berbew | 4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe
Size

320KB
MD5

ca8b81886f50abd274c8f9d9044fae7f
SHA1

7b76c0f8225ebc7b395a1cf484516f4f107cd900
SHA256

4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31
SHA512

e08239262250fa6cf0b6cb2dc0af483c78a462781ef0c5b2116e12ca2c07b46e453312fa342f56b48484c71a6c0e337c89078a974f10948361e5b6a822e3b0c0
SSDEEP

6144:vl27nP31KHRyYEENeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+g:WP3aRyYJNeYr75lTefkY660fIaDZkY6r

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 54 IoCs

pid	Process
2776	Miemjaci.exe
3900	Mpoefk32.exe
1012	Menjdbgj.exe
3360	Nilcjp32.exe
4172	Nebdoa32.exe
2996	Ngbpidjh.exe
1388	Njqmepik.exe
3280	Njciko32.exe
2924	Nfjjppmm.exe
2004	Ogifjcdp.exe
2060	Ocpgod32.exe
1644	Olhlhjpd.exe
1384	Ofqpqo32.exe
3336	Oqfdnhfk.exe
3292	Oddmdf32.exe
1512	Ofeilobp.exe
3224	Pdifoehl.exe
1300	Pflplnlg.exe
2516	Pmidog32.exe
1500	Qnhahj32.exe
1328	Qqijje32.exe
3620	Anmjcieo.exe
1404	Afhohlbj.exe
2852	Agglboim.exe
2664	Aeklkchg.exe
2528	Aabmqd32.exe
2844	Anfmjhmd.exe
1076	Agoabn32.exe
4876	Bagflcje.exe
4944	Bmngqdpj.exe
2188	Bjagjhnc.exe
3200	Bcjlcn32.exe
3768	Bfhhoi32.exe
764	Bmemac32.exe
2396	Cfmajipb.exe
4000	Cmgjgcgo.exe
3668	Chmndlge.exe
208	Caebma32.exe
3636	Chokikeb.exe
3172	Cnicfe32.exe
1972	Chagok32.exe
1788	Cmnpgb32.exe
1756	Chcddk32.exe
2772	Cffdpghg.exe
4476	Ddjejl32.exe
2720	Dhfajjoj.exe
232	Dejacond.exe
2920	Dfknkg32.exe
4112	Daqbip32.exe
1172	Dodbbdbb.exe
4264	Ddakjkqi.exe
4936	Dogogcpo.exe
4980	Daekdooc.exe
2952	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cffdpghg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1380	2952	WerFault.exe	135

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pflplnlg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2776	1760	4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe	82
PID 1760 wrote to memory of 2776	1760	4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe	82
PID 1760 wrote to memory of 2776	1760	4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe	82
PID 2776 wrote to memory of 3900	2776	Miemjaci.exe	83
PID 2776 wrote to memory of 3900	2776	Miemjaci.exe	83
PID 2776 wrote to memory of 3900	2776	Miemjaci.exe	83
PID 3900 wrote to memory of 1012	3900	Mpoefk32.exe	84
PID 3900 wrote to memory of 1012	3900	Mpoefk32.exe	84
PID 3900 wrote to memory of 1012	3900	Mpoefk32.exe	84
PID 1012 wrote to memory of 3360	1012	Menjdbgj.exe	85
PID 1012 wrote to memory of 3360	1012	Menjdbgj.exe	85
PID 1012 wrote to memory of 3360	1012	Menjdbgj.exe	85
PID 3360 wrote to memory of 4172	3360	Nilcjp32.exe	86
PID 3360 wrote to memory of 4172	3360	Nilcjp32.exe	86
PID 3360 wrote to memory of 4172	3360	Nilcjp32.exe	86
PID 4172 wrote to memory of 2996	4172	Nebdoa32.exe	87
PID 4172 wrote to memory of 2996	4172	Nebdoa32.exe	87
PID 4172 wrote to memory of 2996	4172	Nebdoa32.exe	87
PID 2996 wrote to memory of 1388	2996	Ngbpidjh.exe	88
PID 2996 wrote to memory of 1388	2996	Ngbpidjh.exe	88
PID 2996 wrote to memory of 1388	2996	Ngbpidjh.exe	88
PID 1388 wrote to memory of 3280	1388	Njqmepik.exe	89
PID 1388 wrote to memory of 3280	1388	Njqmepik.exe	89
PID 1388 wrote to memory of 3280	1388	Njqmepik.exe	89
PID 3280 wrote to memory of 2924	3280	Njciko32.exe	90
PID 3280 wrote to memory of 2924	3280	Njciko32.exe	90
PID 3280 wrote to memory of 2924	3280	Njciko32.exe	90
PID 2924 wrote to memory of 2004	2924	Nfjjppmm.exe	91
PID 2924 wrote to memory of 2004	2924	Nfjjppmm.exe	91
PID 2924 wrote to memory of 2004	2924	Nfjjppmm.exe	91
PID 2004 wrote to memory of 2060	2004	Ogifjcdp.exe	92
PID 2004 wrote to memory of 2060	2004	Ogifjcdp.exe	92
PID 2004 wrote to memory of 2060	2004	Ogifjcdp.exe	92
PID 2060 wrote to memory of 1644	2060	Ocpgod32.exe	93
PID 2060 wrote to memory of 1644	2060	Ocpgod32.exe	93
PID 2060 wrote to memory of 1644	2060	Ocpgod32.exe	93
PID 1644 wrote to memory of 1384	1644	Olhlhjpd.exe	94
PID 1644 wrote to memory of 1384	1644	Olhlhjpd.exe	94
PID 1644 wrote to memory of 1384	1644	Olhlhjpd.exe	94
PID 1384 wrote to memory of 3336	1384	Ofqpqo32.exe	95
PID 1384 wrote to memory of 3336	1384	Ofqpqo32.exe	95
PID 1384 wrote to memory of 3336	1384	Ofqpqo32.exe	95
PID 3336 wrote to memory of 3292	3336	Oqfdnhfk.exe	96
PID 3336 wrote to memory of 3292	3336	Oqfdnhfk.exe	96
PID 3336 wrote to memory of 3292	3336	Oqfdnhfk.exe	96
PID 3292 wrote to memory of 1512	3292	Oddmdf32.exe	97
PID 3292 wrote to memory of 1512	3292	Oddmdf32.exe	97
PID 3292 wrote to memory of 1512	3292	Oddmdf32.exe	97
PID 1512 wrote to memory of 3224	1512	Ofeilobp.exe	98
PID 1512 wrote to memory of 3224	1512	Ofeilobp.exe	98
PID 1512 wrote to memory of 3224	1512	Ofeilobp.exe	98
PID 3224 wrote to memory of 1300	3224	Pdifoehl.exe	99
PID 3224 wrote to memory of 1300	3224	Pdifoehl.exe	99
PID 3224 wrote to memory of 1300	3224	Pdifoehl.exe	99
PID 1300 wrote to memory of 2516	1300	Pflplnlg.exe	100
PID 1300 wrote to memory of 2516	1300	Pflplnlg.exe	100
PID 1300 wrote to memory of 2516	1300	Pflplnlg.exe	100
PID 2516 wrote to memory of 1500	2516	Pmidog32.exe	101
PID 2516 wrote to memory of 1500	2516	Pmidog32.exe	101
PID 2516 wrote to memory of 1500	2516	Pmidog32.exe	101
PID 1500 wrote to memory of 1328	1500	Qnhahj32.exe	102
PID 1500 wrote to memory of 1328	1500	Qnhahj32.exe	102
PID 1500 wrote to memory of 1328	1500	Qnhahj32.exe	102
PID 1328 wrote to memory of 3620	1328	Qqijje32.exe	103

C:\Users\Admin\AppData\Local\Temp\4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe
"C:\Users\Admin\AppData\Local\Temp\4dc1d2a5325e831c96d79f06248779daa8dfccd19df9246a1a27bff09bce6a31.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\Miemjaci.exe
  C:\Windows\system32\Miemjaci.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\Mpoefk32.exe
    C:\Windows\system32\Mpoefk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Windows\SysWOW64\Menjdbgj.exe
      C:\Windows\system32\Menjdbgj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 416
        56⤵
        Program crash
        
        PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2952 -ip 2952
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
320KB

MD5
f2b612eccb6aac24b96cc474062dc7f1

SHA1
43a4b131b1f8901aca2c4e2a37c224a342848a39

SHA256
272f736d1f0377962774c4b207b633d04f754b984cc1403caa10cf5101b4c7dd

SHA512
3616f4c793b246580aed94530adbf8cae46ff16c8b4192b508e0808db39a238a86ec0017009049f844f460bce0a1a15788558b946f184e861d65c8373b3319ef

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
320KB

MD5
58ac58ff711464d8acad6ebb0d31836c

SHA1
3855c74820217936cc0b3c963d08459a79adb38a

SHA256
219c4f931e57c8c7abd07eec5f80f5b396fb426c58ee8cc6760c2529be235e5f

SHA512
a341a8702e96e15af55c1376c5a504f2ada395fdd00a5ff7b9f9454f3332bfe806c7197302de36f37a69cb7a58ac1097a24a4fd6b9881d190982bfef4f46efa3

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
320KB

MD5
fab47cb93b996c5ee8cc684bb514653e

SHA1
50134cf3742e62e6d0239f750e186cd6325e9551

SHA256
d89717720dbc59c5cbf450e42e7c21dcbe97f9b1807e44f37a6ad4d32c21edd3

SHA512
70aa4b76b81997ceb3e6ba4dad990a00e75a90554a28a95cb28b355213100faeb189e0668b2d20f436049725642d530e17c935820599f722f75814ca2b6d1813

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
320KB

MD5
1caa3ca47dcfdb107f243e144359f588

SHA1
0f8fe79631184b72ba17026907d7455376fdee85

SHA256
d28d7d77d9e0bf2c3a3d180c8d65d4f3d0ffb38627adae193896d41f7c5c4c6d

SHA512
b72cfe41a96c2796b742487d220764266058f56fc7a820a3f3f9805f4cc69964c4f43a671c4110f37f043bac89416d171b71e14e249d9e6af8fa5cb8581ee099

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
320KB

MD5
bb5b10efcbbfac9eb13350a6235d6158

SHA1
e4a4d206f6d2339925fa2d59148387fb60c91381

SHA256
fc2c8930dd645b8a3370ea638243e027616c4fe8fe06738ea27ceda82a8b1732

SHA512
544ed20a5e12dac81ffa3cfbec8eca77f251bbce3654f35e653e01a96c2e1b33d53e450fb1337911306c6be7f6f5257a1453c19022e6863f81a3e5fa8f36fada

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
320KB

MD5
09753b70c799a16ec56d75e8c2e0d48e

SHA1
7ba0daed6e04f3e74bbeb1324224462084a8ba31

SHA256
40330413a7fa30bd47b0a82cd9ac64c7f80c9617a47955e63089a8b9be82ac56

SHA512
dfae724a1a877b7ac0ebdef010d574737c3a7229b557f184192995f4bae20833596e552112c1f83a223e696df4a755563eb06a4f780c985df5ae375211c782a5

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
320KB

MD5
933c7e38f0209d4512ae7f79e922b867

SHA1
12e668ae54f84fcac07a20df2e45dc2004de6913

SHA256
44402f67ac70a8cb0b623a70690d2f8d2f110ded1e42d40159b8f10fdf180b7e

SHA512
09f36c9b432f8435e18f14c6cfdad00d2730e3365622dafaa0f88ed6dd382fd28b347a0eb461187533156ce72525ea57d657d6d64afbde5d8e7e2abe6eaa5a53

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
320KB

MD5
b3d98f02b7aaf4578ed2de861898b57e

SHA1
d088ca36621367abb80896994396d87ffb6b1203

SHA256
2e82df0066927d4a5eaeb6093cc40ed616f5a46141036fa8586a13fc6a3df8a6

SHA512
eecfe3dd2bbae7fb34799ce7157eb4dfca130be11b401af35d27801c765a010799c73b3b6493360a670da488157346a8c0f6b51b2a8f2fe09b893f1d86f483b0

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
320KB

MD5
cb942bd4f25ad85650392b8f73771395

SHA1
a70f89df1d8c7967d3c06aef7aeb579373d748ae

SHA256
e264497e968fd5eeab1c0466c4cbd01d116086a06f575fff8d935e751dafcc73

SHA512
74817977da93b394ce7d96616663ee8d7f64c80e7ab86d808c1a1492a32c7ece9223712f44e25a556463c62b6c69d1671eb800cd374d16e0a616356c799aeeb9

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
320KB

MD5
c3b2983c6ac5cac4402c444c718c4f87

SHA1
157ba1c4ab65c30d38c7f9d601aa9094932fc39c

SHA256
009cbc49e3b30c9eebffe695d568f41fa8bba60dfcea0a0a602582a66598b625

SHA512
1bb50f404d4b3b0e332d8f729087bbf576fa85a194cbdf60af8420a80d7eb3f83e996917d6a6e5a4c3092f7703ad035ac1c7793d5b64a962a65f641b56268d20

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
320KB

MD5
a50ea82de3c2ba601d3d09dd25f3eba0

SHA1
a1ddc989ea8265a4c428576f4b7967a353f204a3

SHA256
5e7dbb337ab13563f917f377930c1545066604bf065f88a30897686598efc839

SHA512
82dcc1999ffa630ed9532f322e520a7b435b954275903a96af3ac547e43b2f384efd1d700cb7e9dd61401280dffd78a959c403c3cb7fe663c60cec7d31edb2a2

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
320KB

MD5
9f38d2a54293d697bfd33d04d3fe2ba0

SHA1
ae2e7d9bfd270e62691d2a260a0034973fa9e07c

SHA256
dc5273281b54be0a08cac7988efaaae47f30da7269743200723aaf3c2e0064fc

SHA512
36c557108c6349f0c87d94a4113b507b6a6f3a2f5fc800204ca49088247887d0ed1d7ce64ea91817a52f734561004257ea0faff4cba74654dc819a6f88f2e9a7

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
320KB

MD5
3c0e05567461b220ab1a4a1f03029455

SHA1
35da9a2024bf0fc8739b3c29c3f46549a51ec371

SHA256
96e653ec7845b682d458cba0e7c3588e98d19f5981b519a2202a5f4ca7ea3f2f

SHA512
1d112caef898e90dcac4a3a70c33db4f6959c94a26009079b16131be96adb166f1cb58c2b0eca42a973f3ea5164d3971e43763eac21079affcb14030e170a19d

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
320KB

MD5
bbe89c33c318062a129010b2991a3a79

SHA1
455c893a22777f6e5208cd9068b6997ca610123d

SHA256
65a375325201e4f4e5f427d8e79e5cb128db4987b98dc69eb8cc4a8d2c1243bb

SHA512
63cabb3900c0099ab73eaf6e78a723f29367875d03764f4645e0502bff864788d7d2a0e1ecb8beb304172cc61435e75e442b7c57a9c47a1cda289656361e6e82

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
320KB

MD5
6d842842feb11dcaab8a92f278794f51

SHA1
5feaec4ef67b73cab41c11bfebb1b5a46a26e863

SHA256
8a7600c70564f37aa47f7f9acd2ee58e0b03aad78116ee30250f04c447e2a06b

SHA512
bacfab02f29b0cc2601d0ee27856ee9b298db7684ba7f75f94cffe39b8c9148ce1cc5d279edb75cd9506e769d37a8354770359d733f85abf891e8fb5a7dc8c92

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
320KB

MD5
17f99c27d688d561ffd43192416970cc

SHA1
dfaad1665e68cbb93e8cec1d7519f69ae83ef105

SHA256
348f46a52b4c3083ccdfc6f7c3159851b6ad602a43891413ebbc53c099c7d053

SHA512
513931f5bc9644eb1216f765551d9fad39b63d27d1748a70ad7c9094ef5e601db1d1c9aebd55163bce6f53e4c333afa84c69cb97c2a790a28e10cb274b1387a0

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
320KB

MD5
461b1bef756dc2f0796f82e737140e50

SHA1
c02d43551b9e18ef2530ed5a1c569d5369648321

SHA256
744f9003bfbe47796bc1c50df034d86706d23ce8edd8cbf8029bf87b27d917ff

SHA512
3312e76355775864b45a0c5b9f376dd7b044fe319729329e277c9f9b540df8e4472b34a70e94d9d870d722acd1f000f8b268686aa470b38754a384e279cb3adf

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
320KB

MD5
b029d247251c600fb05597d924ecf751

SHA1
6a269254a6a7b3709ddf180f8eeb35bc7c934e14

SHA256
e520d22fd476ed166d8ccc4d3a75587c8fbfb821fe0d704ab8c2ec86fb0a345c

SHA512
3476da7bbaafabdcf711b058ecd97627ed97cb875bdfcf6edb903a1cfcc93f006244c90ea55d1e412b2fb16f1e3e29e9c6b68fc10445808ab42efbb0c5a18a6f

Download Submit
C:\Windows\SysWOW64\Gfmccd32.dll

Filesize
7KB

MD5
21d0a469bdcb3f352ef1936d465dec27

SHA1
264aebcd92d980cfeb75fa59757eab236f3e4562

SHA256
2a1cc44ec47c4d85d1c1920e70f1f5b181a4a2373a2dd9d3cbc2fdfe1a0d119d

SHA512
f5214c2beba9287e8c41878a70e0da048b54e991dcca97ddbfc260fc311f58bda6a348fdd8d45df5540d1fe7059b17b1af59d40817f9b880922c8afac41b8023

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
320KB

MD5
136ca1dbd7cfbcb63778cb40ee8297a7

SHA1
eacba0bca58df47c17b2bfb80f865a25092eb26c

SHA256
3b132d2ad5ffb44a0bef7f15b2df22b75d5946cb2df7bbe69de4e369bc4bf139

SHA512
c74db957579a6ebf4b700381d1b977d8f4f76afed2e29bf0c13de49dc322cd78d1c0405261042f317678a1790368b7fb6dd9ebc38782626a3b59b9e9356c3659

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
320KB

MD5
8271fae660db209e4d966e9e6f63b2a2

SHA1
a8b2245ca890ad48e64909db2898cc883ca1df29

SHA256
fd542675350ac4ecd4de7fc982d063f45a360d10f12956896c46f58046404a52

SHA512
5c89ec9f5a374e68aa606e7a28cc4d7f8c2d8e71a121f2a4b403cd8c630722ddc051f8561d62a416d92217453294848d44c5caff20f267143c96228841847317

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
320KB

MD5
e75cb608e5092f11f71cd8eb209b214b

SHA1
9a98a0f4761700a3d8ccbfbfe7c1f0836301df4e

SHA256
caf9253d39afa15b728bc3b5f631aadb9a3bb0ce6a6df3da564d667a436abb05

SHA512
fd4c0deef832924c79f4822a5f257400415545487bb6899c927e8baca316237d9c65c25174a4549327a486606010c5f3807dfbb1f118c65dccc5dd891ea801c2

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
320KB

MD5
50ec01acaf98e1c9192789c9ead75b9c

SHA1
e15c90440987e639d719f292d67514d09f165970

SHA256
52962999bb2b8d6f1af416368368451976b52ef8fd191fdad78eefa1b6d11099

SHA512
704f2c0524ba9aaba6b81d08a5b3ac2ad5270ae84b63641447b6333fe040a4555f849c9e5f6ee61d45593bef24d4e321ad00618c8f35fd3b3e4c279bc6e68c09

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
320KB

MD5
2e8415cb7b7f36c27bb0a8d9a87a3a4f

SHA1
e6f823571936d498e139ed7addfa4cbaa08b98f9

SHA256
3246c9515b43effcfc439e58a403657ee23525f69193ba22b2440137e682b86c

SHA512
7147c2dbc8ecaea6e0064f0cf438730f7cc5813fd34609b97c75f66d82372cd6186a929b22389a7d1644ef93597cf172ac945841b5faaa6aa382879639e92093

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
320KB

MD5
7ac8224de59d02a92dd8cf6435b30cca

SHA1
1ff78ba7b2b797905057ea5767ab0eb4bc7cb644

SHA256
d2171bc820b7e78166f90465d9d2776d2d875d6c02f227d2eaac0c87644a4d14

SHA512
ec2e0ab8779f162cfc8d1746c53881d3738c0e3b527855c462f7894ab1fc3881b11e517d10a5c41b834c8fe4d80eb336506a0cb8249b52648696c1e0f5a52b16

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
320KB

MD5
4f230092994e53a68e4c1cadb8312617

SHA1
7cb2ce70fc14597092dc0f370b320782bf932270

SHA256
019d3e0e7a4613bb7487990acbc3535518dbaf74e0468a4c05ead673762edefb

SHA512
94721865efd05186870099647095c60031e4cb1fa039887276b641d982b85e9b721167b2b050f379e2ecfbf1c7d589ac36b7332ec14bbd3cb87dae890941b449

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
320KB

MD5
3085f1f524b4f677ff938c7a9363910b

SHA1
1237db8ad5b6d83b0f5e6e38944e464a38f9fc51

SHA256
e8cb03832b9e8197c1c533fa8327eddf839cb087f429293207abf821d0240b32

SHA512
5c1778cbaa3b77b78fbaa42c767c76ca489c2b72a39ae68d3d75a57b3713172635e0828ec6e47bacea437ec205879b4ff946dd6ed9d40490a247548791911eb5

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
320KB

MD5
70273cb4be23c340cc51f724a594df4f

SHA1
d7f0c26b60040d182d3ec3b9dc862d30bca36e2e

SHA256
0f90d10cee7c2123d1cb2ac27e9808c93f3b9fb9be8d934babf955858b888d4b

SHA512
16ce2ebb727d77ad39f64523c440ad861bc3a16c0cf3359e9f9d75167b369d55a2df9d92d9690fd0872a207af7b2651e63aa46c512904dfef5c47d0902a2b8e3

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
320KB

MD5
2a532dd1f806ae80cb27235c3a0f5918

SHA1
7a16367464398ff943c74b78f4a27e4b3508b010

SHA256
c9043a9500e64725de15de7e687ffbec4503561b1e47021dc3b3f4fb4e8e8b64

SHA512
2c5c69438c9b36f19ab9dce7a9574f1beb9fa4d7d4bc2e15f5ed1785cae7f29d7899ce3fcce66caaa0bf9ebb2fa1cedc744b6dd81282b501161bb6543445adbf

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
320KB

MD5
d7cae9912697107614536961ccef2ada

SHA1
bfd04e1e553fe397b92e45229f21e43604e6aab3

SHA256
d6c3e13113bc8f943ec5ff23f90083e9fd2c4d823ddcfa04eabd7e0c67b34605

SHA512
de94b4c3f381704b4921d44e79ec30bec02cec7c1c35728129d50baeec42c047598311e11ff76811cd535d07d9a37aef7c214dc13adc450aca0bfc986a0d0aa7

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
320KB

MD5
1cb8ab80f23a835fd568e0904b303b38

SHA1
9d0f08527b9d3341b3f614429eb3d160f0a22aea

SHA256
d95eb8698fd535792b006921f258c497ca5bbfdbc2954efc26f0c9b3fb1954aa

SHA512
7814f3a66f774d636223f8072dc39fc77a2e11f38a3bfc576a8fccb7b790c66aa00e033f4b9e16b364865d1feb4e9f1b56a532d62a57fe360a26ef7385835c65

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
320KB

MD5
73f6ab2c056d345119567e46bc0a1201

SHA1
0256309e043190f9b1024e2ded7f36f43cf62b31

SHA256
5e50fc260eddc3f2c54ffc1b59f1ac76755c21c6c3ad89fcc6d22fb17b34be63

SHA512
847072314ae89b66a93c144d59f22b83cd6308e8fcf5b8ae2e54c08202f4d7d76cb195e086e733f6db9b38918ebefd93717e3d1d5afdb7993d1b26437efbc317

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
320KB

MD5
94e5bf78a3c4b5bcd41d0a5f4c33f2db

SHA1
d590218f2a01ce917158a7e771b7c746f93b1086

SHA256
6aac1b6dc79af632306c28b71f1a9ced17b8804f7bb7428191205a59a804d762

SHA512
93d84a69676895027d0667ce6ec6294547b291ec8f6033d29c68a4e8e9fdefcf79ec90fddaeb178ca12ad84ca85ba936d381ade6e9f32c97ad8ede11a833ef42

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
320KB

MD5
42c4366c7777897f23e7f642f2011186

SHA1
43cc1a4cecd5b1bec032a70f521da90c1069d5df

SHA256
5ce3b37d28f2d8fc5de1a66e75aa6507b68c54cc6d00361fcbf26b9aabf9bd09

SHA512
35b9a334bda3109801dcb1b367239a7cfd53b51b0586607992441c6ac63f5d010c72570465773de60c17374a0c60f1828105bf551a4bcd6ab67680166d19808c

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
320KB

MD5
967759a8926ef2cb3a442aa782ae4618

SHA1
2a33890bc754f0ecb4513883334c8e4c62dc2e01

SHA256
58ed43157f3f0383d316f7d760f0d3d946bce2a8af32a2fe1098becbc8652333

SHA512
6b66cf06c612fa5b450cc8004ab1c0bf6b7b70776a1528b9b951b3f545d71fbd38b75ad4862ec86e32385c90f0c385ae31ceb2ee4a576fe0a20eaee176f8d22c

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
320KB

MD5
b58c4f6a66d7b8261646a58918ab0fc5

SHA1
b7aaf292657e10a8f96b89c77638075b4871b4a1

SHA256
adc215503d427b8c98bbc8d474257b0abc868d4e1c05e0b16de8a4b732b4c406

SHA512
592b7eaf09380edd95cb20821c094f71e6545c553400e7c7af9b539249a1ce21adb7eb1c8997f06487c621ba0e24033b586eae5a9b1de4b2f44342a478864e6d

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
320KB

MD5
d55370f042279e2860ec1d9196d5c1d1

SHA1
21963f84b3186e3fd5316b4d0d951301be0882d0

SHA256
faf8c04c8bec3039b6eea645eee10b8a3ee656e67897afaab2d1bc5607d15154

SHA512
a534988369da4a640a4f53f913ee51ff6a12084cc40d6cf9af6499c5ff5c443aba6ce7113bd12fa14bb37cc48edf3242257138b21c16d1871c05158ff1975bf2

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
320KB

MD5
158a3085c45324984bd041139097f2b8

SHA1
2ae19cbefa64691a35a59912fd87fe0f04fcf730

SHA256
26419475e775db7aa01fe73f2893befc156fce9e996297f8d9dad97f227d4fc1

SHA512
0d3967d5033e9635369b4dfd9ada9dd6687df493d1ebfc56cd679d0fb9032373a03b015a676598fb40977e6eba628eb70ee1a103bc4e5ef46cd21c782e93015d

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
320KB

MD5
3dd6a7bbfd3614b864bd2bad00a37c1c

SHA1
b66899e12b465bc94dc2e960b30c9a6f75a424b3

SHA256
e6c7db7f1baf6b5dd4419e43b9a7e5208f97c68d19f0fb6c45facb3c41b48d15

SHA512
7d2f5275ff0a099677cf10683b498887fe9f35d6c60f082a23c8dd6d0138decb71143317c992e3d53eef75623939e9979c043141a9d6bea797ed7efc35e731f0

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
320KB

MD5
ebb2a99b32d4f479b6ddb046afae3bb4

SHA1
025298fd6e7c81fceb65223703d449a50eecbfbc

SHA256
8bdf6b2739613e8fade8ba6d378f4be66d45ca90597f5e91f9aa600fa2857300

SHA512
cb902f17a80d60a8e683852e26828b633e78483730f344c9031b14ccef2a8a7813f8cf0e93c9f54c3a7d73a730ee78a46aaea90f45947b36b92fadea29fb9abe

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
192KB

MD5
90598cbcf95c4a333a732b0eef6bafe2

SHA1
641f221f3374421d102354e7ee1743b95c723b41

SHA256
aad7583cd00623e93c8d05a53519f8163826e5800a94073f6c5ad92a7232ea00

SHA512
b044b08675e089624c185bf8cc5974cb45d0e6ffadf262bf07ac2bcb365dfd23ef38965fcd6b70985bdf7170968a90da0aee87ebed010ebc140e370f4f85447f

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
320KB

MD5
ad697b4382afb896dbffe67b8b4f8699

SHA1
abc4b0f4932469b538c31fff728651422a232764

SHA256
eaba2fcd450e51ba7701391657584c774e2f86ea4a255170d69c72e57852465d

SHA512
8bf7cc9ad9bacd16abacebe0b5a00ec593d715bc4bb05dba8f080bceee80fd502a3f6284abb866a730d0a6e255c6b03516dcd0f960bec4266a06df5d7266416f

Download Submit
memory/208-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/208-399-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/232-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/232-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/764-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1076-422-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1076-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1172-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1300-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1328-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1328-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1388-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1388-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1404-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1404-423-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1500-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1500-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1512-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1512-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-409-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1756-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1760-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1788-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1972-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1972-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2188-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2188-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2396-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2396-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2528-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2528-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2720-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-397-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2920-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2920-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2996-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2996-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3172-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3172-427-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3200-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3224-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3280-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3280-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3336-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-404-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-421-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3636-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3636-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-415-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3768-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4000-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4000-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4112-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4112-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4172-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4264-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4264-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-411-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-391-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads