berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
97s
max time network
188s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/0576f4bbcb57c686dbfc66760a969b33.exe
Size

109KB
MD5

0576f4bbcb57c686dbfc66760a969b33
SHA1

8218cf48a6215f22c5dd0b476696fb7bcf5d1f2e
SHA256

884e757aea8afcd615131f9debd05036be089b35ee81d3a61da26583afa8f46d
SHA512

81ee495c58a4534165ed97335af060b5408f8b8b69346e059836df996086c0dc99d575b7222e519182558a424f64f5bd34b3e4c7cf194416a5eb56cdcbec8325
SSDEEP

3072:qOzE6W6Ggs7PuHH8fo3PXl9Z7S/yCsKh2EzZA/z:qEa7PQHgo35e/yCthvUz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqgedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpfbcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiopca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmhijd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooclapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihkjno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqnjgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doccpcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkofga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edbiniff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekcgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpdennml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebkbbmqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khbiello.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haodle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iolhkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kamjda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofefp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhqcgnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egened32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gihpkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1292	Dnonkq32.exe
1264	Dqnjgl32.exe
2708	Doojec32.exe
5060	Dbocfo32.exe
2372	Dglkoeio.exe
2136	Doccpcja.exe
1888	Ehlhih32.exe
1708	Enhpao32.exe
1184	Edbiniff.exe
4348	Eklajcmc.exe
2716	Edeeci32.exe
2320	Eojiqb32.exe
4920	Egened32.exe
4196	Ebkbbmqj.exe
708	Ekcgkb32.exe
3264	Fooclapd.exe
4612	Foclgq32.exe
1780	Fgoakc32.exe
5116	Fqgedh32.exe
4956	Fohfbpgi.exe
4388	Fkofga32.exe
3008	Gegkpf32.exe
2624	Gihpkd32.exe
3412	Geoapenf.exe
3452	Gpdennml.exe
1656	Hpfbcn32.exe
2416	Hpioin32.exe
1704	Hpkknmgd.exe
4888	Hlblcn32.exe
3372	Haodle32.exe
4256	Hppeim32.exe
1664	Ihkjno32.exe
1500	Iacngdgj.exe
4424	Ieagmcmq.exe
4488	Ipgkjlmg.exe
1280	Iiopca32.exe
4976	Iolhkh32.exe
3888	Iefphb32.exe
1108	Jifecp32.exe
3508	Jocnlg32.exe
2960	Jhkbdmbg.exe
4516	Jadgnb32.exe
4548	Jpegkj32.exe
3260	Jeapcq32.exe
676	Jhplpl32.exe
5112	Kedlip32.exe
5032	Khbiello.exe
3616	Kheekkjl.exe
3392	Kamjda32.exe
2476	Klbnajqc.exe
8	Kekbjo32.exe
1868	Kpqggh32.exe
660	Kiikpnmj.exe
2496	Kpccmhdg.exe
2616	Kadpdp32.exe
2340	Lhnhajba.exe
1164	Lohqnd32.exe
3668	Lindkm32.exe
2412	Lpgmhg32.exe
5048	Ledepn32.exe
3408	Llnnmhfe.exe
1752	Lchfib32.exe
4300	Lhenai32.exe
1320	Lplfcf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fkikinpo.dll	Dbocfo32.exe
File created	C:\Windows\SysWOW64\Egened32.exe	Eojiqb32.exe
File created	C:\Windows\SysWOW64\Kpbgeaba.dll	Mljmhflh.exe
File opened for modification	C:\Windows\SysWOW64\Nmaciefp.exe	Nblolm32.exe
File created	C:\Windows\SysWOW64\Opbean32.exe	Omdieb32.exe
File opened for modification	C:\Windows\SysWOW64\Pjoppf32.exe	Pcegclgp.exe
File opened for modification	C:\Windows\SysWOW64\Iolhkh32.exe	Iiopca32.exe
File opened for modification	C:\Windows\SysWOW64\Jeapcq32.exe	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Hghklqmm.dll	Kiikpnmj.exe
File created	C:\Windows\SysWOW64\Nfenigce.dll	Mfpell32.exe
File opened for modification	C:\Windows\SysWOW64\Oophlo32.exe	Omalpc32.exe
File created	C:\Windows\SysWOW64\Cohddjgl.dll	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Dglkoeio.exe	Dbocfo32.exe
File created	C:\Windows\SysWOW64\Olekop32.dll	Hppeim32.exe
File created	C:\Windows\SysWOW64\Khnhommq.dll	Jhplpl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqoloc32.exe	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Pmkofa32.exe	Pcbkml32.exe
File created	C:\Windows\SysWOW64\Jhplpl32.exe	Jeapcq32.exe
File opened for modification	C:\Windows\SysWOW64\Kadpdp32.exe	Kpccmhdg.exe
File created	C:\Windows\SysWOW64\Mfnhfm32.exe	Modpib32.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Ojqcnhkl.exe
File opened for modification	C:\Windows\SysWOW64\Ipgkjlmg.exe	Ieagmcmq.exe
File created	C:\Windows\SysWOW64\Hmjbog32.dll	Jadgnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lohqnd32.exe	Lhnhajba.exe
File opened for modification	C:\Windows\SysWOW64\Llnnmhfe.exe	Ledepn32.exe
File opened for modification	C:\Windows\SysWOW64\Egened32.exe	Eojiqb32.exe
File created	C:\Windows\SysWOW64\Bfcklp32.dll	Fgoakc32.exe
File created	C:\Windows\SysWOW64\Haodle32.exe	Hlblcn32.exe
File created	C:\Windows\SysWOW64\Ipgkjlmg.exe	Ieagmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Ncmhko32.exe	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Fpnkah32.dll	Ncpeaoih.exe
File opened for modification	C:\Windows\SysWOW64\Omfekbdh.exe	Ojhiogdd.exe
File opened for modification	C:\Windows\SysWOW64\Ehlhih32.exe	Doccpcja.exe
File opened for modification	C:\Windows\SysWOW64\Jadgnb32.exe	Jhkbdmbg.exe
File opened for modification	C:\Windows\SysWOW64\Oonlfo32.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Opbean32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbkml32.exe	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Ebjjgd32.dll	Dnonkq32.exe
File created	C:\Windows\SysWOW64\Gegkpf32.exe	Fkofga32.exe
File created	C:\Windows\SysWOW64\Jifecp32.exe	Iefphb32.exe
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mhanngbl.exe
File created	C:\Windows\SysWOW64\Gpdennml.exe	Geoapenf.exe
File created	C:\Windows\SysWOW64\Hlblcn32.exe	Hpkknmgd.exe
File opened for modification	C:\Windows\SysWOW64\Klbnajqc.exe	Kamjda32.exe
File created	C:\Windows\SysWOW64\Jlmmnd32.dll	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Oipgkfab.dll	Mofmobmo.exe
File opened for modification	C:\Windows\SysWOW64\Mhanngbl.exe	Mbgeqmjp.exe
File created	C:\Windows\SysWOW64\Nofefp32.exe	Nmhijd32.exe
File created	C:\Windows\SysWOW64\Oiagde32.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Clpchk32.dll	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Kekbjo32.exe	Klbnajqc.exe
File created	C:\Windows\SysWOW64\Faoiogei.dll	Mfnhfm32.exe
File opened for modification	C:\Windows\SysWOW64\Mofmobmo.exe	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Jibclo32.dll	Fooclapd.exe
File created	C:\Windows\SysWOW64\Ihkjno32.exe	Hppeim32.exe
File created	C:\Windows\SysWOW64\Iolhkh32.exe	Iiopca32.exe
File created	C:\Windows\SysWOW64\Dndfnlpc.dll	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Iiopca32.exe	Ipgkjlmg.exe
File created	C:\Windows\SysWOW64\Enalem32.dll	Iolhkh32.exe
File created	C:\Windows\SysWOW64\Igkilc32.dll	Ncmhko32.exe
File created	C:\Windows\SysWOW64\Pmphaaln.exe	Pjaleemj.exe
File created	C:\Windows\SysWOW64\Hobbfhjl.dll	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Cjkhnd32.dll	Obgohklm.exe
File created	C:\Windows\SysWOW64\Pcgdhkem.exe	Pjoppf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5528	5440	WerFault.exe	204

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hppeim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Foclgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eojiqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpioin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpegkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kheekkjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjhmhhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhbqbae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqnjgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeapcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfpell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omalpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edbiniff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpdennml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhplpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiikpnmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lchfib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqoloc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0576f4bbcb57c686dbfc66760a969b33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khbiello.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kamjda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledepn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgkgijg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiagde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgdcipq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekcgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfldgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njljch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmhko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipgkjlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhnhajba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpgmhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdieb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedlip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmaciefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohqnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqklkbbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhpao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlblcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lindkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjoppf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcgdhkem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnonkq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfojdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhijd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkofga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkbdmbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modpib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbkml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglkoeio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebkbbmqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhmjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iolhkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbnajqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplfcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obgohklm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihkjno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfiokmkc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5876	MicrosoftEdgeUpdate.exe
6004	MicrosoftEdgeUpdate.exe
6092	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dqnjgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olekop32.dll"	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibepke32.dll"	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkphhg32.dll"	Geoapenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll"	Haodle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll"	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eojiqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpfbcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Likage32.dll"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eklajcmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpdennml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkikinpo.dll"	Dbocfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enhpao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begfqa32.dll"	Ebkbbmqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakbde32.dll"	Hpkknmgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfiokmkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbgeaba.dll"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcajc32.dll"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obgohklm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eojiqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjbog32.dll"	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lindkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfenigce.dll"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieppioao.dll"	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojehbail.dll"	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfmmb32.dll"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcomn32.dll"	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgnho32.dll"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dglkoeio.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 1292	4160	0576f4bbcb57c686dbfc66760a969b33.exe	85
PID 4160 wrote to memory of 1292	4160	0576f4bbcb57c686dbfc66760a969b33.exe	85
PID 4160 wrote to memory of 1292	4160	0576f4bbcb57c686dbfc66760a969b33.exe	85
PID 1292 wrote to memory of 1264	1292	Dnonkq32.exe	86
PID 1292 wrote to memory of 1264	1292	Dnonkq32.exe	86
PID 1292 wrote to memory of 1264	1292	Dnonkq32.exe	86
PID 1264 wrote to memory of 2708	1264	Dqnjgl32.exe	87
PID 1264 wrote to memory of 2708	1264	Dqnjgl32.exe	87
PID 1264 wrote to memory of 2708	1264	Dqnjgl32.exe	87
PID 2708 wrote to memory of 5060	2708	Doojec32.exe	88
PID 2708 wrote to memory of 5060	2708	Doojec32.exe	88
PID 2708 wrote to memory of 5060	2708	Doojec32.exe	88
PID 5060 wrote to memory of 2372	5060	Dbocfo32.exe	89
PID 5060 wrote to memory of 2372	5060	Dbocfo32.exe	89
PID 5060 wrote to memory of 2372	5060	Dbocfo32.exe	89
PID 2372 wrote to memory of 2136	2372	Dglkoeio.exe	90
PID 2372 wrote to memory of 2136	2372	Dglkoeio.exe	90
PID 2372 wrote to memory of 2136	2372	Dglkoeio.exe	90
PID 2136 wrote to memory of 1888	2136	Doccpcja.exe	91
PID 2136 wrote to memory of 1888	2136	Doccpcja.exe	91
PID 2136 wrote to memory of 1888	2136	Doccpcja.exe	91
PID 1888 wrote to memory of 1708	1888	Ehlhih32.exe	92
PID 1888 wrote to memory of 1708	1888	Ehlhih32.exe	92
PID 1888 wrote to memory of 1708	1888	Ehlhih32.exe	92
PID 1708 wrote to memory of 1184	1708	Enhpao32.exe	93
PID 1708 wrote to memory of 1184	1708	Enhpao32.exe	93
PID 1708 wrote to memory of 1184	1708	Enhpao32.exe	93
PID 1184 wrote to memory of 4348	1184	Edbiniff.exe	94
PID 1184 wrote to memory of 4348	1184	Edbiniff.exe	94
PID 1184 wrote to memory of 4348	1184	Edbiniff.exe	94
PID 4348 wrote to memory of 2716	4348	Eklajcmc.exe	95
PID 4348 wrote to memory of 2716	4348	Eklajcmc.exe	95
PID 4348 wrote to memory of 2716	4348	Eklajcmc.exe	95
PID 2716 wrote to memory of 2320	2716	Edeeci32.exe	96
PID 2716 wrote to memory of 2320	2716	Edeeci32.exe	96
PID 2716 wrote to memory of 2320	2716	Edeeci32.exe	96
PID 2320 wrote to memory of 4920	2320	Eojiqb32.exe	97
PID 2320 wrote to memory of 4920	2320	Eojiqb32.exe	97
PID 2320 wrote to memory of 4920	2320	Eojiqb32.exe	97
PID 4920 wrote to memory of 4196	4920	Egened32.exe	98
PID 4920 wrote to memory of 4196	4920	Egened32.exe	98
PID 4920 wrote to memory of 4196	4920	Egened32.exe	98
PID 4196 wrote to memory of 708	4196	Ebkbbmqj.exe	99
PID 4196 wrote to memory of 708	4196	Ebkbbmqj.exe	99
PID 4196 wrote to memory of 708	4196	Ebkbbmqj.exe	99
PID 708 wrote to memory of 3264	708	Ekcgkb32.exe	100
PID 708 wrote to memory of 3264	708	Ekcgkb32.exe	100
PID 708 wrote to memory of 3264	708	Ekcgkb32.exe	100
PID 3264 wrote to memory of 4612	3264	Fooclapd.exe	101
PID 3264 wrote to memory of 4612	3264	Fooclapd.exe	101
PID 3264 wrote to memory of 4612	3264	Fooclapd.exe	101
PID 4612 wrote to memory of 1780	4612	Foclgq32.exe	102
PID 4612 wrote to memory of 1780	4612	Foclgq32.exe	102
PID 4612 wrote to memory of 1780	4612	Foclgq32.exe	102
PID 1780 wrote to memory of 5116	1780	Fgoakc32.exe	103
PID 1780 wrote to memory of 5116	1780	Fgoakc32.exe	103
PID 1780 wrote to memory of 5116	1780	Fgoakc32.exe	103
PID 5116 wrote to memory of 4956	5116	Fqgedh32.exe	104
PID 5116 wrote to memory of 4956	5116	Fqgedh32.exe	104
PID 5116 wrote to memory of 4956	5116	Fqgedh32.exe	104
PID 4956 wrote to memory of 4388	4956	Fohfbpgi.exe	105
PID 4956 wrote to memory of 4388	4956	Fohfbpgi.exe	105
PID 4956 wrote to memory of 4388	4956	Fohfbpgi.exe	105
PID 4388 wrote to memory of 3008	4388	Fkofga32.exe	106

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\0576f4bbcb57c686dbfc66760a969b33.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\0576f4bbcb57c686dbfc66760a969b33.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\SysWOW64\Dnonkq32.exe
  C:\Windows\system32\Dnonkq32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\Dqnjgl32.exe
    C:\Windows\system32\Dqnjgl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\Doojec32.exe
      C:\Windows\system32\Doojec32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
      - C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        23⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        53⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3340
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        74⤵
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        77⤵
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        79⤵
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        81⤵
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        84⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:360
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1188
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4464
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        98⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3484
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        100⤵
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        105⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        106⤵
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        110⤵
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        121⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 448
        122⤵
        Program crash
        
        PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5440 -ip 5440
1⤵
PID:5508

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDExRDU3NEYtMDM0RS00MUZBLTg2RDMtMDhGOTkyMkY5NTU2fSIgdXNlcmlkPSJ7Qzk5RDQ0QzItQzUxQS00QTg4LUI2MkYtMTk2MjZCN0I3QTA0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODZDNDM1RDQtQkNEMC00MjgyLTk4ODItQUU5NEVENDg0RDMwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NDk2IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NzUxNDQwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTM2NDUyNjM3MyIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5876

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5824" "1200" "1128" "1204" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5952

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDExRDU3NEYtMDM0RS00MUZBLTg2RDMtMDhGOTkyMkY5NTU2fSIgdXNlcmlkPSJ7Qzk5RDQ0QzItQzUxQS00QTg4LUI2MkYtMTk2MjZCN0I3QTA0fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntENjA2RjI3Ni0yNjAzLTQxOUMtODc4Ny01RDI3NDQyOUZFOTZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjY3IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM0OTM0Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTM4MTg2OTk5MSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:6004

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDExRDU3NEYtMDM0RS00MUZBLTg2RDMtMDhGOTkyMkY5NTU2fSIgdXNlcmlkPSJ7Qzk5RDQ0QzItQzUxQS00QTg4LUI2MkYtMTk2MjZCN0I3QTA0fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins3ODhGMEQ5RC1BMkVGLTQwMEItOEM4OS0zNTc5QjgxNzU2Njl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xOTUuNDMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBjb2hvcnQ9InJyZkAwLjk1Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjMiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezYxOUNFRDFCLTUyNDEtNEY4Ni1CMkY3LTc4QUU4N0QwNjI0Q30iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMiIgY29ob3J0PSJycmZAMC43MyIgb29iZV9pbnN0YWxsX3RpbWU9IjE4NDQ2NzQ0MDczNzA5NTUxNjA2IiB1cGRhdGVfY291bnQ9IjEiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQxMzk1NTQ3Mjk2MjAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSIzIiByPSIzIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7NDY1NzAzRDUtOTkyMy00NTFCLUE2OEYtREUzREI5QzU0NDIzfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjIiIGluc3RhbGxkYXRlPSI2NjA4IiBjb2hvcnQ9InJyZkAwLjI2Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjMiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezE5QTExQUFCLTZBQTctNEQ3RS05RTJCLTQxOUU3ODFCMEJBOX0iLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:6092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dbocfo32.exe

Filesize
109KB

MD5
a5f90636d4ddf114a57a9d52700377b1

SHA1
7e62ad146136226d420707c46f761d5b8f524feb

SHA256
e9413151093a2ac3e60b7e5c30a8a65836f11b5256b2b4a1b83d687c5d3362bd

SHA512
c28027496057aeb0ea4bb1e48f241376a4a197c4be1f8d928ce63bc614734214109f7500cfe2a04d49f654eff32655afb8e2375c7c4c286e772176ab6c8ce339

Download Submit
C:\Windows\SysWOW64\Dglkoeio.exe

Filesize
109KB

MD5
e0da8aaf45842266f5e70767329624af

SHA1
48b93e364100f51cd1bee53193087ae025d3c1c4

SHA256
11f1323ca6dffa910649b933c366441bb1ebe2c512fc40e6828392ea7a29791a

SHA512
ee252def8e6ddf97f54d39f5951e560c7c85836799f498c69f3e73f2eda5b9b71e9e26485bfc46660bbc58060cf069a540090db053d82448f3ba3867e7515e3e

Download Submit
C:\Windows\SysWOW64\Dnonkq32.exe

Filesize
109KB

MD5
a74eea548ab9570de1cc1d7ec2eb7b55

SHA1
2fe08455e2d56458da12cd0705c13481819440ca

SHA256
ecb7b719d7ceed8a51b7d7014f080a1c4dd78fff422dd4d1861017641227f014

SHA512
44f3944c024d582f171e21a0cb6b65c177682d2bcd6ef7ff5a9a96756176045cf543f84a043bcdf4444425952cc719f35398ff349cff49ea49a7a702821285f1

Download Submit
C:\Windows\SysWOW64\Doccpcja.exe

Filesize
109KB

MD5
5e5b5711214f528703f6dd6f6b413b81

SHA1
6266ce0f81a46bd704fceb632468a710a4c9f3a7

SHA256
72f28f4ba424da8980f53c2f1a5baf6e88e4c0814f8a853f96cbdab9b861646c

SHA512
ac4094aac502d9e69a93d73a091857297e93b385ef4b4d78229137055be4d09715afc91c2ade214a584a2a6a2aee8a6e8d69d51f1cfa172bcb6b08a79abfea36

Download Submit
C:\Windows\SysWOW64\Doojec32.exe

Filesize
109KB

MD5
abd4c39ca42e44b59a7bf816c5c21446

SHA1
bf2c1e6ea687ef106bf223542c2e5df6775d5de6

SHA256
81c7832ad2786841d20c5999a6a540d6acedeec956b21e821cc1100a8a5dfbfd

SHA512
b581e6696d6b64e4654af69629107468a16c53c57b9a84008f797f99663d1e496fa71c157455b13ae8843d07d4884b4b2cae04270e970886891c5524d75aa9f4

Download Submit
C:\Windows\SysWOW64\Dqnjgl32.exe

Filesize
109KB

MD5
f29ecf12aef7a263b9ad005a005fc2c7

SHA1
6156ea085554c176cf6e9a70a9300d528ea32fe1

SHA256
5014e04f5aa8308e0873a07653292e2b6eda5a441a615319cc237706bca4644e

SHA512
0b5e7cb3c27a02ce65a4d7c3fe3f889c4a13af0241f0487b5b3d09452aee2f1e5579b7aff21ac73c42a4916dcc9fa700449604e23a1912e5bdc1f798c2d8447f

Download Submit
C:\Windows\SysWOW64\Ebkbbmqj.exe

Filesize
109KB

MD5
739f2790e705a14587747c3bee93cbdc

SHA1
8d02efaa7a909f65f2c8cdf8e9645de87ddfcb93

SHA256
876a79224f99118046f62729f9aaad1a3def18ebde1a070a327fd860ac39d227

SHA512
af94774ca49d999977a075081ea7263b0c188f30a60154568ff4931cf68202efddd25be45adb615740979b578bb4387b5e1ee581cade984d178ff527a21df440

Download Submit
C:\Windows\SysWOW64\Edbiniff.exe

Filesize
109KB

MD5
a38fc472f38fc4f66291b7acece36590

SHA1
2059916d356ff54651a12696d67b1c8e0f9ce65b

SHA256
aadb8d7d75eef5c2bbad495ed69d094f82ca9ebfefe69e4db73994c535d7186c

SHA512
5c29eb3cab5b7850e19f8bca9469e0e84c0f37f7961d1ae3480a0746e98518b54fd9cf33a14a7dd00add603de7383c6ce09c23b43c2f3d7013976dab384c21b2

Download Submit
C:\Windows\SysWOW64\Edeeci32.exe

Filesize
109KB

MD5
64af5086d17c827f0e1b657cae7893e3

SHA1
8ea7a3424b0426671e741c76fcb75bbc9a552ae5

SHA256
6fdf4908613b802a22f5e15ea4d8bfeceab89308b1bab8d8660376bc3ec11949

SHA512
b2f581cc81854800a9816255953d51e3c814d9823e8242dc13e89e95551c9fba567863a098015f29c6ae52203eca19a72936f2598bf356fcd6f77164b5c60305

Download Submit
C:\Windows\SysWOW64\Egened32.exe

Filesize
109KB

MD5
7390c510cda0bdb7a6e9ba102f3e2a50

SHA1
2971aafcb1f0c9a417e7eefcf6040f5b0c29bd64

SHA256
f79deb480f53d7b909b5be729a688ebf67bab1b7178782642917b8479bc5839b

SHA512
7185fa0a30eeee625ee6d3d958edf4448265faa31ecca5f9da7f0a17d13ec968b00ff181f35dd4c2abb7fab6f6676bf0d41a3b5460519f73ea3d6edfc228da3c

Download Submit
C:\Windows\SysWOW64\Ehlhih32.exe

Filesize
109KB

MD5
0c6eda291614a84e06b1cebfebea4263

SHA1
5ef4f698826e658b86cba67645598b3619a46732

SHA256
bf117686a82304ea10b9d715b872d14c2c27b9a53516014996cb742a11d31fbc

SHA512
4fdbc86c94a0a083fbd11930fd56d13147f102e83570854f0588bf376b0e7c3d9697f474829180d51281fd1a1a754c687026c6401304eca6d729667d9b7ed98a

Download Submit
C:\Windows\SysWOW64\Ekcgkb32.exe

Filesize
109KB

MD5
31ef760cca441d4ecb4f0e278588431f

SHA1
46c2e135b2d68013a383befb9f1e8c40abaff9ca

SHA256
4c258ee35fbd525be7a4dc9c04713e60928528e9d4176b359d7d298f69adb969

SHA512
cc48d59b31de49e5974140e7d80f886c04f3067464c5d6faf624e199a46670d88869167d5c7de4a68e3685ca68c93c0a84e2b0a429c69bda5e11e1be6240c504

Download Submit
C:\Windows\SysWOW64\Eklajcmc.exe

Filesize
109KB

MD5
ce56798df18fb14fd3d81f47c31485f5

SHA1
6261a173e28875ffc14c606f646c8e21f581b6b7

SHA256
9b0d709f118dcbed62e24c8a8a38f48592e87ad23d085782505c353823518f36

SHA512
d016aa921881b2b6e3018d384c08ec0cbd8520933f568c2bf4ea1e9d43482dfd37f146cdd0d7fbedbde7f275287a6de7f91e4bf4033ed9402bca81a6b3fb7181

Download Submit
C:\Windows\SysWOW64\Enhpao32.exe

Filesize
109KB

MD5
ffd37efd076cf18bbb95e07aac33e631

SHA1
12f5edc555ac5e53d39ebcb03ff5b9f21839964e

SHA256
482ffe1dad97ecc658c0f612295499a6b4646a6129cc0f17d4519cfe313108d2

SHA512
63cf1c4e1e17a3356dc99e96bd96841d0265d5654b2866155b7075f5f8dcf5bb8b2f84a2dd4f7c562bea8e07523249f5622ae84afb197fe7f4f667c65e0165e3

Download Submit
C:\Windows\SysWOW64\Eojiqb32.exe

Filesize
109KB

MD5
65092dd887a3f44c7d810d44547d0527

SHA1
8a6f70c0c1c8c159af6d97bd747c6f83d392869f

SHA256
f57d4eb2401a006640ebb12673bcaad3ec8c9b54f3e40adefb5c25e2783b3322

SHA512
38128203c4344907337f5072ba60233869048f17f03de1c63c52a2fc9cea50b94d722ea8314a757e6f3bf9e2e58f6edcd7dd07978896838be2a53290503a94bd

Download Submit
C:\Windows\SysWOW64\Fgoakc32.exe

Filesize
109KB

MD5
66b90b33a8c8fb4e0366bfc4f4e7b9bb

SHA1
9a137fbee01db8e2f9121a5c2071902eff0db75b

SHA256
e2c512038e5ecd35be9ba9dda02be59c69f07ac392558ed55d407c8ef7a56b08

SHA512
61cb1d2494918a76e2dfcf2629540c2a7befbb1a8370cb31ed29d4e920c19c155303f4615ce216505b8e4c16aae1efb6a689ae422d3f189921501dbd9ace2fdb

Download Submit
C:\Windows\SysWOW64\Fkikinpo.dll

Filesize
7KB

MD5
ecd1253e5906a71d5318f3412b55c11c

SHA1
242b1c44e234713ec1d16d1cb775ab8c866d2526

SHA256
bf0377989d49bee01d4d0828f83ef2caadf83bbeef94f85f51b28b394cf3a8c9

SHA512
d6161d7c88a3313f431e37917337268868e4e460458021a45c69980716c7ef0370fe3981a7c01c89b351c7a146d1c1cac6d56868e9c6381732b04f3a66c095a7

Download Submit
C:\Windows\SysWOW64\Fkofga32.exe

Filesize
109KB

MD5
d5b341ea3acc612956c5f4994fc36980

SHA1
c6cc0eee3590cef5171079b723f926b12883d38d

SHA256
238c1d33a3102a9ff9f2e143d2e2c8444b28d8c4e36f002cac3a27c5753ab989

SHA512
d91ad1f724c3da6b99acc39f82c6686f867143768074bccb0fca319d66dc32b3606ef195522f85dee9ff67ebb925a452086d94f5592500ef050d1e0bb3a8e9e3

Download Submit
C:\Windows\SysWOW64\Foclgq32.exe

Filesize
109KB

MD5
cb06b31c65ca7cec1cbd45b1000fdd1e

SHA1
955c2ff0f7e5cb37007be1263e04d0bb1d6c2852

SHA256
a194057befdfb0ea742a373693fc4d35048a2f91773244d240aceeff8ecad510

SHA512
eb81dae6224ddcb3d9f68b21437aae17a597ba076c2d3ddc2238ad2a325459e749ae02a34972dd4ba71bb94b5631b0e0b7d3ea21be02c3d0471b7e3aaa52d5f7

Download Submit
C:\Windows\SysWOW64\Fohfbpgi.exe

Filesize
109KB

MD5
9df0a97d95138ced3fc81a6d10cbd7ea

SHA1
2b24408452e267a953bfded858104bdde8e16071

SHA256
084a031c7a6c49daca1e9e79b3d10ba427f0adfbcd0f8c16603fd09180136ce0

SHA512
6ae319f447ecaf2d9f63e610458ee0b524a57e613ace882e6b27ac965843192f6ac5212317153bdcd00bf28f49baef624d3d71a726792a5b8567da54f16049e9

Download Submit
C:\Windows\SysWOW64\Fooclapd.exe

Filesize
109KB

MD5
7c452b21d9497864c08736f665bb84f5

SHA1
66db9d1bcf2c7051680e3673886b6c6c7b3d61c6

SHA256
fcb93c73383d64a43cd761b24c6ea5c1c5619f9182d2eb7212aea2e7723d8c15

SHA512
81849d14461df08f7aedefd92b7ad2da52098867377c8f83dfdd8a00984d619bcbc5c8ece140bb417b4b5656875cd982133445a7bc68d2895d89c346de0f264a

Download Submit
C:\Windows\SysWOW64\Fqgedh32.exe

Filesize
109KB

MD5
d1182fdac36fc99ab60b7d2d943cb82e

SHA1
95119ba7aeda897b223ff9306d08bc587ff25bd5

SHA256
13069357a10c19fd3bc4e51c80583019fa58f2d9b953923e6736b690d4f6e725

SHA512
3bd810476dc6e9c7e4b1956d6aeb9ce3614330575f12bf860048ebe94c45b750fb34274984f20ee708df076d7be3e7092f9a8f422016df06edff6c9015c24c17

Download Submit
C:\Windows\SysWOW64\Gegkpf32.exe

Filesize
109KB

MD5
78a3225b5bcc6aaf8a8474b90c0939c2

SHA1
6e4023e8501840500b8debb699104efd47edb9b2

SHA256
2442d6aad3adb1ff5ca081e7abbcfee238bb463d166a8a0ab37e9dd803d049dc

SHA512
a02837faf2c5ce79eb7357e9bf871274cb9460b48e0f5ecd91406c40dc72a3ed306b244c33c024bfff6416ac2bc253a0c09de6b8c1f5b373fcdff43df4389ccd

Download Submit
C:\Windows\SysWOW64\Geoapenf.exe

Filesize
109KB

MD5
4180c54e02acd2d2a1716dce0ee7dd13

SHA1
827cfd03a1c79bb27d79d4e857dcef5020d1764e

SHA256
878a32fd5f740d5af8fb6f8c8d1b43673a76cf71f1210a61f4a7cfb0924a632f

SHA512
f205a98bea73c3cdeaf2a84e6d16fd950e9ea7108eff049bd202715b83d4ff97cee96fa1e2172d8ae4a01d8d08ed1fdcfe479f6eed73cad90e9c9531391a475b

Download Submit
C:\Windows\SysWOW64\Gihpkd32.exe

Filesize
109KB

MD5
a16911b4b1df8e15bbd38cbffacc6edd

SHA1
5fc9195914946cf9a845c5200bf4d880f40c16ba

SHA256
76c60572c5de56aef7e900f209141e412d54de48ed03bd7d5be03d367ef9b21d

SHA512
2a618dca3a3b2a50dbe2d609ae97f1843865016745921e530461b74bccb3e22f2d9de01e20339a6d3eaedc63a81918d3be7574bc03e4c9def29bfed44565a81c

Download Submit
C:\Windows\SysWOW64\Gpdennml.exe

Filesize
109KB

MD5
8cbe83c9a999b90f77d4548e8c4bff00

SHA1
cd79a0e88e283ac80a7a6020bc2e01866878064b

SHA256
5bbc799db9285afe85586aec7e9173488ab0245f715575efca92c5d028e6f4f3

SHA512
a4b397a26912948b33533eb88f3b5e4889c69fd52d02a4ac17824bcbae160229d9466ea656526839be97a018bab68d15f465f67c9a07d172b62787d2bf961c7b

Download Submit
C:\Windows\SysWOW64\Haodle32.exe

Filesize
109KB

MD5
f3699ee51771559a69c309108d6617d5

SHA1
6e2b02ba9a7923fb050ef55d4f92df9aa8989968

SHA256
1d00e732f4dbc56a3562d0608408bcf170bd2492b873d0717cfdb65d72b72a1f

SHA512
bfcb067254f73b83f67c24297c2d3657d33109299db889f3cf11f784bf31df12f00e9984a7d26d427541eef98cc7932c12fd59d7c14978d513d8d772c1290286

Download Submit
C:\Windows\SysWOW64\Hlblcn32.exe

Filesize
109KB

MD5
20f0c7be29eda2b0cf580c90e46dc4f4

SHA1
a3b19399e845bc6932a02b5fbae30f6d80898814

SHA256
8358076b9c5ed167f12826b9c9e216942d73655cf6b1297a073a29da3c646846

SHA512
ed751b8fedfa93810a18040980b8b5458867a7d061bad924b5452efc084ce321ae13c9f75a8cd8751b60cb31b107416303d2fd7eee3e9ad9c7af6b19e4710789

Download Submit
C:\Windows\SysWOW64\Hpfbcn32.exe

Filesize
109KB

MD5
4c7f46997bedfd723581d6ba36e3a974

SHA1
641fc540ebf4d5b64836f2e8732d71babd3230a9

SHA256
a20e8ec52a30875421ebfd4ac626058e5b44e43ef202c7597edbf994b3c1be33

SHA512
8bf5863643bba40b0a9fa0d87995c94d3a5252db97644c8f39639acfc4784b3975f7ca935952d4cf2f1e05d2546b1228a244765e91ee5f8721694846d9cff93b

Download Submit
C:\Windows\SysWOW64\Hpioin32.exe

Filesize
109KB

MD5
ba276562bbb612837e5229c950ff627b

SHA1
2e15ab344b8dfd2f621dd36be2f3b70c36c88bb3

SHA256
121435979966788d25f09a9011221255dae1498905961cc0f724bcc8c80726dd

SHA512
f3053d6cd66c91851bb7c6fcf19c7b39aa465d4a3681e03a83a2fb713642097ed5002a680614bd234935de243f809620831e7e67625ac723e31864b2a51ce38a

Download Submit
C:\Windows\SysWOW64\Hpkknmgd.exe

Filesize
109KB

MD5
ac27be3aa57a1e4cda788b580b9e87c1

SHA1
b61995ce7badaf17e471e4b7698360b70b45df2b

SHA256
038d70629cd127d025d1d05b6fec7689b4e156f7a3f421a6bdabb8e145e4f442

SHA512
32d938128c461d7bba0d0b641010c504129d88b0fcd181b12f8862bfbe9bddbe1b8f16ca456e8e14067d57e4e4b1716a6f2372fc27e7b67148d3b79c531d2d0d

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
109KB

MD5
7e2cc47574008045416287902f73f54c

SHA1
5217fa09dffe3cd496c8b2441d33f82e318826ef

SHA256
5c24364ac86be3b8a00a8a91cf7ad281168ded6359144b4a1d57282a5cb37d9f

SHA512
10541149c011e93cef01c72f678e374342fea270228a7c7e6c186e443b98e858362314a703d0875d3b35c3050c48967bac6c830548f6ace03e00ba9dce7a823f

Download Submit
C:\Windows\SysWOW64\Ihkjno32.exe

Filesize
109KB

MD5
b576cf09196075ef264f802490f2869e

SHA1
008d7609f49869152b4be21b84082d70d115b25b

SHA256
ea7a4fdafdf961d9807498d81e7a0ae4305bb111632156515111bd7503714e77

SHA512
e57a7a4481db0a0e8d83553c80ae42f6c254ac7b91ac01bf9c6d819d3aa4cb3a841499c0b246b4503145d23b4df9d2e078bad0ffcbe4934446c190b9961f0f91

Download Submit
memory/8-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/676-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/708-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/708-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1108-250-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1108-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1184-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1184-122-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1264-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1264-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1280-235-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1280-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1292-66-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1292-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1500-220-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1500-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1656-234-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1656-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1664-264-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1664-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1704-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1704-186-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1780-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1780-185-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1868-315-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1888-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1888-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-101-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-35-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2320-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2320-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2372-30-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2372-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2476-305-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2716-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2716-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-213-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3260-275-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3264-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3264-171-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3372-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3372-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3392-300-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3412-158-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3412-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3452-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3452-229-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3508-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3508-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3616-295-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3888-294-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3888-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4160-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4160-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4196-157-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4196-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4256-259-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4256-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4348-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4348-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4388-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4388-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4424-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4424-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4516-265-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4516-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4612-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4612-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4920-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4920-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4956-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4956-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4976-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4976-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5032-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5060-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5060-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5112-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5116-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5116-123-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads