berbew | efa7736296f6d0a7df0748147577d3df58f59419dbae1062fdbe7b00e05b4a92

Analysis

max time kernel
94s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efa7736296f6d0a7df0748147577d3df58f59419dbae1062fdbe7b00e05b4a92.exe
Size

161KB
MD5

8ea8d35f2891266f231423eb5692afe3
SHA1

985afd22d066e2ddf19ca51625612d3920bade79
SHA256

efa7736296f6d0a7df0748147577d3df58f59419dbae1062fdbe7b00e05b4a92
SHA512

1d72416b38bc3985161e32886a5c2de6348ce58d5efdb0b9fb9d7b14097416aa1d62dc341877d6bc0f4e5a7e12473929c86dae16b8742c53392339d6cd035018
SSDEEP

3072:NpjkoCJ5Sngi079rqM/koVwtCJXeex7rrIRZK8K8/kv:71C/SgX79d/koVwtmeetrIyR

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	efa7736296f6d0a7df0748147577d3df58f59419dbae1062fdbe7b00e05b4a92.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbeidl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1388	Jlkagbej.exe
848	Jbeidl32.exe
4800	Jmknaell.exe
2116	Jbhfjljd.exe
5076	Jefbfgig.exe
1292	Jianff32.exe
4956	Jmpgldhg.exe
4896	Jfhlejnh.exe
2272	Jmbdbd32.exe
4572	Jlednamo.exe
5068	Kboljk32.exe
60	Kmdqgd32.exe
4100	Kdnidn32.exe
3888	Kfmepi32.exe
4244	Kepelfam.exe
3068	Kmfmmcbo.exe
3380	Klimip32.exe
5088	Kefkme32.exe
3552	Kmncnb32.exe
4516	Leihbeib.exe
1756	Ldjhpl32.exe
2504	Lfhdlh32.exe
1524	Ligqhc32.exe
3948	Lpqiemge.exe
2236	Lboeaifi.exe
3976	Lfkaag32.exe
1116	Liimncmf.exe
2452	Llgjjnlj.exe
5064	Ldoaklml.exe
3492	Lbabgh32.exe
2416	Lepncd32.exe
3588	Likjcbkc.exe
4368	Lljfpnjg.exe
2016	Lpebpm32.exe
4164	Ldanqkki.exe
2096	Lbdolh32.exe
3192	Lgokmgjm.exe
2176	Lebkhc32.exe
3132	Lingibiq.exe
1272	Lllcen32.exe
2876	Lphoelqn.exe
2456	Mdckfk32.exe
4932	Mbfkbhpa.exe
1464	Medgncoe.exe
3216	Mipcob32.exe
1992	Mmlpoqpg.exe
2128	Mlopkm32.exe
1612	Mpjlklok.exe
2000	Mdehlk32.exe
1960	Mgddhf32.exe
1720	Megdccmb.exe
1800	Mmnldp32.exe
932	Mlampmdo.exe
3052	Mplhql32.exe
4356	Mdhdajea.exe
920	Mgfqmfde.exe
3040	Meiaib32.exe
3564	Miemjaci.exe
264	Mmpijp32.exe
1012	Mpoefk32.exe
1208	Mdjagjco.exe
3272	Mcmabg32.exe
1728	Melnob32.exe
4324	Migjoaaf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mmlpoqpg.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Bagplp32.dll	Jmpgldhg.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kcdgbkil.dll	Liimncmf.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Fqplhmkl.dll	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Kepelfam.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Bhoilahe.dll	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Kmdqgd32.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jlkagbej.exe	efa7736296f6d0a7df0748147577d3df58f59419dbae1062fdbe7b00e05b4a92.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Lpqiemge.exe
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdhdajea.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Ligqhc32.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Jmknaell.exe	Jbeidl32.exe
File opened for modification	C:\Windows\SysWOW64\Kboljk32.exe	Jlednamo.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bnkgeg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6588	6456	WerFault.exe	273

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efa7736296f6d0a7df0748147577d3df58f59419dbae1062fdbe7b00e05b4a92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoohalad.dll"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlednamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benlnbhb.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 1388	4300	efa7736296f6d0a7df0748147577d3df58f59419dbae1062fdbe7b00e05b4a92.exe	83
PID 4300 wrote to memory of 1388	4300	efa7736296f6d0a7df0748147577d3df58f59419dbae1062fdbe7b00e05b4a92.exe	83
PID 4300 wrote to memory of 1388	4300	efa7736296f6d0a7df0748147577d3df58f59419dbae1062fdbe7b00e05b4a92.exe	83
PID 1388 wrote to memory of 848	1388	Jlkagbej.exe	84
PID 1388 wrote to memory of 848	1388	Jlkagbej.exe	84
PID 1388 wrote to memory of 848	1388	Jlkagbej.exe	84
PID 848 wrote to memory of 4800	848	Jbeidl32.exe	85
PID 848 wrote to memory of 4800	848	Jbeidl32.exe	85
PID 848 wrote to memory of 4800	848	Jbeidl32.exe	85
PID 4800 wrote to memory of 2116	4800	Jmknaell.exe	86
PID 4800 wrote to memory of 2116	4800	Jmknaell.exe	86
PID 4800 wrote to memory of 2116	4800	Jmknaell.exe	86
PID 2116 wrote to memory of 5076	2116	Jbhfjljd.exe	87
PID 2116 wrote to memory of 5076	2116	Jbhfjljd.exe	87
PID 2116 wrote to memory of 5076	2116	Jbhfjljd.exe	87
PID 5076 wrote to memory of 1292	5076	Jefbfgig.exe	88
PID 5076 wrote to memory of 1292	5076	Jefbfgig.exe	88
PID 5076 wrote to memory of 1292	5076	Jefbfgig.exe	88
PID 1292 wrote to memory of 4956	1292	Jianff32.exe	89
PID 1292 wrote to memory of 4956	1292	Jianff32.exe	89
PID 1292 wrote to memory of 4956	1292	Jianff32.exe	89
PID 4956 wrote to memory of 4896	4956	Jmpgldhg.exe	90
PID 4956 wrote to memory of 4896	4956	Jmpgldhg.exe	90
PID 4956 wrote to memory of 4896	4956	Jmpgldhg.exe	90
PID 4896 wrote to memory of 2272	4896	Jfhlejnh.exe	91
PID 4896 wrote to memory of 2272	4896	Jfhlejnh.exe	91
PID 4896 wrote to memory of 2272	4896	Jfhlejnh.exe	91
PID 2272 wrote to memory of 4572	2272	Jmbdbd32.exe	92
PID 2272 wrote to memory of 4572	2272	Jmbdbd32.exe	92
PID 2272 wrote to memory of 4572	2272	Jmbdbd32.exe	92
PID 4572 wrote to memory of 5068	4572	Jlednamo.exe	93
PID 4572 wrote to memory of 5068	4572	Jlednamo.exe	93
PID 4572 wrote to memory of 5068	4572	Jlednamo.exe	93
PID 5068 wrote to memory of 60	5068	Kboljk32.exe	94
PID 5068 wrote to memory of 60	5068	Kboljk32.exe	94
PID 5068 wrote to memory of 60	5068	Kboljk32.exe	94
PID 60 wrote to memory of 4100	60	Kmdqgd32.exe	95
PID 60 wrote to memory of 4100	60	Kmdqgd32.exe	95
PID 60 wrote to memory of 4100	60	Kmdqgd32.exe	95
PID 4100 wrote to memory of 3888	4100	Kdnidn32.exe	96
PID 4100 wrote to memory of 3888	4100	Kdnidn32.exe	96
PID 4100 wrote to memory of 3888	4100	Kdnidn32.exe	96
PID 3888 wrote to memory of 4244	3888	Kfmepi32.exe	97
PID 3888 wrote to memory of 4244	3888	Kfmepi32.exe	97
PID 3888 wrote to memory of 4244	3888	Kfmepi32.exe	97
PID 4244 wrote to memory of 3068	4244	Kepelfam.exe	98
PID 4244 wrote to memory of 3068	4244	Kepelfam.exe	98
PID 4244 wrote to memory of 3068	4244	Kepelfam.exe	98
PID 3068 wrote to memory of 3380	3068	Kmfmmcbo.exe	99
PID 3068 wrote to memory of 3380	3068	Kmfmmcbo.exe	99
PID 3068 wrote to memory of 3380	3068	Kmfmmcbo.exe	99
PID 3380 wrote to memory of 5088	3380	Klimip32.exe	100
PID 3380 wrote to memory of 5088	3380	Klimip32.exe	100
PID 3380 wrote to memory of 5088	3380	Klimip32.exe	100
PID 5088 wrote to memory of 3552	5088	Kefkme32.exe	101
PID 5088 wrote to memory of 3552	5088	Kefkme32.exe	101
PID 5088 wrote to memory of 3552	5088	Kefkme32.exe	101
PID 3552 wrote to memory of 4516	3552	Kmncnb32.exe	102
PID 3552 wrote to memory of 4516	3552	Kmncnb32.exe	102
PID 3552 wrote to memory of 4516	3552	Kmncnb32.exe	102
PID 4516 wrote to memory of 1756	4516	Leihbeib.exe	103
PID 4516 wrote to memory of 1756	4516	Leihbeib.exe	103
PID 4516 wrote to memory of 1756	4516	Leihbeib.exe	103
PID 1756 wrote to memory of 2504	1756	Ldjhpl32.exe	104

C:\Users\Admin\AppData\Local\Temp\efa7736296f6d0a7df0748147577d3df58f59419dbae1062fdbe7b00e05b4a92.exe
"C:\Users\Admin\AppData\Local\Temp\efa7736296f6d0a7df0748147577d3df58f59419dbae1062fdbe7b00e05b4a92.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\SysWOW64\Jlkagbej.exe
  C:\Windows\system32\Jlkagbej.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\Jbeidl32.exe
    C:\Windows\system32\Jbeidl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\Jmknaell.exe
      C:\Windows\system32\Jmknaell.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        26⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        27⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        37⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        42⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        56⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        62⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        65⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        66⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        67⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        68⤵
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        69⤵
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        72⤵
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        73⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        74⤵
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        76⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        79⤵
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        83⤵
        
        PID:556
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        87⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        88⤵
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2092
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2380
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        91⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        93⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        94⤵
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        97⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        100⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        108⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        110⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        111⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        115⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        116⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        118⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        119⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        120⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        121⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        124⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        125⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        126⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        128⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        129⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        131⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        132⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        134⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        135⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        137⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4380
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        139⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        141⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        144⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        147⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        148⤵
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        151⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        152⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        154⤵
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        157⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        158⤵
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        159⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        160⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        161⤵
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        163⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        164⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        168⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        169⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        170⤵
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6620
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        173⤵
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        174⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6776
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        175⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6872
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        178⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        179⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        180⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7092
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        182⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        183⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        184⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        186⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 240
        187⤵
        Program crash
        
        PID:6588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6456 -ip 6456
1⤵
PID:6572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
161KB

MD5
4abcfc0f3c13f2eeadc4b2f6db714eaa

SHA1
596e22a2b681600856931faaaede622d79f6fcbd

SHA256
186b5aeb15e3f15b20c8e7c786a557ef694e36077f92c63f8c4a47bd24cfd49b

SHA512
6d4bacfc80c8ce0e1ccbf2bcd3e9c4bacca00a85fd74ba921b5c03bb098080c337c1ddb546440578d5d7d71c5be5bc40e2feb0a6c1625ae3c050085317aec073

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
161KB

MD5
1bd749fe9c7f177f7dbb00a5f16acab5

SHA1
b75d986c453a2c33c8c40c2cc0c9cba07d5c9b48

SHA256
2f4adf050c86a18f9b5ba88dfc356a523db56e29f745c2a674306d95265cc061

SHA512
e1cabeb46574c6a6725ed88b3d863c24cbb7d04860a848792532a0b4b0a4199a61ff6d71b6628d9116d2118afd23152d45eeae7be7654ba0bfc5c96dd7ea9257

Download Submit
C:\Windows\SysWOW64\Fqplhmkl.dll

Filesize
7KB

MD5
bd20a317106f41eaa1a1b10521a233a0

SHA1
339298fa73f8564c239c6ecce31a4831277dd64b

SHA256
151bc355a4fa8fa6cc599b42bcf6f37e9ceba996f3db9796954f26bc5b0a4480

SHA512
ef6e5088f395acdb91e0d3acb7f48b0c37ae7dbb3217770882ea1c9d57ddaaf9da926858927bf9ecac74cf71801319d8fcc00774fb9c6775e73b3d5711b0a750

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
161KB

MD5
cb0d210dd3af1b67284e6aad2e06147e

SHA1
621aea9db3bc367194e38d668dbbf23043a143ac

SHA256
91210babc23a3ea62576e22c4be46b4c084bc6268d7175be16916e8221143e2c

SHA512
1e8ff0c63e17f83e8d678d8e1477b920e2e56ac94e40635d6b9648073fb4c58a04b8ffa6b05705c741fdbc15dd2ad752fd585327ef69aacce12480f32a57823d

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
161KB

MD5
00282acbb3121558fd7baca4d28fbdb0

SHA1
7ed66fcb88ee30d95e653022045b3f11be2dba7d

SHA256
94ba21f4d8c694392fa1917d1604054bcee28904ceae99b9eccc443dd76a8b87

SHA512
b2327e844337d1f74d30f6936e3cfe72431b29bae9ffda61f48f216b7a8f620901a06971d274b34466d06b318cd06970bfb0a38e9df3ca31d156a96cdf2bae90

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
161KB

MD5
585ea9d74207b0323ca0ea230aeaf6e3

SHA1
3180fa5ca2fb0b2129b6bf2ef3c9d473525ade88

SHA256
b65e05d0a6b4bf6f6b89a8224605ee1be1a4f87ea82e4cdd1c31eaef5111cb8a

SHA512
a44fcf856782f81f9e442cb85dc0608ca7e90536adab31994b523ccbb1875554b7cad51764faff4bceb898710948eb963ad29d7642d675de71d26022293b0e27

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
161KB

MD5
ba7afaae6fb6d49dbdc8ee8251759535

SHA1
181b928bcb91f5d6e8d6571ee43e232f8b17b585

SHA256
310d07d495efa32ea046829aeae431da1211ec2c07b801b068f7739b996100b5

SHA512
664a7032543eb7249f16d5ca64439b59e53b1f72031bbe3ec9ffa5ef47b185c4585bf7a3fa13e8f24d1574c9d71d8536a488dcc78f81f92440281a2bdc3dd599

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
161KB

MD5
1f85aa98cd1cca1853461f15584df557

SHA1
7585bc5aa7d667df4694366ca5baf1351879f6ff

SHA256
2c751031ff3b5b550444ec9707c6a734278ab0bb0b9d827074d90bb6d2eb5d0c

SHA512
1450cefb3ad8024f509f9639df77c4b15986f36fe1b4eef76becf3c26e5f5214a8eec0cd80de2cca4a6ce4af6849c5131c7b2564b5d48b0eb432a124b9adbbfb

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
161KB

MD5
c58d5c0262b1e7df10f4ebcf0e69de6e

SHA1
38e28d244d6bfb7ded5aaef06eb4e97960c2b550

SHA256
39a6714b091879e1209028d79c357360e4d7a79311f8e38f1228ff2f0e108c3f

SHA512
29d678309ebfbd94e28a9cd5b57c5d242c78fdd05201dafef617872abf7efd5defb75add7989746fd034178e504bef5178d2b66799032e61b131e599a233556a

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
161KB

MD5
300363c6c2cb76fc6ef01a7e4932da15

SHA1
5bdf54655e5f62264852edc9c7159e4268e8b95b

SHA256
b7cc4569a0c86d36196425c3913498eaa9fc9f68f5ab9242a9619d8ab4dd4bda

SHA512
945dc0fa3714cb99410c847bab113f71045170dc5392c73a62b0aa3a346f32cee8dd73f48c9a3f55d61c8f736650cb5275de76a4db8469418a6ca43853b44c59

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
161KB

MD5
374580c7f5ca0a797b147598ceae0dce

SHA1
8e7fd14d88b64b9568c0e33801a8e05d06330a2e

SHA256
ae21a8e976e4d3abf957c474027295e5b6a537902b49b077e7f3c215becc2b58

SHA512
8ec9f59c6e32bdbac4a8b5d327fb41c675be84183aab7da70aa4a696609fb85c12521b26379aeab4d8e8aef5876c3ae961d43e99c652b1b784831c06b96b8324

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
161KB

MD5
9cad8d62c8dc11c97c62ce72c87aad22

SHA1
a853038565e104c7b143f265ccf7df289bd8ecc4

SHA256
b23ad2270c49699bd37d56d70b66c93857fd873573d7b2de1bc4adedbbf59c53

SHA512
9294e76699fb7c5915d351eadc3c7cfe73c3a576f105230d53d72664f9fb6a5088c84220cbf95e1ea7a612b72c85913e5181257ea5ec9789117130a6dd88d65a

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
161KB

MD5
a52c4c6512528434b26133c74744848c

SHA1
3955d7cf5041f49669bd5e75e3320b5d77ac1c80

SHA256
68cedd4f26160be27c6d83e0d8af57dbb34262f9277c76b346d426532e8bed34

SHA512
ba7ffe71122a2ee4bdfb5f8f36811eac6c053a4f1256c97e28618d29244a1d13094196390b1ed6e32d3bd61238b90479f2a23c70d96f24683d086b050398be46

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
161KB

MD5
2f7000761683982b94bbaa42fd078d64

SHA1
b90c9fe2d592172334c12432a6e853f4084d98f4

SHA256
29c0515dd1ef98a7f595086a06c07b5a676f1461e173b880b7460e74b18e6cb4

SHA512
0b7113a13f151178aba20cd4f47573388746a40f159fac3c434462fff9637b718d0d8e35fcab5fb2f12ec17c3773b8d6e9d7ac50913350417552818de2bceaa9

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
161KB

MD5
0716b46315de76134e67fb7ad4b36fe1

SHA1
367e84c93b8c303cf7e8727d5baecc2c2ac3d0d8

SHA256
64654a920b50f021ddf264f121ee9f4052335fcbff8832fbfc875699fb83a1d9

SHA512
2b7c4bd13ce62377d70db4be27c9831094f1eca09d429fe36de3d9a7e2549e553f5f9946cbfec74b716ce0db9df8e7dfb20f56b847e243599cad01a35e3ca537

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
161KB

MD5
c08dd5aa67f9249ffd6ae0b5eec6184d

SHA1
d316ffc2055a8a24ba86a5b09e8c28f621f7bb08

SHA256
59b59b80f8d31eab07bb0848e16603c233a8e266e48d6028621b6307c4e79a4f

SHA512
09f3a345ef7e72ac4aa94b03fe30f231cb057da90b9c6ccf5d810e78ef271096e388b99c162de927abc3793b9910a07c4ef46052cd7c62a7fe520000ca53c01b

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
161KB

MD5
1b51766236c4ebd5b998c363ea3cc9de

SHA1
15b5e7963ee94537b6b079a5f49e193f0ac3b329

SHA256
ac509f67d18ae8487c2b82761020ba5cc498a0d078bf64f26d76e0f06ef04463

SHA512
1c5e1a044ebaca323e2988fd77e5f19804bf85de3e2ca4016fc4c2c00db26f3d8031c70adb0bb1324e534220c7dc8ca1973fe8f91427ce4e5416ee35163b7625

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
161KB

MD5
466491be7c42d33e7273e6f92ce900d5

SHA1
373015ac5a2e53ac0d1e31a0242d7484062b659c

SHA256
2a853ac47c7bf587220ab3f56dde94721227140ef575ecabd15a3a3f98426c32

SHA512
6180ca13abbe553852606315c4a0638017cb656fe4c4220249252daee4395b77e6e549e9a0e29a664f77c5be5977485a20bdfed775cd7e55c4488ff67d2f1cd2

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
161KB

MD5
ec7f100238cc8e76ac2a37381b2c8fdc

SHA1
8d7496f0ae40ade5e7fa4fa49455dad41e2bd5f8

SHA256
687171205678370d43a847acdc26d49344df85158432228e759fe4104e54f610

SHA512
d0f4ccf4dbe56de9818627c49ba672bc6c770166d34cd2bdee223df4c31a83513caf954bbf62f0b8f1b92d572ab1224a8488843916e2175d24f6e4a4ab6741a1

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
161KB

MD5
622c74d03d303fffb4bcf522fe8f97cb

SHA1
1321f8955c90410e1baa734f20d0f61e476da202

SHA256
f24d18fe042f71ee76f4924490eee35a28c19471d3733cca4ecdf616c023b077

SHA512
7d50befdccb24a952ac14c1d4be27208d5b6d1d1c196f36a088fc25d815c643ea74406a0ed45a92d255e314829ac58843dc52d50c14e0eb5dfa1ce811802a89b

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
161KB

MD5
73c9ad8920c2ca911d79d61e54e24224

SHA1
e93ed939f2ae2825d39858f6d10e40d6536a7e0b

SHA256
52e8f3db98d0243afe74b595c4f452a8370edc9aba45228dccc14f2a19f5092f

SHA512
d69607aaccadf273ed3730054d6c19af5a74f8a8d542110dc5265a57146aac822714c79893a0f5124bf2eae3bb644d8ab2ec677797f9b30cf8372994dc090488

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
161KB

MD5
5b8cfdac9cfacbe73d34c9359bceb49a

SHA1
1c0cbe3173e23288795cb91ee59a0b4188872e07

SHA256
51b20855c441ccd471662f85e055ab3d35bc454855e8d5d64ba9f8a9f56fb9bf

SHA512
8b81f2d9260afdfd1df7716b54b5b91a4785509a53535084f974269dd3ed7fa1f73ec7d85b5a1c318a889e9fbd51212a02037a2c3721efeb00e17d1e63d39873

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
161KB

MD5
a80955138bc4c2de010b2e5c835b629e

SHA1
4417eff5c592f9ae1509b3cff9b10b1acd41cd38

SHA256
9e62e683d1f2f5d4d445271f986b1f8e0d2b815633e084c58aae7fb7b6b3ada3

SHA512
720224eaab613f08d60d017f904d83447fb602429b27d627e565b9e03efddaf67ef5d54b0ab83aae960f5750997f17bbe56c0d2245cfd2e458976790a0b00d78

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
161KB

MD5
4919ed57529a0641225c805c2c66299b

SHA1
41df14ae8acfb9e8f5e13a65e49ed478daf14c92

SHA256
7039eb1ad8a7b6faadc9c454825d2b42fd090942b5dfe921ec10acf2f6309c34

SHA512
e4947b025628cac2dbf9114dfe145b84ce0debf68704e9506437099a0c6b615641c16894e000658f581ff1d939b516f820ea7e7f5e50d78219e8655b26b9693e

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
161KB

MD5
dfeeb80cbd2a1f14eb024613e49ddd87

SHA1
c2e4f0b392f3c6f717b8e7bc0495f9778a055ef5

SHA256
e5cb750ca63d4c99327a21d60976eccb67b0a87589c4358962afec433331f90c

SHA512
e83040385ab68df92d28359ed762803a862cdba6081cecbda533e2406d67b562fad20b3a4c61aadd0f43ce3065165ec2b5a90f3bc53eac08c464c04ed7ef1ca3

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
161KB

MD5
a02121ae051779f5804895b228ff92e1

SHA1
abc549f1303f52ba1df7b36dc6ae0d59c5ac6e27

SHA256
6192eb9478d1ba47aaae80671d5c97fd659af190362f69bdccb6aa10f7a3281d

SHA512
7fb561640a0ff835c6d8e02301d82c6eb78a2c99770d0f984ad0c325800cf20a72502859882cccd05aa8362e2e9d3dcde01fdbaa175143440176c0a00c0db3af

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
161KB

MD5
6f6358f4ac869aee5d9a77b22d72216a

SHA1
02454235303cda2bf0293bca8926af996b075f44

SHA256
671d25659a435f1c8bb6d78c23ebdc90dda013f8223ace5f5ad7b84f50dc02d2

SHA512
2ef2d67746578d6e16f355715342052cb7d50b369cc5599cf9ec17c5e594a1f1ed99b8cfaf81e27d449e988406a0ed110416d8255c0e14af4bf23bf3db51acaa

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
161KB

MD5
547fe543ad7c2083c146e7deb311f94c

SHA1
6bddbdf2d3c48b127adfd8a51675eb284e752b87

SHA256
8a8fa6914871e744714b88212d85612cb2da10d0933842d33c91eabe51eb2a3e

SHA512
81d08e0fb3176bd7d3057fba5e36fdcc5c20c984dda5e4f41a6fcd50891bc32b81fd7d37ed00d95b66174a811216a5fa99b6059b7aeeac1e4b3699cdd79d975d

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
161KB

MD5
034a7cac5cf1135e2529c16f24e9f56b

SHA1
b461ff85483b9fd07bc2645479e008174e14a632

SHA256
7399f39be03e3272149a962bacdffea9549b6d33d0e089a6abd5e171c6477c68

SHA512
fe1c38b1cdf51f120ab6df4ccfecbf841519ff42a2d7c4f1875f0d94e9d108f6eb79bbf4eeb1a9762bf1ac7b6e868a7a86efbdacdf7fe60c380ef751b0a622cb

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
161KB

MD5
7eeae2ceb43ef7a15f6e2b5148d013a2

SHA1
b28945afc8c0c76397dc1d78097512da12715b7d

SHA256
63d5322ed18e7ddf8295adc5d46d441f69e0cb8ea4cd65b647b3946a375c0d47

SHA512
21a1f6983b0a6bf7848556fb2108e6108d7e4d582b529be9614039f9e880273ee8c1b962013e6d109e2761048709df2821d3e9be931711707a8c05efbbc72a46

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
161KB

MD5
075473ef7053a75685c073542563d632

SHA1
66520c07e89121e7142d2b88acce8a7e94249de7

SHA256
f11d25a468535edbdaad54ac7fb7aea775c72bef217c65eab9cf4987234ffb68

SHA512
bc08e7f6c3f1805e5168bd8bdbd718752223017583e8a1d58215ebab3e0a3603b6d902c843d3a4b39422afa7c5d4e968fed8790e3a9db1f407181bc39db4d69e

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
161KB

MD5
4cab8316f973e4e67cb30eebe109e954

SHA1
2a14417374af42cb47ef10c89f1566fd9a592bbe

SHA256
5ec6030258f9135c6137e51375ed5a3509906d8c26b9e9ca817a6d1dc5200fb9

SHA512
15a83a76e6411035a4c4b49ea62380736bcba12228a1bee1be8ca1707a05615f4c59c649ecbec7a2dacd7d81e716ca264ffdafad7aa7955af7b050962daad071

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
161KB

MD5
ba32a30f1a12826f918baa58fef68e0e

SHA1
8f5bbb1fd71f0c291dd98b3ce03ce9fda519262d

SHA256
a51325ec8371b70e7e1b01414b7e41ec8053dc405ee54a941eb27acd1f846ea3

SHA512
303376bcb40c90861faec76e114f1c5ef61eebd65b8767149ebc217ab5e3a2ce046850d29908294469aa702499180ee6e0b777b7e00146d0f3059b84032f7257

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
161KB

MD5
a123ffff184471a0698360d5c3819ef2

SHA1
e5992dbcc79426f0913e56653edb14d7ab92c98c

SHA256
405f589245cf5a65569da21d27e77e1d1da8d8d7f27161d2c0174f434c634adf

SHA512
66e4f74f45e8a855371823322dc7df7fcab0003b749fa54ccad78583d1f5cdcf45ce5c70f0da86536d77fa5f30484ce4be0f9ac80cb8f74c32c14b0c3a78fac8

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
161KB

MD5
b173bc4b50c1b983d1f70a37c46a747a

SHA1
61dee30d6c55eb7cffaf5e8ced0f95e8ae74f4e1

SHA256
e6e410714aca1efc8f673cfe0c505231ec8058640065895efef0ef4601df139e

SHA512
592800727c4dca531a521f01a43cba5da3e4d66d810247319af3d0daae7d3adce0d5d65eab05e6bc7ab9082ae5b032ed896d3a208c24b2b14f15fae77bb4d65b

Download Submit
memory/60-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/60-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/264-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/628-525-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/848-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/848-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/920-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/932-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1012-446-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1116-235-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1208-453-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1292-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1292-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1388-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1388-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1464-350-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1612-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1720-393-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1728-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1756-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1960-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1992-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2000-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2052-519-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2096-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2116-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2116-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-218-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2272-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2272-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-244-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-513-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3052-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3068-140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3132-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3192-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3216-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3272-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3380-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3380-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3492-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3504-531-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3552-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3552-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3564-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3888-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3920-489-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3976-226-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4088-501-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4100-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4112-549-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4124-543-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4164-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4236-507-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4244-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4300-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4300-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4324-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4356-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4368-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4488-482-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4572-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4572-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4912-537-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4932-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4956-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4956-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5052-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5068-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5068-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5076-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5076-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-494-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5088-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5088-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads