berbew | 1800dd1a1a01bc720564978a73bd2f8ba06fd04760245a6a514a2b049412adae

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1800dd1a1a01bc720564978a73bd2f8ba06fd04760245a6a514a2b049412adaeN.exe
Size

93KB
MD5

5ae7a00b91e7093120d75ca8f7885410
SHA1

a22b7921334b23d55ebaf7b34851b6f6ea037059
SHA256

1800dd1a1a01bc720564978a73bd2f8ba06fd04760245a6a514a2b049412adae
SHA512

1f523b47e666dcf8efebe53fbf1beb73bc199281e8f3575fb6f93397b32c8d3a3a04d8bc3a901238a0e20521b9fa0016d1867ba5df7f1aa18568f10ec3595f74
SSDEEP

1536:3iPX3K6jHTolHSyflp+2CSb1DaYfMZRWuLsV+1R:3i3jHTmlfuibgYfc0DV+1R

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifgbnlmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ickchq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcimkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedeph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iemppiab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbbdholl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1664	Gcimkc32.exe
2660	Gdjjckag.exe
2376	Hmabdibj.exe
3988	Hckjacjg.exe
1160	Hbnjmp32.exe
3696	Helfik32.exe
4860	Hmcojh32.exe
5104	Hobkfd32.exe
1388	Hflcbngh.exe
3004	Hkikkeeo.exe
2656	Hbbdholl.exe
4432	Heapdjlp.exe
4248	Hkkhqd32.exe
4944	Hcbpab32.exe
1236	Hfqlnm32.exe
5020	Hkmefd32.exe
3076	Hbgmcnhf.exe
4116	Iefioj32.exe
3648	Ikpaldog.exe
1624	Icgjmapi.exe
1300	Imoneg32.exe
2272	Ipnjab32.exe
636	Ifgbnlmj.exe
1240	Iifokh32.exe
4812	Ickchq32.exe
4200	Iemppiab.exe
1376	Ipbdmaah.exe
3980	Iikhfg32.exe
3516	Jimekgff.exe
4356	Jcbihpel.exe
1224	Jedeph32.exe
1280	Jpijnqkp.exe
5068	Jlpkba32.exe
4392	Jcgbco32.exe
4880	Jehokgge.exe
4272	Jmpgldhg.exe
1992	Jcioiood.exe
1788	Jfhlejnh.exe
900	Jifhaenk.exe
1844	Jcllonma.exe
2920	Kboljk32.exe
836	Kmdqgd32.exe
2872	Kpbmco32.exe
732	Kbaipkbi.exe
1320	Kikame32.exe
2696	Klimip32.exe
4012	Kdqejn32.exe
1356	Kfoafi32.exe
2336	Kimnbd32.exe
924	Kmijbcpl.exe
3944	Kdcbom32.exe
1032	Kedoge32.exe
4568	Kmkfhc32.exe
1896	Kdeoemeg.exe
2012	Kfckahdj.exe
4360	Kmncnb32.exe
1680	Kplpjn32.exe
5084	Lbjlfi32.exe
2032	Liddbc32.exe
1560	Llcpoo32.exe
4384	Ldjhpl32.exe
4956	Lfhdlh32.exe
4732	Lekehdgp.exe
1876	Llemdo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jehokgge.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Hkmefd32.exe	Hfqlnm32.exe
File opened for modification	C:\Windows\SysWOW64\Liddbc32.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Hobkfd32.exe	Hmcojh32.exe
File created	C:\Windows\SysWOW64\Kikame32.exe	Kbaipkbi.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Hmenjlfh.dll	Hobkfd32.exe
File opened for modification	C:\Windows\SysWOW64\Ifgbnlmj.exe	Ipnjab32.exe
File created	C:\Windows\SysWOW64\Qamhhedg.dll	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Oekgfqeg.dll	Hkikkeeo.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	Ikpaldog.exe
File created	C:\Windows\SysWOW64\Iemppiab.exe	Ickchq32.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Imhkcaln.dll	Hbnjmp32.exe
File created	C:\Windows\SysWOW64\Ecnpbjmi.dll	Hbgmcnhf.exe
File opened for modification	C:\Windows\SysWOW64\Kdeoemeg.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Bpdkcl32.dll	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Hmcojh32.exe	Helfik32.exe
File opened for modification	C:\Windows\SysWOW64\Iefioj32.exe	Hbgmcnhf.exe
File created	C:\Windows\SysWOW64\Pmdfog32.dll	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Pkbbae32.dll	Hcbpab32.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Iikhfg32.exe	Ipbdmaah.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Ipnjab32.exe	Imoneg32.exe
File created	C:\Windows\SysWOW64\Jmpgldhg.exe	Jehokgge.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ikpaldog.exe	Iefioj32.exe
File created	C:\Windows\SysWOW64\Iledokkp.dll	Iifokh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6244	7144	WerFault.exe	269

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifgbnlmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iemppiab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helfik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icgjmapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkmefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfqlnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imoneg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehokgge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ickchq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iccbgbmg.dll"	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iledokkp.dll"	Iifokh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liddbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamhhedg.dll"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcbpab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqjbebh.dll"	Hmcojh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbbdholl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekgfqeg.dll"	Hkikkeeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1800dd1a1a01bc720564978a73bd2f8ba06fd04760245a6a514a2b049412adaeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1664	448	1800dd1a1a01bc720564978a73bd2f8ba06fd04760245a6a514a2b049412adaeN.exe	83
PID 448 wrote to memory of 1664	448	1800dd1a1a01bc720564978a73bd2f8ba06fd04760245a6a514a2b049412adaeN.exe	83
PID 448 wrote to memory of 1664	448	1800dd1a1a01bc720564978a73bd2f8ba06fd04760245a6a514a2b049412adaeN.exe	83
PID 1664 wrote to memory of 2660	1664	Gcimkc32.exe	84
PID 1664 wrote to memory of 2660	1664	Gcimkc32.exe	84
PID 1664 wrote to memory of 2660	1664	Gcimkc32.exe	84
PID 2660 wrote to memory of 2376	2660	Gdjjckag.exe	85
PID 2660 wrote to memory of 2376	2660	Gdjjckag.exe	85
PID 2660 wrote to memory of 2376	2660	Gdjjckag.exe	85
PID 2376 wrote to memory of 3988	2376	Hmabdibj.exe	86
PID 2376 wrote to memory of 3988	2376	Hmabdibj.exe	86
PID 2376 wrote to memory of 3988	2376	Hmabdibj.exe	86
PID 3988 wrote to memory of 1160	3988	Hckjacjg.exe	87
PID 3988 wrote to memory of 1160	3988	Hckjacjg.exe	87
PID 3988 wrote to memory of 1160	3988	Hckjacjg.exe	87
PID 1160 wrote to memory of 3696	1160	Hbnjmp32.exe	89
PID 1160 wrote to memory of 3696	1160	Hbnjmp32.exe	89
PID 1160 wrote to memory of 3696	1160	Hbnjmp32.exe	89
PID 3696 wrote to memory of 4860	3696	Helfik32.exe	90
PID 3696 wrote to memory of 4860	3696	Helfik32.exe	90
PID 3696 wrote to memory of 4860	3696	Helfik32.exe	90
PID 4860 wrote to memory of 5104	4860	Hmcojh32.exe	91
PID 4860 wrote to memory of 5104	4860	Hmcojh32.exe	91
PID 4860 wrote to memory of 5104	4860	Hmcojh32.exe	91
PID 5104 wrote to memory of 1388	5104	Hobkfd32.exe	92
PID 5104 wrote to memory of 1388	5104	Hobkfd32.exe	92
PID 5104 wrote to memory of 1388	5104	Hobkfd32.exe	92
PID 1388 wrote to memory of 3004	1388	Hflcbngh.exe	93
PID 1388 wrote to memory of 3004	1388	Hflcbngh.exe	93
PID 1388 wrote to memory of 3004	1388	Hflcbngh.exe	93
PID 3004 wrote to memory of 2656	3004	Hkikkeeo.exe	95
PID 3004 wrote to memory of 2656	3004	Hkikkeeo.exe	95
PID 3004 wrote to memory of 2656	3004	Hkikkeeo.exe	95
PID 2656 wrote to memory of 4432	2656	Hbbdholl.exe	96
PID 2656 wrote to memory of 4432	2656	Hbbdholl.exe	96
PID 2656 wrote to memory of 4432	2656	Hbbdholl.exe	96
PID 4432 wrote to memory of 4248	4432	Heapdjlp.exe	97
PID 4432 wrote to memory of 4248	4432	Heapdjlp.exe	97
PID 4432 wrote to memory of 4248	4432	Heapdjlp.exe	97
PID 4248 wrote to memory of 4944	4248	Hkkhqd32.exe	98
PID 4248 wrote to memory of 4944	4248	Hkkhqd32.exe	98
PID 4248 wrote to memory of 4944	4248	Hkkhqd32.exe	98
PID 4944 wrote to memory of 1236	4944	Hcbpab32.exe	99
PID 4944 wrote to memory of 1236	4944	Hcbpab32.exe	99
PID 4944 wrote to memory of 1236	4944	Hcbpab32.exe	99
PID 1236 wrote to memory of 5020	1236	Hfqlnm32.exe	100
PID 1236 wrote to memory of 5020	1236	Hfqlnm32.exe	100
PID 1236 wrote to memory of 5020	1236	Hfqlnm32.exe	100
PID 5020 wrote to memory of 3076	5020	Hkmefd32.exe	102
PID 5020 wrote to memory of 3076	5020	Hkmefd32.exe	102
PID 5020 wrote to memory of 3076	5020	Hkmefd32.exe	102
PID 3076 wrote to memory of 4116	3076	Hbgmcnhf.exe	103
PID 3076 wrote to memory of 4116	3076	Hbgmcnhf.exe	103
PID 3076 wrote to memory of 4116	3076	Hbgmcnhf.exe	103
PID 4116 wrote to memory of 3648	4116	Iefioj32.exe	104
PID 4116 wrote to memory of 3648	4116	Iefioj32.exe	104
PID 4116 wrote to memory of 3648	4116	Iefioj32.exe	104
PID 3648 wrote to memory of 1624	3648	Ikpaldog.exe	105
PID 3648 wrote to memory of 1624	3648	Ikpaldog.exe	105
PID 3648 wrote to memory of 1624	3648	Ikpaldog.exe	105
PID 1624 wrote to memory of 1300	1624	Icgjmapi.exe	106
PID 1624 wrote to memory of 1300	1624	Icgjmapi.exe	106
PID 1624 wrote to memory of 1300	1624	Icgjmapi.exe	106
PID 1300 wrote to memory of 2272	1300	Imoneg32.exe	107

C:\Users\Admin\AppData\Local\Temp\1800dd1a1a01bc720564978a73bd2f8ba06fd04760245a6a514a2b049412adaeN.exe
"C:\Users\Admin\AppData\Local\Temp\1800dd1a1a01bc720564978a73bd2f8ba06fd04760245a6a514a2b049412adaeN.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\SysWOW64\Gcimkc32.exe
  C:\Windows\system32\Gcimkc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\Gdjjckag.exe
    C:\Windows\system32\Gdjjckag.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\Hmabdibj.exe
      C:\Windows\system32\Hmabdibj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        30⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        34⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        37⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        40⤵
        Executes dropped EXE
        
        PID:900
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        43⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:732
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        53⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        57⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2924
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        67⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4068
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2980
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        70⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2260
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        73⤵
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2228
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        75⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4592
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        78⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1412
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        81⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        82⤵
        
        PID:688
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        84⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4500
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        86⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        88⤵
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        90⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        91⤵
        
        PID:768
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        95⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        102⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        105⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        106⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        107⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        108⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        110⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        111⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        112⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        114⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        117⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        118⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        122⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        123⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        124⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        127⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        128⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        130⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        132⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        134⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        135⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        139⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        142⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        143⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        144⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        145⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        146⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        147⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        151⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        156⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        159⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        160⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        162⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        163⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        164⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        165⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6340
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        169⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        170⤵
        Drops file in System32 directory
        
        PID:6472
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        171⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        172⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        174⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        177⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        178⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        182⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        183⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        184⤵
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        185⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 396
        186⤵
        Program crash
        
        PID:6244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7144 -ip 7144
1⤵
PID:6204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
93KB

MD5
74367469d6d294325e8912c6ddc010e1

SHA1
cd67fc697b4d30fcf24ce3211ceec759a01ecff3

SHA256
3e5a837d2f4d58d4cb4b9a327bb0965707c060d4e579df1a3bfd2be06dece50f

SHA512
993bc34f9bf44d022e8545b9847dbe3c0bc74b325b9d740af5e6bfbadcb04610807bcad86702875bfc902cdfa4f85c7a055e0da80b4227c89007ec3cc7a893f5

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
93KB

MD5
9d67d8ea86c3b5379c39e5cbb59b4cfe

SHA1
c35ab10200124b54894fc36f08e30d3305b22bed

SHA256
8741a5dd973b51f2037d6494fc9dcc7db04bd92d49683470c14d1c92b9bdb17a

SHA512
a993666613f16b7432ef29912be49f21f9d6ed3aaa5fae38b8628f709575cfffefeeb07e40d0572a5c58cd7e922f5b2b77b3108db9ebb5fdb2428b79b4299e56

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
93KB

MD5
f508db1c045c3c6bfbff2ff7cef5de55

SHA1
5572378c2071550c11d5afc6dc8ac5c346db05df

SHA256
8bb9e0735558d0e72815aba022e2ce23c393204c91dd82ffea8ed19136adb22a

SHA512
3a95cedb5be1795a787bfab4b3e8d7c328f16a4a2392344d9f005ba09427a8c16de592aae04ddcb46bfa47632982a12f6ce80922032e17fecdc06a5eef0e75d2

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
93KB

MD5
edc475bd110d95d8cabf5c10a45a7fc5

SHA1
ef78edae33aa840f7c51f6c8d6db11afd60847e2

SHA256
5c3577b19847ea502a51858982cd8e5c7d8a6edcc109435cad70d5185e95d184

SHA512
4cf70aa9c1f06069ce50dacac9cb4474f84f5ffa02a9efcab478d2c18e4616a9a010ef1185d3842ac708a52030f96e7e71218390e52839d7fc0a46366083f8d4

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
93KB

MD5
ccb7426a36736ad68d3fda0672b7b324

SHA1
d7d845a2417f14601473fd637d51f80716345003

SHA256
94bd64a4f4f506c517e9ba0d40dcf7d347ee40d36d6e92b49641406bcba6fb44

SHA512
b2090800c57b113499cd3ef177ac4277052f40a6797157c1a819c0278de4f779b9dd5639d0538b86c5da75270798cd6cc944b676bb5ab48d2a0c0023227a032a

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
93KB

MD5
4f6ca7ef224b6e27cbed51715b48e66b

SHA1
b560220347de37a49adbccaebb81c56211c21d43

SHA256
430a7969b60861594f8a2b8a4a25f8cfc9ffec2b58fb40b622e9b0cd212304b3

SHA512
f5f91e5e43569b7a52d86f63edac1368fbb8df1237747ba78ea230684f14070e186e83979233c2b977a6f51ee7b12e1db237916f9d58fbc4e97a364b2750d158

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
93KB

MD5
7cdc407a5b9fc19e5179f08ea4565555

SHA1
7a7048e0af86bdfb18b0f77e77275932728f83fa

SHA256
09b4bfa9c13e9142aa092ff9d92201cfb995c52b8a492dba37a05f1fcbcdfb49

SHA512
31bb58f3c0f470ac1b1610129ff6edc014a4e6d7f3a5d3becde8b0990192061343e5535d2849ebad91fb2562fdfe9676a53cb4add41af00334092908bd1384af

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
93KB

MD5
33cdb0389562e80e93e1670015edaa7e

SHA1
3ae7b9eb4ffbbe8b64642504571cf7bf6a93fb8a

SHA256
d007188da472c5bd4726570621035dda0a84d0b9dd0635b8702190beb8d2649b

SHA512
dc01dc211e4278d7840fed366bd985340750f1ffabb951ee9f4030f280981644f856b46bc235b494eda9334353383960bd4096d2577aa975ded74651e4fd50a6

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
93KB

MD5
e0ae0c24f9c7f848e0e89292cb0a2e0c

SHA1
b22a46883ad02015abc61c8e1c97e5a7c729a065

SHA256
449baf5ad028a808b0006e8346078405d12194307f9c73641c01ba98444abdc4

SHA512
6fc633c0acfce44f4341aedbffd38873451dfcc526345dac72dcaf79afb413a2e25c66293b13308bb073fd7544118acc502ac528613286ea7fd818a0661a07ee

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
93KB

MD5
8781d6c95f27bf40bd8b72360c769f47

SHA1
38e2430088cf389dce4373f2f5bd0a6d2446b831

SHA256
d42d3e9e3084759d793fc8e3386da1610fe857de9210e8bfe2fb2653fcb7abd6

SHA512
b2d20a7c275b87da3d87c4314d9dc192ec0c3dd3f4e45daabcaabfe8f67f18da4036417c1c6351a6f704486d8c9526a0fbe18e031ca9e58611fa4c8973e4a27f

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
93KB

MD5
0a9bca65230fb0b1e3aa96b0eb13be17

SHA1
d15075fe498d1c4151faf0dd4c242e68918e2e22

SHA256
3f1d1320114cb5a701fab2175f65c7d68db1238c17b259095205bbee168d27f1

SHA512
a317040b2b7a1398d8c76c9915253a1260cdbca1c28c54b2a827e33d0fd8eca1eaf8249138dac36110ea10c17e83dc3dde94f12e039bcd1ee97f1d05c4a61dfb

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
93KB

MD5
15a82050ae14da6a2603e8c4a3a0c5db

SHA1
688c578bb1ed40cd796800e08eeba6382830aa6f

SHA256
cc59214b06be89899d09d7f1b3f2d962ce3808469681f9ff040ce710b10d939c

SHA512
d97bfdbb29fbfd2f98518589e80d732da3ac4a939b40bd9bc2043489cf1224b282a976880117a34a674b19401b5c4eb80680144876ba61c1578517c6bc4be2f7

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
579580fc2acdf11c45c25ffe89e50b64

SHA1
20b490bb33ab7fc5354af65a58eea1865b4c192c

SHA256
5629de3d28e1d50949eefb10b694bb1014ce9d439eb0ae79e1f749cbbda9010b

SHA512
a42fe0375e5b8833335db63cee72b603c98571411b962972ae8555007c38078389bb67248771e1b90a92768c0a14d49355182cf36ef0364eda1d11bd1e4c266b

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
93KB

MD5
b011a71d2fffa0dab16ea62da99e6f0e

SHA1
bc881703addbb9537e17b2f6a713614962c1d74b

SHA256
c5f0cd94a4e8d280b25dd589e4a6f35958f59dcf4e7cf916d23342ecafc17594

SHA512
a6996df4354ee274f381066ee2efff1a5b4ea1f3500f03f0c2ce266678e29b81f19b831da659d562a4ffdc23ef2e10ee025c441c444f36918e9a0a2ed9eab913

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
93KB

MD5
0501ec6c40351a430ce073d8c556ccef

SHA1
6712aaadc5d29524c5fa30dc75a2be8dbc6df959

SHA256
1ed95464563e803136f0e11653a5e7476642616ca95ee409aab293cc0e653e02

SHA512
d9b912d40b34e96abca6b8470ed7da0fd566047b423befde5f58b9cd353a4197c5888eadccf84191229c66371e9c8101dabae2b054d83f71c2b4f8103a945135

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
93KB

MD5
ea1466d6200ea26a46d7eb21b5b28f61

SHA1
fcc0efbb113a0f5809083af6d96347c025990c76

SHA256
98d408b2933722965b31615f81ddc66965f6b6eccdf6b80bd389fa45a7273add

SHA512
0fa036242d6d0faa9b0a015a42a621fa53256648bd73306c3bf0067b4f016c05f7d84689d49aa1dfb7df7705e40b51661d6c4497070aa2cc049ad63ae6a263c2

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
93KB

MD5
ed76b4174bb71405df81b4e877350c35

SHA1
7dc50bef6fa7b416090be71d1ce1f7306e710f2d

SHA256
c489d4ba6801fc37a9efee3705d8bfb6d48d1470581ca7d316192249068bea4c

SHA512
8969ce40d44cf672ddf4934c20bba92717e944fa7b39e47a1d4ba10d9f61ad80e07460bd138cf1bd30b8144662475f978a781d3641552c9498d3da262feacd4a

Download Submit
C:\Windows\SysWOW64\Gdjjckag.exe

Filesize
93KB

MD5
78c043bdbf90933a55abbb470bce7f4b

SHA1
583a23aac24fdff7b7a4b92fb78c621aa235b54a

SHA256
7169c91aff442e7e9eedabba49ce2f99932957d626e9e8b3975b3d5db2a41197

SHA512
fb471ffd3d1ba21f68e66b86ef39a87eef40eaa08f685b603f99fca9e6d7b391a72c521ace45ddae13c71470c0e02f8303560dfc20e28c33f15d92ef0e4264cb

Download Submit
C:\Windows\SysWOW64\Hbbdholl.exe

Filesize
93KB

MD5
f52102031f2f5b5021a6729f402541e2

SHA1
70cd6fd8632433e9a7fb6daeead81308a7d12ea8

SHA256
1bc3492cf762011550e7831b3e82bdd28e669455678e8495ca4aef749d1c2a91

SHA512
ab7520cfe0cdb9b9aaf3ed2fdcb4ce4cf250dad278a57755d6e20641756df2d9c378555f638dbe8934561379930539beccd56768c04a6259020d3ec0f5c61988

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
93KB

MD5
cedb043a8dcd343267359e624ca35aa2

SHA1
a03cf5516fc2d4e6a1c9be2a138cf5c25fedbb0a

SHA256
e30859d9da09edbaf3ec8b6db6abe0129118cf2b02006fb951edc1b4aa62e757

SHA512
78527c080a38a64ee948dec5b316daf1aa42f18623cfcb7d98b69454cd1b6ccf4aa01c2efc4bf40fe10f918790ac7bf30a029ebd255b12014e23e3f7036abba1

Download Submit
C:\Windows\SysWOW64\Hbnjmp32.exe

Filesize
93KB

MD5
09b2e9a8b874175646716e3277de5a8d

SHA1
6310272442bee7ecd22194f4ea2b761f25ffbe43

SHA256
823154f277dffdd4d4ed9b4246d8755d2117cbfaa1b3c5420136898701891c05

SHA512
6c06d4482e081e4390bb0ef8387edebed66201280ce8a521d76ade0fabe88b10086bb8b58836e7893f7e0a1b446e98d78c4c4bad0b27a3540ae502d72cceb8ba

Download Submit
C:\Windows\SysWOW64\Hcbpab32.exe

Filesize
93KB

MD5
02b700ca197180951fa1b726e54845c5

SHA1
e396ef8cafdc9987c5055b3614e071e69d7f1cf9

SHA256
24d308f22a2e38cd00a87c0a39c704b9849d48ced692b92199c1d592327bdfac

SHA512
97624312c7728601711c4f7af9ca3747829fdb2c9ced3e4b9edbbd85a59ae0af3b47c8d75b5e0ca8a50daf1d0ae2de5e1a4d737dda7583b219c1c3cf3506d687

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
93KB

MD5
78df6ea77acb174ceed528cd433a535f

SHA1
bc539a9b5ac8bd38c695ffd64b00a36718910531

SHA256
51cac7d6e9d2068bf102a806ae983720ec604d1a7dddd8f3c05fc1c3d1db78a8

SHA512
2e4ba1b7f3d2fcc45938ec91dcf3f344a22f0292198e6478a7f9b34eb97f371e126dd78f8ae5552a16771bf4df693bc6a2878911b70a794e603b03f6e4742159

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
93KB

MD5
04fdde802c0332c63f5bef39cec9908a

SHA1
bb4b0038699ee98050919916cbfe6a175b5837f0

SHA256
ec8eaade18f4bb0802dbc6b6e61a446f7415b1430ae74e13bb3d45a249cc40d9

SHA512
84982c54fd0362e164a761c21e7f35ec1a77cd412b659e1ae6c02e3be3edaad250b0cf91fcf526cf9ad8a86345fb6e5f4ccdf4f91d22800a42b7bd9251299a41

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
93KB

MD5
d189324d9a2f0e45914ff400406c8240

SHA1
57e94bc34d2b061bbdc1eb89ccf53bc5e76328e8

SHA256
47359ed6c9e6fc05a2aca4bebf056c90cfd54b9e589f4b753a71deae407bc1da

SHA512
e817564a810f16ce3e8f96bcb9f743d1de30b961b47cf58743712ea205cda333b4a6c1dccfebdfc36a97f51f432aa4ee3962a9c4822294127fabfb946d61cb58

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
93KB

MD5
7eb84da476ab0feea86f11635e5ecc55

SHA1
8944330bd24d6463cf9c5905bf1a7d11a3102f47

SHA256
757a389358c35437726d3a468d203a41539b356e8ed610cbdba6721bf81d6ce4

SHA512
2b5a50d2172dda101b37ef858c12a9e87542f6821995474c2d6582c0bd0ffbbb2d0ffce6e632234ed5fd22c5b61a7865fdd5dcc4f8aad4b3e4ce3837e94854a3

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
93KB

MD5
685157b131eba57a6d94869c89d2bed3

SHA1
ccb1e7a43ba22c2ed993a5efd587a98f5e1da419

SHA256
260c22864fc9d10014ad58e3ff2516857e4dfaea13769c6c5c4b107858e5bf57

SHA512
f6ac18072b742f212fdb59afb1d11d118633cc1c300c63302cd5c327215b7f910c7ac147f8bf6f8cb76f29134dba766b1de9233dc5a3af088d65773e6cf1dd3c

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
93KB

MD5
6bc484dc7e76ed709dbed5c794316f09

SHA1
4bc401d885dd8761995000baa16169b9cb2d8db5

SHA256
623b83efba1587f1e4dc07eacefa0d0dbafb81d8aacaabdbff7284c1632e5d67

SHA512
3f77de0143260e4ceddaa10ea2c9025722e39410b2702fdad076995bbad036020668fedc1a453f3538d22490544ac635685586b99d7a653c5c7784b119f4d4c7

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
93KB

MD5
1b21aa81b07d1814be3b970ff07254e6

SHA1
45976ce1981f02c8527caddc47e635b6e6094c47

SHA256
a67be46323134ccd648f540727ee84eba9ad75eaa27108978a4b0e09c54f9e26

SHA512
e803fc25b47ec8cf49007c84c03cc7bd094c51b1828396dc8f01828508c567b8ec9288ea118bed692b01550268e6410b873bc18ae3dc4be27e9b6ed9fc7779ec

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
93KB

MD5
450529848cb4795cab1e11aa5a75897c

SHA1
51e6ed1d3cbb339355c88e7212cd4eb47082f851

SHA256
7018810c5692d0d2a7913d80139ffad239b5557e4b73868398280e2a8c1b203a

SHA512
bbeec7a1043958a3bd0e6712d8189cb33c4ac02942f8e8dc55687cd2ebe77f3c0fd979332efd68f44d6a0ad69458311aae12eb3b14efba78dfc4b53e3f860bbf

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
93KB

MD5
1526cdae8057a5e8b40aa7fe1cd6764b

SHA1
6fb8e3747007d21bd0ed1bdbe6762fe4b4b753b4

SHA256
17964dc6bb0bc16eded93e8d8219dedd8a70e6e0109eacfa7270ff801fa87b56

SHA512
2936c2bd0769906d8960ebe2448ba907c62e950b99e56ff34960ba0f6c990806034fd490a8c0e715205151160fa14bc31d37573123e2232d7542ba52cf4a461c

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
93KB

MD5
9c2ee4866ebbb11045146a25a9a092e8

SHA1
3024d60ed5f2fbdf81774a960d98d2d73656e041

SHA256
f1fb1dff93517cccf97373b7fa9b47abe34305a8bfa42c34aa5a2a0444008ba6

SHA512
e626838ac0841b5317a03727be74d0ea3aa7842ba89436877c0f5689d7b59e3e18d4635c3111b28a6028114488b2ab4ad69f2d910b96e763e17703c66adeba8f

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
93KB

MD5
d977098fe8f29bd24bb7bd7f5fcc7c4b

SHA1
a860b79c18cee49ab5779d2963af89fefc28f125

SHA256
73a96d2e48fa7201c5de43080a6a7cbf76cd0ad1899331c648c285004752087d

SHA512
75a0709b486505e850d1a3ec93d7359dc74fffd2edd73852a1e0650e9b92b8d0172035ba1a4742ff53a319764625c421167177c64a5ae1b2d91044b7f2540bd4

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
93KB

MD5
c8b4a8a859952c23ccde92ab24c01ba2

SHA1
4e78355e126d5e000a2e57d48c36327304e59ce9

SHA256
4f4f77a16743f9239578a35d88627be80e786ca0438909ed6392761096777873

SHA512
7ad5c3806270d9d41861886fab2f004ab860821ec2813918bf70cc21e425a12d271ef1e68bdfbd8078ff192ca2dbba1eff8fad5afccc7d4ecbdb5fc85506a342

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
93KB

MD5
1b0b6e8e9c4cebfc57f9ecd853e930b0

SHA1
f477cca0b560952f0d710cd19029c74044861ffd

SHA256
a38dc8501f4cd9af265a1c79f5d2f80f8a3bfd377cad4eba9291bb0c3f911f14

SHA512
642c2163e0b1b8cb88915a88d3d471a486847e964f225d6464fb734ae7241a67c2aaa046ef676d08c5ae841b2266f563316b87f89be7c4db608d6ab69f7ebcee

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
93KB

MD5
91e70c02ec1f1fac2d9f345802fc0fa1

SHA1
80fa62eedf4cf0b77663108ad31f3a50ef6358a1

SHA256
ffc0123f75af4caa61618a76c344bd1f926e47947677dafaf523395aca808db3

SHA512
23ad61fd901c44a425e5f5e0a67e29dd41f372d9fb59ff00b48065cf6fe9c59c04f258e55c57384d70b41c8b10096d69b9fa77276f862220a99b656bb3d26cd6

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
93KB

MD5
13b3713bc991d29ac705b3e6c835dc55

SHA1
b8355f555eec53f247819e8a13936b1c0151502e

SHA256
d2ef3d83c07212185ecef98fbd22f8ea30b680d9c17395bc6c5e6138182c50cb

SHA512
c8cae3e7d44a74d4788ff1e0d7ff71d38bc5f1673398b836fda0f12944f29dd30dd874e7d8fdfd4c1d5f2bba8ee934e762f09f5cda6bc00f31aaa37750d87c3d

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
93KB

MD5
c02712967842fb95d2773d88a05f777b

SHA1
60b3de55c8e8166eaf8f699a53ac350ad32dfe24

SHA256
00ce2ef4268e28a40684e4e52642640b49c98ef89b308cc1041c0263946ac378

SHA512
1eb8b6aa7f0d3c5facc13261ff5ffde5983db3993cea7efcdeda929df98e98f3d3b694e9bd84a0c02bae85f93f72e907d6e2926f9359d4f3f323e4ac2670f756

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
93KB

MD5
66613e434cb17264f1caaf76d9e821eb

SHA1
d7bdd1cce74591738e8edf8394fc11cb3d56780a

SHA256
153c50762ac3b9f06b075238c98d0a7296a32df70cdee9ab29756053643bd779

SHA512
98acc405e6b58a010c4011e576180b066349a9ced37964c2fcb2a55a64f105f40e1c9b068d98da46bb89dbf66d9c40947dd6a6abaad71c95100ed07320bd7849

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
93KB

MD5
a184c0a25bb96a167301868546f542b4

SHA1
2d85d9cd611969ee80aa42d2b6b09d87304ca123

SHA256
a3e837d8b4e410d30717aab3048c15ec7cc53c82cf497d1c4b65f4aac0b05b05

SHA512
4b74e254a097574da6ccbf63b9dfeaf3c7535b421c28776e22ebb30f852abc7215394f34e792c7d711825d6027d98a54b7166d179ca5a561b419bd2db5821ae3

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
93KB

MD5
1c0f24c3ff1d1106029bc4947f5b5b6d

SHA1
71711c14940d51aecbc0da4056d4c6dda893e4dc

SHA256
aa85a816b59dac5d44efe48cac634de88c621c8767a5ccb8c8271930b00a52ed

SHA512
5184506e7840fe155fd8bc5086317e72a3c90af4654402b9f89f0720cb16977049ecb08c77e1be4336997e52e793935de7d964f98cad30baa04a34e1fff89e05

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
93KB

MD5
a8ba7897f0495596048c3b87923133b5

SHA1
c071ac13dc213730c9da3cd64036cbd89df8f25c

SHA256
b516abf677957ed4147df3623daffb4c01039a42215ddf8b208d3fb415d88749

SHA512
458af45266dfeb5fb55dba63e8e63edb7dd3d9d311978388d6a3048d6299067fb464d6db1cbe9f73273e34f4819f3134c37fa351edc0cc83bfebf5d442118a83

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
93KB

MD5
2e05669b965d9e01634a9c91b20ae207

SHA1
09d6603aa33c9ef909ad40fb3cbbdea70240dbb1

SHA256
052c5cade02355d3716b126e9696b5807dac9b32283d85931a4497679c9263b9

SHA512
f89e57e607180c2d551b2d5ffb181dc24ecb8cbf0c3427a0bd234232d4c4d68cd046f3691d5f32c1a4ed5a99de77923649da932eaeb3e41a6e7c2c785d4f99f8

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
93KB

MD5
aaff246b8fc0df5f55d50ba2717c43f7

SHA1
f4227911e48070bba796cd53cc107e38c7f3fb3e

SHA256
55c74b39e03fbe2f7f6207ab5a26b7dfc33d6101dc2276563c381c8d5bc61e4d

SHA512
e63b0d6079ff839493903d8132cc85570478a1d65d4ccc7c62352e0de7a8bd108bdc8b5d473515936f40e5a299e0750607ee43f39c5001aa0ba99c3468d75bbd

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
93KB

MD5
e96fed98f25a638813fc380457b638d2

SHA1
622723a42878de873b16e81045bf7537ba61f3b7

SHA256
9b50460c15ed6b228678628c1d7c79f7df73c5b0d8e463bed323bdd8fb7578e0

SHA512
2095b565109a7afb4dcb50cc7d952d22a1c772be7974340d61e95256584d6761d3dbcc4f5cdbc24d42dbe165b05486e9cc6bff49af9a05529470992630b87b2b

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
93KB

MD5
f9e57444d0bfc5f8ccc1831c30055d5e

SHA1
6ab9288ab86696d0f23667ebce57f831a3df0e06

SHA256
7ab365f60d4a256ff9e61c0686409219a65e8781ac194b6c2b536f533ec52772

SHA512
c9c5174324abd41743270ed4b45d1db1eed3af9fb1ef7390d6328e242cdc87062001bba052b8dde768a5d81c6ad150627f9b7bcb373df566a438ea745678f744

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
93KB

MD5
4588c4c0ca1962b660fe1c27f4f26307

SHA1
1fcc0b487585b72c3a561273dae8a78aecec83a6

SHA256
49dbed0c16ca265830896e480eb752737e48f00017f9f09404284258e0c8c9a5

SHA512
17b773d1dfd396b7109166cf0f4fda171b255069aa770419a297cb840b5c2e41bd6a679a61fbc6ccdaf015d5ea01aec331e9513dfe6d5541c3f4bd9f2638b9d0

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
93KB

MD5
e07b9296a075260799ec76ba5594bb6c

SHA1
2bbacaa71224691134597eb8cf09a75ab6f40cd9

SHA256
93f1eb07edd9509e533fb1ce4325dbbaf095bb01abca63d366039829f93b1179

SHA512
c35f1bfa1d6294cd19893028a5729740c45760934e44274b3f991d6084ec1df107952b7ef1c1b46d49a54e408de552508ef27c2f98dd5e54e8f52eb54c5bf0c7

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
93KB

MD5
a397a5aac55307a4f062b78dba13471a

SHA1
5a1f201568bb63c5de59da1449082b00637bfc0e

SHA256
bfeb3d20d466d8b9bfff9fd5209c14b9e8a683580ee72096d2cf93b439f76bf8

SHA512
da3f8686efc44003467de59f273af058ce379ef3619ad2119365a0de10f7a90fb65c3d739f6aa82f33ce8e2ff02c395ff7bd6bca39cc136a40f697d6e27335e6

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
93KB

MD5
58d530077ff2980ff1844cbf977e5269

SHA1
966ba99511ca8ce859121156fdde59dc5d0721a8

SHA256
a6fd1e6e1a64edfcfaf35948fd0b6c35a6bc43843119bb9107cd1cc110326d8b

SHA512
52d928e199252d6ac8812532bf842ce9de4464053d2779bc3148bac862bd6af223852b03a3898a28d25d85e550415c59ae64d431161d133ecf01fec96f612201

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
93KB

MD5
617d432be0aa44a4d5b4a5f389312a62

SHA1
c9da6b99936e61c2208bb548a7c14ecdd9f779d7

SHA256
a2f17a80882c32776f6e0f39dfb7915fbe975428890c1b737482b3962bd3ab82

SHA512
7ecd8fea9bf27d16af637b7b4b204a7e2a44cee3ce56af6ceddb073b5af338cd859e9b2b21ffcb206d23af3be4f0ba81b172f130abaf1678a72e077031ced3fe

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
93KB

MD5
197c8a16e132a60f3c0241d93b4f97fc

SHA1
31aa3cb51dc5345a7b67a8303390a283578fb1c0

SHA256
1283d449d045fe7592310dfa0b943b479f482f6984982303c422706011910f04

SHA512
1a78adcce690382379145a211cb0d1299df6697ae9d43756871220fd809cb0e0e043f17c3b30b95bac3213cfc237f377484e4110d9150529db82c84cd52c9de9

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
93KB

MD5
92c9701de39a1562391d5754b0f69ff4

SHA1
bb1d0bbcfd9521cab85c7df433ab79b5c7019bd7

SHA256
1218dca31c8ea3474f11d11c0a1d7d1758c3c303e04ac74d0ee7683fac886449

SHA512
7b838a2ba6242e3b5c4f797e2b92a56e3dc6c4fbd64b8734b6ff0bc1eee4004473da6b7c4be756a20807bd484cc1830658edef95ebf59d176a6fb1db957a2e8a

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
93KB

MD5
14bc56efb8b6ac9b5be2bf64d2bc3c00

SHA1
7c76135d85262bb1a5e8cfbd3448dcf50ae6c19a

SHA256
4405314b5ceccabd74048b9cdd9ca9692c75e5d439d5b1928558630bfcd9227e

SHA512
35e9a937541078a055043182b38c2129370e6b4c4592c9c92e78b24fc00f58229bd6496d192e6801abfbd1ae6c14ec142dcc69f01d23bf3ea26b98405d016730

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
93KB

MD5
eeb5f2731214446ba5e048d61a2c8989

SHA1
79b47483845b99ae6de8be0a1c69269b9f8c76a7

SHA256
81f5197dea4e6e68d52f680dbbf99f9a8b0161a6127e3e472f2e48b3c54d83e2

SHA512
6295e49605dd1f7397a07737c5f1e6e9b209c08f673393faf00eb9637baf08bfcbb7f4dfe24d9170d58962126b70dc4225921af8f9c83f4e8721d84d4a6e8d2f

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
93KB

MD5
87d75724da746b6d5ff5e585236e4f73

SHA1
5b2183e309870366110e12199abfca971d37e4fb

SHA256
e7d0015bae416881eceeb2b9e33ad0de5f1029f6c177733eab69177896007bce

SHA512
2e8938f2370228344412002affe8c87e08c9f6ec264ac0d563cb46c94f01564224b73628b65978244488fed99c0ceba57e8717962f0086c59db0bcc5e0c031ce

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
93KB

MD5
7a263c78ef6f2ec5ec0cea869e629e24

SHA1
1b6fe9758d36e928ccd64459333e04d44bd5b801

SHA256
2030154bb90e2a8eff7e84340c7c5a7f367f7830f46af6f25e19452d32a47205

SHA512
140f54bca53f5b9381481f99775efa6db934ddc8ba31597ab4fd5ba86f0485179b232f5233a1081a6e8010977a546251d2384afaf294c91df6e45fe549dfb50a

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
93KB

MD5
a6a4f224b7be7db6c5041512873f779b

SHA1
92ec0aa34e4899d53c579d7b18f3ac14de3da282

SHA256
b9fe80fb0f820c057f50f0cb3c0835409cce12055c9c6429bcdbd0632b27bff5

SHA512
fa6c5c56a3bb33ade00d2512d4e49cf535c4e21ac87fbebdfacfc7cd80f884f47c31158e4aa9711718051c3edb4dfbfa8e59141cf4e27c1495eeac5d595f9812

Download Submit
memory/448-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/532-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/900-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5432-1335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5648-1389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6252-1310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7048-1275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads