berbew | bddad3fb25f1108a9ad83ee0607cab5125535e7d98afdb0c41fdf271d42ee3b1

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2024, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.Win32.Berbew.exe
Size

163KB
MD5

a455ce4b44ce84a85a9f896b9d8c9230
SHA1

8d0361e04cda2886c090fe126354671f1776a9dc
SHA256

bddad3fb25f1108a9ad83ee0607cab5125535e7d98afdb0c41fdf271d42ee3b1
SHA512

1a5083d07bcbaa0b1dba63b90b85c6d5c1056c06be4edf7f492396701d144b63d41a16f069b3a24bed1a530731a2c01397f414c5ad30389d6b2953dad33f5239
SSDEEP

3072:qXcVqPlgaXa89duhh+d+ltOrWKDBr+yJb:xoPl/mP+d+LOf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3316	Kbaipkbi.exe
804	Kmfmmcbo.exe
2712	Kbceejpf.exe
4160	Kmijbcpl.exe
4816	Kbfbkj32.exe
2720	Kmkfhc32.exe
1612	Kbhoqj32.exe
1708	Kmncnb32.exe
704	Kdgljmcd.exe
3976	Lffhfh32.exe
2748	Lmppcbjd.exe
3092	Lpnlpnih.exe
4852	Ligqhc32.exe
4896	Lfkaag32.exe
1464	Lmdina32.exe
2104	Lgmngglp.exe
2620	Lmgfda32.exe
4420	Lpebpm32.exe
4812	Lgokmgjm.exe
2268	Lingibiq.exe
3848	Lmiciaaj.exe
4504	Mdckfk32.exe
3028	Mipcob32.exe
1300	Mdehlk32.exe
2988	Mgddhf32.exe
3892	Megdccmb.exe
3096	Mgfqmfde.exe
1756	Mlcifmbl.exe
1584	Mpoefk32.exe
2912	Melnob32.exe
1404	Mcpnhfhf.exe
4780	Mlhbal32.exe
4800	Nngokoej.exe
4512	Ngpccdlj.exe
4344	Nnjlpo32.exe
448	Ndcdmikd.exe
4988	Neeqea32.exe
3640	Nloiakho.exe
1376	Ncianepl.exe
3276	Njciko32.exe
800	Npmagine.exe
2536	Nckndeni.exe
1196	Olcbmj32.exe
2408	Ocnjidkf.exe
1148	Ojgbfocc.exe
464	Opakbi32.exe
3476	Ogkcpbam.exe
4484	Opdghh32.exe
3608	Ofqpqo32.exe
4796	Oqfdnhfk.exe
1568	Ogpmjb32.exe
2872	Ojoign32.exe
3912	Oddmdf32.exe
1372	Ofeilobp.exe
728	Pnlaml32.exe
5068	Pqknig32.exe
2964	Pnonbk32.exe
4868	Pqmjog32.exe
3796	Pfjcgn32.exe
3460	Pmdkch32.exe
4392	Pqpgdfnp.exe
4984	Pflplnlg.exe
3860	Pjhlml32.exe
4452	Pqbdjfln.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lpnlpnih.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Dhbbhk32.dll	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Mnkhmbin.dll	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lmgfda32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Lpnlpnih.exe	Lmppcbjd.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5452	5208	WerFault.exe	218

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Backdoor.Win32.Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3316	3056	Backdoor.Win32.Berbew.exe	82
PID 3056 wrote to memory of 3316	3056	Backdoor.Win32.Berbew.exe	82
PID 3056 wrote to memory of 3316	3056	Backdoor.Win32.Berbew.exe	82
PID 3316 wrote to memory of 804	3316	Kbaipkbi.exe	83
PID 3316 wrote to memory of 804	3316	Kbaipkbi.exe	83
PID 3316 wrote to memory of 804	3316	Kbaipkbi.exe	83
PID 804 wrote to memory of 2712	804	Kmfmmcbo.exe	84
PID 804 wrote to memory of 2712	804	Kmfmmcbo.exe	84
PID 804 wrote to memory of 2712	804	Kmfmmcbo.exe	84
PID 2712 wrote to memory of 4160	2712	Kbceejpf.exe	85
PID 2712 wrote to memory of 4160	2712	Kbceejpf.exe	85
PID 2712 wrote to memory of 4160	2712	Kbceejpf.exe	85
PID 4160 wrote to memory of 4816	4160	Kmijbcpl.exe	86
PID 4160 wrote to memory of 4816	4160	Kmijbcpl.exe	86
PID 4160 wrote to memory of 4816	4160	Kmijbcpl.exe	86
PID 4816 wrote to memory of 2720	4816	Kbfbkj32.exe	87
PID 4816 wrote to memory of 2720	4816	Kbfbkj32.exe	87
PID 4816 wrote to memory of 2720	4816	Kbfbkj32.exe	87
PID 2720 wrote to memory of 1612	2720	Kmkfhc32.exe	88
PID 2720 wrote to memory of 1612	2720	Kmkfhc32.exe	88
PID 2720 wrote to memory of 1612	2720	Kmkfhc32.exe	88
PID 1612 wrote to memory of 1708	1612	Kbhoqj32.exe	89
PID 1612 wrote to memory of 1708	1612	Kbhoqj32.exe	89
PID 1612 wrote to memory of 1708	1612	Kbhoqj32.exe	89
PID 1708 wrote to memory of 704	1708	Kmncnb32.exe	90
PID 1708 wrote to memory of 704	1708	Kmncnb32.exe	90
PID 1708 wrote to memory of 704	1708	Kmncnb32.exe	90
PID 704 wrote to memory of 3976	704	Kdgljmcd.exe	91
PID 704 wrote to memory of 3976	704	Kdgljmcd.exe	91
PID 704 wrote to memory of 3976	704	Kdgljmcd.exe	91
PID 3976 wrote to memory of 2748	3976	Lffhfh32.exe	92
PID 3976 wrote to memory of 2748	3976	Lffhfh32.exe	92
PID 3976 wrote to memory of 2748	3976	Lffhfh32.exe	92
PID 2748 wrote to memory of 3092	2748	Lmppcbjd.exe	93
PID 2748 wrote to memory of 3092	2748	Lmppcbjd.exe	93
PID 2748 wrote to memory of 3092	2748	Lmppcbjd.exe	93
PID 3092 wrote to memory of 4852	3092	Lpnlpnih.exe	94
PID 3092 wrote to memory of 4852	3092	Lpnlpnih.exe	94
PID 3092 wrote to memory of 4852	3092	Lpnlpnih.exe	94
PID 4852 wrote to memory of 4896	4852	Ligqhc32.exe	95
PID 4852 wrote to memory of 4896	4852	Ligqhc32.exe	95
PID 4852 wrote to memory of 4896	4852	Ligqhc32.exe	95
PID 4896 wrote to memory of 1464	4896	Lfkaag32.exe	96
PID 4896 wrote to memory of 1464	4896	Lfkaag32.exe	96
PID 4896 wrote to memory of 1464	4896	Lfkaag32.exe	96
PID 1464 wrote to memory of 2104	1464	Lmdina32.exe	97
PID 1464 wrote to memory of 2104	1464	Lmdina32.exe	97
PID 1464 wrote to memory of 2104	1464	Lmdina32.exe	97
PID 2104 wrote to memory of 2620	2104	Lgmngglp.exe	98
PID 2104 wrote to memory of 2620	2104	Lgmngglp.exe	98
PID 2104 wrote to memory of 2620	2104	Lgmngglp.exe	98
PID 2620 wrote to memory of 4420	2620	Lmgfda32.exe	99
PID 2620 wrote to memory of 4420	2620	Lmgfda32.exe	99
PID 2620 wrote to memory of 4420	2620	Lmgfda32.exe	99
PID 4420 wrote to memory of 4812	4420	Lpebpm32.exe	100
PID 4420 wrote to memory of 4812	4420	Lpebpm32.exe	100
PID 4420 wrote to memory of 4812	4420	Lpebpm32.exe	100
PID 4812 wrote to memory of 2268	4812	Lgokmgjm.exe	101
PID 4812 wrote to memory of 2268	4812	Lgokmgjm.exe	101
PID 4812 wrote to memory of 2268	4812	Lgokmgjm.exe	101
PID 2268 wrote to memory of 3848	2268	Lingibiq.exe	102
PID 2268 wrote to memory of 3848	2268	Lingibiq.exe	102
PID 2268 wrote to memory of 3848	2268	Lingibiq.exe	102
PID 3848 wrote to memory of 4504	3848	Lmiciaaj.exe	103

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\Kbaipkbi.exe
  C:\Windows\system32\Kbaipkbi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\SysWOW64\Kmfmmcbo.exe
    C:\Windows\system32\Kmfmmcbo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Windows\SysWOW64\Kbceejpf.exe
      C:\Windows\system32\Kbceejpf.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
      - C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        31⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        39⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        40⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        46⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        49⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        66⤵
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        70⤵
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        79⤵
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        80⤵
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        89⤵
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4508
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        92⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2740
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1296
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        98⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        100⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        108⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        114⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        122⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        129⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        134⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 396
        135⤵
        Program crash
        
        PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5208 -ip 5208
1⤵
PID:5360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
163KB

MD5
b78c91cc74956ceac63a0a72610747bb

SHA1
b09d59b8aafb18f97d7e7bde6fe7e16b6d354644

SHA256
2635fd2c45d21c8dc95a19f986ae13def4253d3c09ee09d2216fb22d27dca09f

SHA512
2065ac8914ad06be8afdf44e9ef243232631cbe4a53ab675a62c7f46c593904619d3f2368c04e027afa44528b1e2619a7aa632ba8e379bb7c9f553b90e1ced41

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
163KB

MD5
528cc53958dc8330fb7540d71b20197b

SHA1
ab0341af14df8519bef115707268764817f095a1

SHA256
5800f82f31c88a8fa60e5ceca878ba4dd09133572ec7d83047f889bcaf8088c6

SHA512
c4498527a1bddcd7629a4f56096ef807d76a626c19ebd95786fb26e0d48f63a805378c7a88347909d5b08c7a410179216f01c8cfa3e895885cc7fe2a3325fee1

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
163KB

MD5
8b8e83e854ead289d9b91777897b9417

SHA1
9e7ec3962adbb0f2352b9112950a04ff271b9a8b

SHA256
8de0831317107310662bba6604c951b74680b2b64e66801a6c960b0d0cec1112

SHA512
4394f2e989133f54e2945c46f253ab0c7231cd96455bd0fe88cd72c4d263674bae099fe4e970aac5531530245a78d43c9c1eb04a3c8fde2c90786c40af22cf4e

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
163KB

MD5
952d7393dfc2416b7bb23c4648126e91

SHA1
68b84eec22958583b2741006feb83e03a3ace7e5

SHA256
4e587738381d9ec1f5eaa7fe037f816d91ef6e92e33ac8676ed5ed20fd8e7a26

SHA512
a577c4e4f63e5c40cf5637a6ca8e2244644bd89756398acb61ce00a29dd5a449fa36259ed876c111d919bcb8491f337c1441435ceb0cb345a6c59aeb0d237f7e

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
163KB

MD5
6a13c6ff16fbca037cd668aabf4a35da

SHA1
05a65923ddd69c389a509843f970e85072df7819

SHA256
827ea1cf2b77de3804cb70e4df6a60ff0e9fd8317bffc3762ddc569f00a29d00

SHA512
c4aad679ef06b0ca738addaea28bbe0c6efbabf9b941d910faa9e34375065dcd825c90dc13c6060c7d829116b53e1752b394cd7d450b18b3008d608734f51e43

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
163KB

MD5
b8f043587134620116012819a0b1fb7a

SHA1
f8a988885e80b36114b79c56ec26331a251b191a

SHA256
ebb3faf6d0021a16cd552ce91f67517cf68d4c2a810db1ef78e3540d9ce67837

SHA512
191cb548c03c7d8de0f9da79f81fbf5ec0255c45fc70744378353715fcfdc5e304bf248f8d9dc0039da740af1a7c7b07e2d115a5572f11415e418ab35dc0ca2a

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
128KB

MD5
755905c3790254122e8ddeedb918cfcd

SHA1
f2351ba252eac3c02fc6ae67186a0032f375e5c8

SHA256
2cc2e586888f860d2a1ab65a8852b36629861fa8a9aacb2e539104451c67bb56

SHA512
c817c1acd7fe859d153b17e9b3fb0bd3ff118134fc1547388a041494198ca8d2a9ea8eed565191664a52c921ef7807d5e2b770a4f5818734640ca3f6c97dd7ba

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
163KB

MD5
a0ca562d3a08844ea6dde6e563812d1d

SHA1
e32d90bbc4d499ef17e453860b45a0a604f63f9f

SHA256
a98992e9f9f245942a1bd93486bba85e08eb6b9d5b8e09896b48587e684d7963

SHA512
5a1fc349a511becdf4febe67f125e614ae96d85f4136925dfac943858e4e2db5a7346977db265df85d2a8487bbfd5f0d9fa5726ebccbdd7022bc4df8701fde08

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
64KB

MD5
ba32448b81d0c181462b5c9fab93f54d

SHA1
9427b95a8349e3d9661b5e9de5ca07e02e1e2cd1

SHA256
cf34af29b54c3db8f4b4cf9c01934e01da29440f73ad55efeb4b35799f59e916

SHA512
5b47575a5a9f41cc3db6d945f4d6c37dfa251a040c69f63892b37c7bb4fdcd9df2cc6602e6c0fb586b37b122009cbab6c6e716995a80d8d873c5fb96689b91f4

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
163KB

MD5
00ac16a7901e2c209e8167414642a8aa

SHA1
a47ab9d9df7e85893ded425abbc8e49393e5625d

SHA256
5f2d950b25ab30eb61a501084dd8c797152b97cc3734b571c136fbd11b1fae19

SHA512
c74b8072455fecf4fbc40c6dca37aa78530beeada5f18e3df136f287d97ee4ba2a137818d50321f09b408bb95cbace3a7e94808b429165d125369d219353b874

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
163KB

MD5
97842011235192a905997b3657aea244

SHA1
3c1ec4d2f3009ba2ac5d8adf4380e9ef8320805e

SHA256
76d2b04d2adc25a5ba3d0378b731db917d9e79b43be0286b676ba5b30b3c4282

SHA512
c8cd18a9a1086904b9b6c486d1ffedaea60848569f0549d30daa324d391c26286f86ee8edcbc8c6d4cc532b24e203e284dfed5de83a8395e3a55b321f318c3c6

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
163KB

MD5
5b960fbc88dd28319dd90bef0b9da4ed

SHA1
d7094b88227ef60b893efff34f1bf7ffe29c8397

SHA256
ab5681a07d2526fae8025b186e014fbe6c2c75ea14346fd0c6d2e39a810a46fa

SHA512
2967142e12ad96ff6401a1837927961acf89d1196fcba77bdafc92466ff7f0b43abb3d732d739cbe787f052a914bacccfa3572bc1ae28db279ce4addffbac432

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
163KB

MD5
820baabc60d7766cbada4b9a99e2f562

SHA1
84783a6c992ccb2c28877a9ff1b83aeb74bfa852

SHA256
d0f9d198170802794bbddb3c9a890f2eb8500844198f2d5c2823bfb97a7ea564

SHA512
b6c5f87cfa2e73000cfe4d436d4ea4f6050169dcadb500d2c17ee5afff2cc25203d48df814f3f4d45028468bf3e998431435c2f3753e6d08bc2e912567784b6b

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
163KB

MD5
c6b620b6c9d9a2d37d4b52b3b52cf5dd

SHA1
d2a5ca40504629ae6398a97f8ec5c1ec102b104d

SHA256
963a95730f6820013a6d5eb8516765ed9f5c4840777e1defdee5e4135909d10e

SHA512
ed5aadac3b0856357062f81ef4c05035716d2a2bffbb6a63e8d67d00cec6673d9ccf0713c5f115666ee435877e79f2026722f7bff7104e4037d0a87e1ed8f03c

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
163KB

MD5
50a2d87337a74cef031b2b9b906cb7ce

SHA1
5eb70ce81b8cb6e95745f7aa487f5f99d413159d

SHA256
23e7983daac383f89def65823fd604afd16f3ff0a477eb89a51236163c7db475

SHA512
66759544789265060575d1dffc14e2da09dac3c49a351b18f380b5771876bc1164b21b9bc4fa7757e30c39da30d1b073b96c576d59dd04adc2840618c8124881

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
163KB

MD5
aa63ac3bd3bebe92be34b1adf3635144

SHA1
8df3616be9e867d9668d49710caea04cca246e0e

SHA256
1cb073eca043a584c728a666e7626ceba0d5a17421e7cd45e71409dea735218e

SHA512
9085af60d48156987a38d925fe3846bc4dc83a5618689a19e960993f36d6d18266555178671d65c987c47d48c94a87713eb857b4e31ef5571be9481e45d7876c

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
163KB

MD5
2bf047c6a06df1932fb6321a19cc47ca

SHA1
8ef1b467907a706f1abf02a5d97ddd0ef987b0bf

SHA256
31cd6ee242c6e6d0f9c8deffd66877098c44a3bb6506a4ae2a71db76634777b1

SHA512
93b1dffeffe5090ac937f37d03d06a66cec42e3b30ff4547b05de76ff7b119e9f79b826ad773192b7c2c4601e82ca7001a227a60056c0c4332411ff82e6278ff

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
163KB

MD5
b04efbe74192c9537c4b10f89de29d30

SHA1
3de1a3812fcb330068bf8340940cefe10643a255

SHA256
9f2e18e7fab557942de2ea117435663983ef4598755f03815e7bb7937d814d4e

SHA512
3c5e3fb7c3cafc994ee39d7ff7ab2e7dca0fde96887daf34c4541a85308f7c0f867b698e45465951214b97885a370dd3b9f498819e54b3ce2ba784e7930530b5

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
163KB

MD5
65fadf8968df3ff34b5ae4025092d70c

SHA1
d4aa647be7e9a510d6ce775a51d064a043e1e150

SHA256
973c95101b7d836e8595481dd2b403d47a261e7540128835eb3ace485c3763e9

SHA512
f1449182d584ab417351853ee63b48d7ab5c586615c22cf4d9bbb6237235ab2bba7337b8992398533dbf0befd2b4aa3a037293039a31087c77f26371a44143c7

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
163KB

MD5
3387bfab646bd401eb39086b2d8a0390

SHA1
2c813c73aed6f11ab9d6037d52cc8a8d23dea630

SHA256
1ba211751ee27e0dc581192edc61f95c6d20bdd86ddef305e41b154a9536e389

SHA512
93905aeeed731827be34388d9690ea04b962ab93169f668a67c62805d3c5b40ebe976a26b68d7772ac27eca8bbc03c60c3f4c70b3a4a4e167f175211d68a8d7d

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
163KB

MD5
660082b92596ac82e27bbc95e1754916

SHA1
b47d233e367c14f46042013dff5e3c1bb8ac8b56

SHA256
f037cf5518c17d16f2ab9aad555d2524368ce330be160db330a1210c50a16733

SHA512
cb478932e53769120b800d5da388804db2da02ab410e11b179d5544d03fc47c8f5989061f5f5012f82f53ba4626617ac8d77fe85cbcb0be68e013b32ca0890bf

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
163KB

MD5
f6ba927049f41e4e6078f8c3753c77ce

SHA1
e40061b75ec7c144dd7a19ff723027e6e3f91cca

SHA256
75a4743517e9c3b9e5a8d7cb452e86fdb45fc8951407c376d7dd6253d23f4875

SHA512
97ccbb4b7b0ba6f649c2f1546def3bb7da99845ddc7a57f44d728b510c1f945fb4ba666637057f73aa7039a3c19544679a9ee17558311677eef78134bda0be84

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
163KB

MD5
6ca179501a748b96f3457145abf21108

SHA1
8e634a7ab445e87adb4cf52644bfa6738a37421a

SHA256
8672f5d4d5d2fc4f6f2d0c64ef8abb455448f79b31e8bc2f46b7e5f7d5ee6377

SHA512
35501c3d09be9f0668fe0f64834a8d2a923e3485e99e64414be388b666661e470cc98cf7a848722ee9788cc9b4cad2ee12eaadc698bd2ea5d8f0ed50f04e5a78

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
163KB

MD5
ecfbd537917a83c898397c4687b2aa0a

SHA1
601ddb3d6c82e0e015067a7f2f2fc1b0c234927f

SHA256
93a81ebbb9c72696cc8a213c772dd31157f73f3ad82696631b6976d18889d67c

SHA512
27ae6acdee3a3ab14c22209d92ed9dec11fb327ad8703d6b9435c12f1571829338c804ad4529cf6f6a62160e5011555d24ee0d824a50f47b9ff99e70a46c927d

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
163KB

MD5
8f9020d3f8a640e4402978ab83e3625a

SHA1
bef44583879ff3b88992b335a303afaece9489c6

SHA256
86885cc38169994508e72489db848e09139d040da23d7a37e6dfb6ffeb4de747

SHA512
40c40273cd717133d5404bc75e0e3d3643158c62a51eb85893b5e2cf9f87e283804811ca2e6d35ef7aebd0d5b25631c3c2c1ecd070b7721d54e6dbf16c369c20

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
163KB

MD5
a566a4dc9e32c46574ee71f464ff282d

SHA1
d92d4eb193cabb89e08ea82c04fcadc4039dafde

SHA256
c6e617f84b83ec86226e5bd2634a3e4d183a8f8e74a3ee9caef43876713ac01d

SHA512
9390b4534aae61630d0c6293c51415a9b845705ee7a7c03cb1009260a2150bb9f1c46e213f5822a3f92443b85532c82275b8a5005442b6f2d6fe26f2e4f91d0a

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
163KB

MD5
0e0e7de16c37097ee926f222e2039a9e

SHA1
148b86c2cfd5e1cadc05907d4e970d40982254d5

SHA256
23c2ce74db724f3ccbb09db4d4f52868c9d7c6e3425d0023a77482d7f7d9e03b

SHA512
dc3a5d0f3cabf99ffae9c835e6950566e5b3dba398a77e8987f73ce6cbbb428c74ee76330a7255e0046abd0239e56fe298754b3b1420ce7b82422773e0a94785

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
163KB

MD5
0af7f9d5b27d121de88bb943ea8984e7

SHA1
c1c11582434513872c40ff107465ad6f234b85a3

SHA256
b563155b73856228744b4117128450f4a05cb4cdb7ae13c4c762caac357404e7

SHA512
75eb7f9b0719a12997e6f85da1d65f350486d9b2d07ab37ac98b0f2c4ca8978575e43fda7e3c0206bba5d60e677555ad57c27d5b090f806c72119507de13cb72

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
163KB

MD5
72b89ec50ec5a2bfc5984313c064a922

SHA1
ff03bc0acb8b92e02838c0afc61ad0b0ed7a4f6d

SHA256
453eecfe86067f9aee2f1bdc05cb7a7d1b2fe544fae3d5740c8af59e079f770f

SHA512
35f4bd8bf474239f2958368e2ea0e159cdaab7b084d6aca741cc7ee05576cfeae616b9b6a02a3a6c3336c633e8ef1773a7db28301fefa0837c8492ac3851b98c

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
163KB

MD5
bfe8a84be4b4f489f126846f8402e546

SHA1
efc757ad1fd340cf6a1ab51f0ffc628eeb8df106

SHA256
9195d458e2b09648d213722d8919c8dec965b023b4719f4b2a982a430aa18cd7

SHA512
60ddcd67d380924d8e028718eb3007e0a2aa19627fc7c46c9a23174e0040d205c5c1f5d8dcb473de1b8576bb39e9a8cc2abfcff59cbda8f19f2bb862213efa6c

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
163KB

MD5
ab5956446cf409621c726162598a4c84

SHA1
c2439972d6534538a35cb15b3b80e3056b67ba07

SHA256
ceaeaec645135c3aef410e932bd822e81d7bdeb53745731deea279db6edb7610

SHA512
a7637677de8a5d61b0e881c76aad09478f42e7878e23470006a99f4b29117cb6b93948a76872daeadced207a7e5d7fb3ea2950cb2883288765227cfb4e931aab

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
163KB

MD5
6e68e16b1bcf09655c0ea7ff93ffb84e

SHA1
d76e2be416457f4cf66201ec69e827f7d2efd991

SHA256
e35b8f459604b189f09633278afa61292b20fe0e6bbc298819bcce632c8a00c5

SHA512
627f472644fb2ec061c27a83c94a2c944ce6be8ebac65c252f8d9da74dac4fdb2539ca08aed9550be468670a9e4c473626e403ea1d89a5fdf82603919255dce6

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
163KB

MD5
474cc00d7e187b935b3c069e8d7ba081

SHA1
cef26a5e9baa7035129c70f615fdeec8dfbbc9ca

SHA256
1cba8c3b2ee2bb2ae245306e2169ee35c1a952a924ddade6fc5b04d5ebdac737

SHA512
d59de0ac81c0d82b08631c473c18c32ac3b82bcec6fa9c45426e0811d5d4a2d254ee50d69e1972f31f70defb45f0aec40261cba6974dc1dad143ae4b7b409f99

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
163KB

MD5
cffec950f52258fc6ca0a310dfd19d54

SHA1
d26f1c6d23b0913d5041911552257d69a0ba9b22

SHA256
70686526ce5c829cc2909efdbf6f54bdc37941ed9c6eef0393db01949f6cd5d2

SHA512
1bfdd964083ea7d083bd913f2d5ed67ccc0c8b7a89cbb526b9531a892d53228c7c64d80b61c7fc2a932af1b344be34d6791660bcd095053c88315ce2fc9ebbeb

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
163KB

MD5
f1d45e58de8032bfd9a7eea1951c4833

SHA1
dbf78bcb735f413127e0cc93e4dfe5def73394ae

SHA256
a1a0c24402a5821c5eb23851b556e9b6d01faa6ced56e911da640ceda317052f

SHA512
b9f23f8a2529c7fcfc5ee56335e0061b83620b201cc9fca72cff5c43297669653e966a452f75abebb3dd09194e270adf86bc348a07df1a1eea91d4bbedf9c3a1

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
163KB

MD5
5efba52f40ecdb31a297ab255cdd7422

SHA1
48c4a056d309ae0b67de3f8c576cc9e756d5dd83

SHA256
ea81e559428cbbdf2803e5a308b7961b3f9787a1aecb3c13928f25a1547d3190

SHA512
97388ae2c8c294806c159935319fc900fd89deb8b48c37d5648b87165c1b98a89414951953282685b7380a66c758e95e22f902281100f665c470bcc69f2a28a6

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
163KB

MD5
b0794cef36a14a8954b713ccf135fc5d

SHA1
dd33a1c2241f261bc1917a4dfe2401910198c476

SHA256
62d4e80a649a0ef5a991c699b8be8559346fd878a52f842d7aa26ac7ca02aabf

SHA512
f634f7c45001e09bb226ef0604e448a503224d33f34ca91147b61bc69827f4174810fb3662287e9c9d214a71d1da6ef2bbefd95f2f8f1d02fbae4cdc35f0b8cf

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
163KB

MD5
1d4507d3149674127ae292563cfbcb8f

SHA1
ddeebff84c021e60a4ae18edee0a8c9400e981d5

SHA256
cc1141c2560442df3fcfc9d66bbb848df06a462a1535d419f6f17cd4911336b9

SHA512
51e93bc7cbe846ab1d1808d544ff0b8d14d8352cbeee68d3df62f5c683c82c4a9f81f320c8ac1d845482aff24e5c8b5ba19128b290f2764d286f3fcd0468af1a

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
163KB

MD5
ecf660e4492a5a53f756ee594b64f695

SHA1
56b3eba315e7f4ee5e41c3775c93f8b49ed84436

SHA256
ca04a08d95dc236b6ad8fb5b8df2d13ecc7b534ccfc3ecdb9fbc8095a80f14c5

SHA512
6bc533ddd7c1a17bf55231f55be0ea8bbdd2271649c147af9f9e28b9567a8a37871f763f1b21783baffd9c07eff45d432b176ebfd0817598537df758e0776fb7

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
163KB

MD5
01606bc8902d999e2f2c49bffc8ff683

SHA1
eca4faf164d6aaa2a1c28a61efd9bfc07855c0be

SHA256
c08a318246c8f61d36438ca83a00250a39898aad1aca12352e2a970eba635634

SHA512
21edff53f06c199dec9bfdd5a13989969b392f497948fe24140fee529ed526a185f94da4215531e7a1c72f27fab2baa7b3fa93c8f85a9845be9210c3b3461859

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
163KB

MD5
a286419519f4134fecaa07ec3e14feec

SHA1
78b9a5c76b2e954a543944236755697187498ffe

SHA256
98ec3d5be3e857907fb283bea7e317a162f93b8cd6481500920508666b10cbe4

SHA512
31b16bdece273addc6c9cee20fa7167ba25ea8c7447492923799ab43dc7e0fb5bb55e1b8b2955051720ee182c8fb704beeec39dcd61358b92dfc840e9e85da80

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
163KB

MD5
fb0dcb01b1b9a4e56566503c8f09fc52

SHA1
f6882c4e104283c9e3fef61cb37a3c8bf954e919

SHA256
1168a93af8fc9a518ad82c5efcc5cad9795080761a8f3e776bbc10e32baebe0b

SHA512
353bc1c10a3b29dd7a1ea4367df5a7ce7ec4590bdd8212260f7221b422d7711c83081e7e64a09c178b99fe5bebc71a820d8671b28c48a717d16122008efec54f

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
163KB

MD5
713894553ce04bb414c03731a4c168ce

SHA1
2b9361990618c0ba8565e802ea449aa9ce78d6ec

SHA256
19bbaf2b602827ab7726140a0159cc945401e5e55156f7e24bcc85f1924a3a11

SHA512
285aa5b0048f6f1b73a3ab9f2d5784efe7fe42f2027e8a19e9104d67ae000dfdeba2e74e96b128dcd0b6e9a5be1ed785715498ac6e5e29ad756d5f875c53d2db

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
163KB

MD5
862314c9f6b48565d208d4212c22ddb4

SHA1
a8e4fba923b9caa5e3d1144b53e18702ca397ebb

SHA256
ca4bbd51196027a5efaabc1b673c697b38f1336b727945d4d29e6c3bbd52cf9c

SHA512
14034d834d9ecae3d3b66a55697023c2631403287aef6920f0c361687995da7a43d9992a22bdf8144f324519a04bc73c3fc300d33aca0744072c2510cb12d7db

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
163KB

MD5
b214c069367cfda767b7e3251b2eebab

SHA1
5134c0f7294d7b65b6704ec53c58ae9c5b0aad79

SHA256
8de51956524565f96b768cecd8f02efefb5555d743bf9d110742490d099f86f0

SHA512
88eb03591463ebf8d56f3b8b1470438ea12e0a4a372030bf9124814f116aec7829cbfb0091bbda2263f516877fb6a9ffa25e15e32744e62e0f3b2a5b8ad44d7b

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
163KB

MD5
120139eceb5b12a500fc320d1e3b5048

SHA1
abb0f633ad1413798129489eff1dcde47cd3f04c

SHA256
b7c08be562bdef392979f2ef21a9c1a23b96bb3f1dc6dfc60b53059d62ce9021

SHA512
2bdda892dca22d1070636b39523e73ccb52220d3049a081c00a540a3b3786aa1a70d60c2033f4a92131505bfb299114f9576a96ab3d275ca080d92c7be451b46

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
163KB

MD5
b7d051780fb0eb7b041842b360a3ebf4

SHA1
f9f67ceb9d1e26ff1038ecc2f0cb417d36f39224

SHA256
28447fd8cfe997adb9e3a928535ece1d7616f8a2b9cc3c148bc4c3b64b7ee2f5

SHA512
3f091262f716e621c7bd4b779b8207135710cb28e666c3f51f1eb22c737ab55cdc2f33653de43c09741852a0b67a211dbf6f3b4fd5c9b0431734e56a4c47d3f5

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
163KB

MD5
4eec1cec03a3527e11a38adbcbd47dbe

SHA1
1db05186a8a264334567bf15df93c73fb1995b48

SHA256
5e6c3e53b2a1a5ddd69119b762869c322cf0a14d2d3129d428cf4856280e3885

SHA512
51f05af4c262c1d9d78a302d019bd1849fc6443fb45aa6733a7e902dac20ebaa2d5a2afea33a9a972a2b9b717c063aa9e84111ee52bce58d298407e972de46d9

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
163KB

MD5
cce045a58516c82f49bbcc70302bf847

SHA1
888ff67dd47d26c1abd1d69d1f821432a4fb85dd

SHA256
6ce9452baa3ffb96cf1afa2f7c0d8a375e0d64900e2c24697e4376b186c4aec8

SHA512
6abd2c1918fbc237eda182dba34ea4f2d2aa63e5a19764165d0642d2cec4cc00d3499997c5b9f6e9d92ead701a9bc49735efba476a464ee4a3d2c1bd429035c8

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
163KB

MD5
e6db49865dbb111d69f566534baef0aa

SHA1
3c7fe7cb1ee5ca89f01dbc84abaa4e580503d46a

SHA256
6dde0b74794bb4e18e22d07b059ef9ea722cefc67e07151c83bf711a806d5b3b

SHA512
37e35a1fba0a66dbb09a1a3658c2010ce872df8f4937b23e5021be5df7181eac036b8ef2e3e2740e31a6a0397a5f890c85f3a8f82754780fb822072d08cc40bf

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
64KB

MD5
fc7e22807f93ccadf7c82fdff58e9b46

SHA1
a27a696ee020aa50ba55243128d796208b211b8b

SHA256
ec98c68a62e636c9d527190d44372cf91a2f1073d0ab394756c7478a6a84282c

SHA512
ff8677414a815983d6e1db6645e9e54b2f5cb71107ef511206decd600e535b7de92a65954f5c1a02d6e729fa5fa351b775cffbf5a5d3377e20ef4d81104116f7

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
163KB

MD5
0c13d98e5740dd3fa7eb5ece275aba7f

SHA1
dc0317f6691674105ca663163494c37d30bc8b35

SHA256
10c3bd90181bc831f22cf07926f87cd7cc01df555fc13a29ca2201b54b1fb18f

SHA512
9a723a19e0c13eeb9a80b919a094b849da2b3e0508cfda274abe6f0f6c9ad644382b0f9326da7d115e36ab1b1b955c67757a6d71ec2844b091875c7d997e7f7e

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
163KB

MD5
33ca9f3fd4261daa63060fcc8c73de15

SHA1
52890f4f80a5c6e1d6be2e1519bb1a536e2bdb58

SHA256
46799841ef7f6ad5296b19b17abc50f35e9d64a10901fb40edb88ecfe70f1655

SHA512
1442dfbfb5177153944111301698ef400a7ce74f5e13dabb770d80678097cca87aa9fd64a16f2750997062145a734b1612735d1f3b8755f85c13b2ed6d5d5b9b

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
163KB

MD5
ff2b66829c570c08628ec6738c1b1c55

SHA1
5d028596697d123cff0646c2b9f2d689db8676e8

SHA256
3dc011723965237e5310871895a204174b2d7612656f744c0259d3a9a2f2b6db

SHA512
85a5af29a27493b1cd05fd19626819c19c6cc63d0b2ee9ea84a3e51de9294ecd20c926a84491f6a3e49f6b6afdd33f056b60e08bea9ea481ea1aec6978007f36

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
163KB

MD5
d35f2f0d5b0f2441f3d141d9b129836e

SHA1
52e03f2cc64626364272d90bba6304249e799500

SHA256
d8c059d1edb60c726b850c82387d58f7b6954ffa45bc629eab8de5cf21fd1b43

SHA512
06c99081c0e1fe62f32ab9db0b02e9f9e5842961307bf65cc9ad348aae3463183ee6212aee0dc9795ab2d07c41d5bd46be7c6aa1a400fce00a01f0b38948200d

Download Submit
memory/408-527-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/448-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/464-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/664-485-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/704-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/728-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/800-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/804-559-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/804-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1148-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1196-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1300-197-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1336-580-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1372-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1376-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1404-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1568-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1584-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1612-593-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1612-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1644-503-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1708-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1756-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1900-509-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-491-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2112-594-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2268-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2408-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2536-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2540-566-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2620-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2688-455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2712-565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2712-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2720-586-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2720-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2748-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2872-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2912-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2964-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2968-587-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3028-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3056-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3056-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3056-539-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3092-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3096-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3276-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3316-552-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3316-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3460-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3476-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-521-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3576-515-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3608-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3632-533-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3640-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3692-479-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3796-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3848-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3860-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3892-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3912-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3976-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4128-461-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4160-572-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4160-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4172-546-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4344-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4392-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4424-497-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4448-553-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4452-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4464-473-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4484-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4504-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4512-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4568-467-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4756-540-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4768-573-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4780-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4796-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4800-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4816-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4816-579-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4852-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4868-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4896-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4984-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4988-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5068-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5324-979-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads