaff11cb58b36d1d82

SHA1
74c18a8c5b340251bb0d721a0aeaa1f3527350c5

SHA256
50938d7f9a6026f187a4dadd547504cf02cbb1080bd0a42eeffab6e4890e4517

SHA512
c26f82f7ca8e38368738ba2581686fdb20b9ead927b03c00782388535d03d9270022d963da7fc42b52f6bfd9bf7172befde2c49005e2f25943ac7c562c06cc13

Download Submit
C:\Windows\SysWOW64\Kcpjnjii.exe

Filesize
96KB

MD5
efbbaf1deb658699cf367e986181cf6f

SHA1
1c5238cb03ecabbcb193eec9cbce9cc9375c9fa8

SHA256
6825075e8c16adc704c1dbd31d4ee40d3b0b304fa9cb80d67ac21465dfb1a88c

SHA512
ca4d643c074f59cebcc507ab845deb6c327a2ea6fe873fd59b699a2ce24a71648d5b866f84d7e531335706498843034a71a77e813de8da24152457e22795b6fc

Download Submit
C:\Windows\SysWOW64\Keimof32.exe

Filesize
96KB

MD5
3155c4eadea5acc46f39041cc7819124

SHA1
9be04ab0fc8c69707399d183544b014368dc1630

SHA256
6e09619b9266975c14a478824f308c8a5b5288355d70860e3b13f06e0f0c25a0

SHA512
160aea1bb774e0142b114f5322b548a77971a020c857ff5d843ea9fee1ac6f4e2160e1fdbf78c335ec531f4e756baef359e8fde32b980bb4aa2958d04e4a76f9

Download Submit
C:\Windows\SysWOW64\Kflide32.exe

Filesize
96KB

MD5
492034238e869979a51a0a565a0ef505

SHA1
97caf5a7ef3ed83d14fcfb18f008df89c511447c

SHA256
89da56a81d95047819d840cdbb04a86c96bfffc6302b231d0f9d4a4ad7a784a0

SHA512
9d965a36ff38020b44351fc21a5dc10ba3b4fa0e8a669a64b106f8314897ce51753b0b4e0b9aaa874bbbfc98b2ae9f89c095d62fafd72d158d5809d63014afbf

Download Submit
C:\Windows\SysWOW64\Kjblje32.exe

Filesize
96KB

MD5
8b1c24123947540cdb07e213f69557d9

SHA1
cbe218a597bd256b7b2eb20457d4aecf47c7b170

SHA256
786de940d546f23eb01318f7d05f038f774b27b9fd01b71876976c90c9dc5556

SHA512
028aaa9ce0b66f048c6f5b1986ea5394219506ed599218007ddcb69c343b0d127b2f911ba12c0c9a848ae278b4d026aa9040d5e364aeab3151483a5736db5e48

Download Submit
C:\Windows\SysWOW64\Klbnajqc.exe

Filesize
96KB

MD5
b7f37908edb3f4c7f7b63a66f6b64e63

SHA1
3db567c7cf97c5f40a47334cf669f7495f3ff115

SHA256
a8729349d44d82e86482aeec0ed9de487f9937a5501c4cdbfa6e17c9cb87cd2d

SHA512
21b1bd6bdb14a1ffb317d2774b8680913c218547f2420eccc2eed6095e5fbde78e28d819b9e4ede1d8c63491b67a36d5cd75dc47fc2a6991c4a68ed068a2e86f

Download Submit
C:\Windows\SysWOW64\Klhnfo32.exe

Filesize
96KB

MD5
a02dc570b2f798af95b657eda736ab17

SHA1
9c7408e49e14e895d7ca917039d12843213e8a76

SHA256
2389828518dc69c2886a662fc77e7c11139ea1e3f7911c70216fb02c060c996b

SHA512
38119504da2aa81aae92e0b66261c3beeae97609952ca8efcd803401816814d604fcaa99240b49fb54c00bc90ab670f7a957600d79cc6bdb14c33a9894643c60

Download Submit
C:\Windows\SysWOW64\Koaagkcb.exe

Filesize
96KB

MD5
16321e29c0231e7bb733d2225caf714b

SHA1
94b01474426de2957bd16828cbbaefceb82df1d5

SHA256
97e3eae03f48654f9d2aa4129e60bce439dbbf19a058a440d6e4abaae6b7639a

SHA512
4bd96b6d32e7b89fc4d05165c55090f93675690bfd5287e35a158c756f82a05ffd39f7606b2e528b02c8d51ce00b1c39d601cb0edd7b4cf24e285ef2ae69325f

Download Submit
C:\Windows\SysWOW64\Kpjgaoqm.exe

Filesize
96KB

MD5
a659bd3bd4983f44331fcb43c04de8e7

SHA1
f70b4cf5c2c081295897dfbc685ec52a415c8164

SHA256
059bce511b7dec945243eea23c183f15b82ee41d52b04e0879471cac0dba1027

SHA512
cf35b390399348ced115b842b6c5a57fabb3a132ef54a13e37ce70f9631b8deeff68ce5db2a3886a4d8a70dfa22e413df9d939493a7bac7cf3eea60412347c56

Download Submit
C:\Windows\SysWOW64\Lcdciiec.exe

Filesize
96KB

MD5
1bded281bc0f7132cb23e4b641d9fd1e

SHA1
a92dd3a3c587cc88dcaeaadcec07a838e4b102a4

SHA256
0676e2befae46a023f0aaa2be8c51c7eece0d4b74ace54c693950cc3e97e7759

SHA512
689f7056b890bf27416b3f097dd24cc00603252110b40f83582a37875a3da4c605f75d5d863c23abe54fcce03d76e3a7044a0f1fe8a9b3d03fafaa208afb8ac2

Download Submit
C:\Windows\SysWOW64\Lcgpni32.exe

Filesize
96KB

MD5
03b28e22e7e241938da481a4edd266ac

SHA1
0170f1a5d4441d2d9d9076d7adbad00539c34b91

SHA256
813f2451c3e9d0191d5a3b43700b5926ad161aa5bc4f36644cc5f9a468ab1b99

SHA512
08ab7edec0be9b2cbed0d6bec0b6918a847f1b02b2cbc96fd74087db28a17a589a92d85f61288120de117302bcca139ab6847629e8c29653cc7f191793d15e0c

Download Submit
C:\Windows\SysWOW64\Lchfib32.exe

Filesize
96KB

MD5
0fa0ae75c6bedf83d0cf0a70d0d880fa

SHA1
555cec7c476eaadbf3ee5ebee9a44e41ff320a53

SHA256
381f36f8b0f3d6d7e4179f816c747b820d85800aa0431a86538a534752a40260

SHA512
1e75c84edb9fcde07e63202a2fd417d18d82a74909364372e09787fe5698704a076fa3463070d889dce5c38ac172c5ea9539b0e37771823ff206f5f4757ac637

Download Submit
C:\Windows\SysWOW64\Lcimdh32.exe

Filesize
96KB

MD5
c7dc0a035f14dfc90f87d5294fdbd24f

SHA1
6c908fe314fe1dd86c9ac11bda6a953453210718

SHA256
9cb2202f5c83c433e26d9453e00b1b5af664e1652082985042781645cf88fb97

SHA512
c720096c1aca2890ae10dc1a2c3772b77a689ba5afd53a2385764778fb4773a423139d54d0e4045eb48dd26b9ad1c31db3cec18d365542524814630f362c9b1c

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
96KB

MD5
8b8522251b71628762f9dce849f9da14

SHA1
8a3e165acea3d1a817a39b331aa2fcab4f075dde

SHA256
00e9e9cd154101f3f7f305958d3730cfb23eaf28231a39a8343c3f4b7665cd3d

SHA512
c7b8f82c09a95f69af23c660f0a4068d0d52cb7c01dbf76c1f1a9e6f254cbb98c50ffdd88e3ca8557a15745b6f46db124f962d5dc410bb75be80141c4c965576

Download Submit
C:\Windows\SysWOW64\Llmhaold.exe

Filesize
96KB

MD5
42aa8b50f700ed379f22357c42a949a0

SHA1
d2f456cb0f855b7786013ee2e99b262631d43af5

SHA256
16e0a8595a8a098810928e2ff1c170d7df19de69bffd680df7bf5d9629e6bc78

SHA512
6cd2b19cacd9d4b2f50cdba1115f4712ac12ccf64f95ac2580bd48e00a3bcdf0f779db922fcff5879bda12841fe35c109c5df0ad40061bbd6674b1a81da42111

Download Submit
C:\Windows\SysWOW64\Lmaamn32.exe

Filesize
96KB

MD5
4fd82b9d92f626b8cedbb4e9e3c15373

SHA1
d648ec8939a1aca3c66fd144156a53ddc84b345a

SHA256
44045bc75677a7e8197cb26d296daf83c79865b1bdf400ef95a257beb142d0e1

SHA512
c7826094e443e4c25e13e8fd85a67728d545d95cc435cd97414fd117a6af9f2a92e69620a340c62263a2ee86e90ece70b7f4da6603764611140aa4d0f8b41116

Download Submit
C:\Windows\SysWOW64\Lnangaoa.exe

Filesize
96KB

MD5
8a193acb3fc9e7fd6f9127d5e56661af

SHA1
d0806241262f1c8ea1a008b952a3e0f1e908a5ce

SHA256
75e59ced163e9eb886d627321a2ff8a546a9c0e0b94bfdfe8b959cbf38282265

SHA512
90b7dced567d82b3cdf77a31bd31148a1f1e8213527420d99a3f100c10596bbff5ac9815b5b36761e9d3a0a37fc6af5a89328f2ffcab283e94fd232941529f98

Download Submit
C:\Windows\SysWOW64\Lobjni32.exe

Filesize
96KB

MD5
944b9fe218fd8ee8edc4f96728d62372

SHA1
bc61febe38fcee97b9267c9afe4021c788cf9c4f

SHA256
b5cda24f7b38befe9f3dbf711c8c1fbd3c66f55dbc9840b1eae08427b0ab297e

SHA512
a8e9b915cf8fd91e8f6cd2f517e65123835d5c15c784fe50fc81c6640e48247a1fe8d970f02baef05589800ccb0bee13f94302dcc6e607a94de0357b49eb3835

Download Submit
C:\Windows\SysWOW64\Mablfnne.exe

Filesize
96KB

MD5
4a459fd0e0d769181fd78ec86c975f90

SHA1
0684e80b6f65f7b4eb4dc93e6204769c6381081f

SHA256
b26af13de4fb7f22cf18c46d5d13ec5373a662dfe203a06d17d9f98edaa4e7e3

SHA512
9d8f11f9906fde63478f5b004a3ddf9c9634504d3b527532ce8683c20959581f225ae594edac7324757223abc7b4c01ac72f16398b8610d93e04907c625ac925

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
96KB

MD5
0baebebc108adeabb16bbf565ddc2459

SHA1
10e2b6daa522322c9ccb37674fac006ca2c4a834

SHA256
4890a6bab80142ff36d3f91e39c190204d2628749070f0a210ac5f7836b9ed61

SHA512
c87987c521d75aa185568f588a3b578cd8b392879f3d4549ac63a53624391528c4b47e33af0375e06517908a11abf5ca7ed7cd5197cb673f1b8a828033774362

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe

Filesize
96KB

MD5
f229abfdab8a61d37ca7132ec78dbafe

SHA1
b8dadd597fe701adacd13dd62e4e0095ab14bc6d

SHA256
fc27582c901c05fb6789d3529cbeb3e46a62ba01a2b061fcbb1b39d95c27c267

SHA512
74b3a7d7e03dadd2f4d1f295a3065c2a5165285ee155281d44cc221777c3d1a9391cc850d4a059a02687eb1251a9b56581a213a6915ebdacd620d1c9b8747aca

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
96KB

MD5
b6c8e67a6af10003c7aca9a3c29814cf

SHA1
ce2474bc68299ffbbdfe59e7dfd5e3efebb38d9a

SHA256
c48c9a9cc6798f6d5d578f36b9883e054625ec483cd3c2adb08af38c4eee84db

SHA512
4c66a8edb168d26b3107d61eaa0550f81bd8951ba5bd820f865c7141e938d915329fb32f486a43807e4ad352a120f74685556227b727ba5e17cc8fa69756446f

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
96KB

MD5
33db17f8583188ef6d21b62da12f071a

SHA1
2c940be367baf04c2358f3fe0c8e1341e6f86eba

SHA256
08875cd9dadcc06b42da3b0f5035efd6d29db2876ac8970d103a3640d367cc3c

SHA512
95c91048f6df826484a09c99a1d5be8a676188d4dcef14364d99c82eb054c8e1fd8af33c474ba1421d51653718082b0bb947d089c95cd40536a9a2ee3632a3cb

Download Submit
C:\Windows\SysWOW64\Mjlhgaqp.exe

Filesize
96KB

MD5
d1db792b202fa9d49d090f3bef4e98c1

SHA1
dbeb3036969e60db79dde4f1af72ba7ec5806728

SHA256
7fb0837c7f1458f5d372f2968dbc4072e2e8df9aa61e19005711f782fa934fb4

SHA512
bf1c7bb99bec6fb3755710544808562329bb0bb16b17c270c0efc85c30a3ef23d95fdfe28fd285d4aa4110882dab201e4a91cb7fd9a8a7b59f4fa0ac739c62cb

Download Submit
C:\Windows\SysWOW64\Mmfkhmdi.exe

Filesize
96KB

MD5
8f64a0faebeb7254fdbeaea36b43b8ca

SHA1
e9038f795d587c30d82440cb8f488e1df363de0a

SHA256
6c85156d83630db645b76be4b1d5046d6c5755b7833fe121a73f9abf3e97468a

SHA512
864cecc57dbbd87f92935966b99a8487305bbaf78113482a7c2cccba7b5b08d355975744d2a83805e9c4b856b7913a813cb253968fac53754928be18d36c7bad

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe

Filesize
96KB

MD5
b8fbc25f02d8fba1f8ec943ab07c61fb

SHA1
c84f493b9679e33574a9536bbd304f93f554eed8

SHA256
15ff5492f58fc3ca9a83c157d1ebeb4320092446b928ecf3c2aa986252d84c27

SHA512
4da355573e0e744b68d5213168a622bc8d67bed6d48b24fd98611f54e96706f2137708f640a1563fa4769740ac70604b3555e2233a7b634ce576ea6e2a876c2d

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
96KB

MD5
16b6b0e07b6b89960d90dae3f16a1640

SHA1
e81437780c4b0f810115b6204f11c011a7a6831c

SHA256
e795bcff4077cddd8ec08562ac31171374ef22e2e7c9fdb3e1b5e790d1b837ab

SHA512
e27638fb98e09ef99ff46d82dec7ef7d36145cb17d0c0cadbd56b1f22839437ebdaf330e26302aab2a281bccea323f93b59c9dcf797cbd426435338e2bc8b120

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe

Filesize
96KB

MD5
698ca722ee5be38e3aa556220abdeeea

SHA1
3ec5bfb81fbc008efc855a8d64d15ada80434f71

SHA256
331d633ea660298c5b772ac90eae7808d5b706c9ed980b988b26bd51b2bf152d

SHA512
6bffedb4e1f8af8d434098ecf2f4431de1671c765bb37a5af40a98a337ce97c94a885062690e607623ded9b10930429785c1433f87089cd8af92e80e609c1861

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
96KB

MD5
618a9790fd898722a9654f3363ddd567

SHA1
152a0a9bfcf34f89e50f33398b46cf6f675faff6

SHA256
4e639df379113f50b31262ceda9d620516df581efbcaba86c4d7c561f1e89357

SHA512
f9409edc416bd151e616abcf4c04bb6b80eb5a7a256bfe99eb9bcea2c72186214cdf3c0729c54c52e1eb6a48219b46bd8135b319d046e9e463a98c188486f2d0

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
96KB

MD5
357b8c43a62f71a391791eb44300ea74

SHA1
b2798b0218bca2d5f623e4f6371c99ee9535cbd5

SHA256
eedc7b8ea82d22611f2b08e34d749efe840d97cb0e342aef8520a7b1d45b10ae

SHA512
2d5cd70031765164e3c7adcab3cacc1fcf55f86cd63b964aa81323d1707326acde47b546a482cf16af885d0a534782af5e239a0ebbb0c81d7d2dc691076e31e0

Download Submit
C:\Windows\SysWOW64\Pmkofa32.exe

Filesize
96KB

MD5
911919b5ebd54b279e6ea84d2cd9e247

SHA1
fa728222df0f8d44ebe4090743872579494605fd

SHA256
8a71fedef5e50c736c24c2a89420f7b977a05336ddba8a3078dac5207b78030a

SHA512
e563f5f59e95f4efaf8e78e8a553f12270495532470f854bbe82a82efa09d06a5e3e14de233bd389ad5ca754e5f16aad571839e04dacf547e23076cff50556e0

Download Submit
C:\Windows\SysWOW64\Qmgelf32.exe

Filesize
96KB

MD5
63aacefe1a89070c3fd24481e468be12

SHA1
489acaacc578d644c1ff8e00d71165cd86aebb62

SHA256
2d43a804e94465d9a866437678fc861b6e130b9d539a286878cbb5f3bc037d26

SHA512
cf6ccb6878598e1d2a104ebb1d9932a74cc04206c4c40a9b619fd4b0f0ce6d9920f718c59983058704b870eac50f3305aa5ba83c142bfc483b57fd1ef0c8e265

Download Submit
memory/220-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2776-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5148-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5224-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5328-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6728-1308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6904-1315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7088-1316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads