berbew | 066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 18:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe
Size

100KB
MD5

ede0378489c5d3452d928aa23f10801f
SHA1

00ce2b133d41e1312d0061019fc0141b8965fd77
SHA256

066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f
SHA512

7f6dc524ddd15495b62fe0785b98fc54aaeeb956bbc54704f4c0958057e7301ec100d5e9bbb9f5425cce774b5c19017c9e532309ea8b4b61e1a3cfb6dcce2f72
SSDEEP

3072:aHtc9qlhv30Iow04q4n5LOkkgb3a3+X13XRz:aHD30Iowbq4npOkh7aOl3Bz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbpefc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgqion32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dochelmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oehicoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmmqmpdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Plbmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfaqfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbjdj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnjeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffjagko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjbclamj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjklb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oknhdjko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhgba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecjgio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkdckff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plbmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efhcej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejabqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Empomd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlmoilni.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhflcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncjad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmqmpdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amhcad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfkclf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkjhjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldbjdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgnjke32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhhiiloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfglfdeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfnnnhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lglmefcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oknhdjko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgein32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lglmefcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndafcmci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afqhjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camnge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbbakc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppipdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbbakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbgkfbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncnjeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eebibf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkeoongd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dochelmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlmoilni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maanab32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 62 IoCs

pid	Process
2816	Jmocbnop.exe
2780	Kjbclamj.exe
2604	Kbpefc32.exe
2584	Kbbakc32.exe
740	Kpfbegei.exe
2932	Lbgkfbbj.exe
2024	Ldkdckff.exe
1516	Lglmefcg.exe
2640	Lgnjke32.exe
2988	Ldbjdj32.exe
1112	Mlmoilni.exe
1984	Mpkhoj32.exe
1308	Mhflcm32.exe
2184	Mhhiiloh.exe
1712	Maanab32.exe
1628	Ndafcmci.exe
648	Nnjklb32.exe
316	Nnlhab32.exe
1068	Nfglfdeb.exe
1624	Ncnjeh32.exe
592	Omfnnnhj.exe
2500	Oknhdjko.exe
1704	Oehicoom.exe
2428	Okbapi32.exe
360	Pncjad32.exe
2240	Pmhgba32.exe
2768	Ppipdl32.exe
2728	Pmmqmpdm.exe
2596	Plbmom32.exe
2608	Qaofgc32.exe
2544	Amhcad32.exe
552	Afqhjj32.exe
2156	Adgein32.exe
1608	Aldfcpjn.exe
2112	Bdfahaaa.exe
2832	Camnge32.exe
1740	Caokmd32.exe
2668	Ccqhdmbc.exe
1720	Clilmbhd.exe
2364	Cfaqfh32.exe
920	Coladm32.exe
1972	Cffjagko.exe
1944	Dkeoongd.exe
1644	Dfkclf32.exe
2264	Dochelmj.exe
1788	Dbadagln.exe
1900	Dkjhjm32.exe
1716	Dbdagg32.exe
860	Dgqion32.exe
1064	Dmmbge32.exe
2652	Ejabqi32.exe
2812	Empomd32.exe
2756	Ecjgio32.exe
2576	Efhcej32.exe
2096	Eqngcc32.exe
2168	Ebockkal.exe
2044	Ekghcq32.exe
2272	Eepmlf32.exe
456	Eebibf32.exe
2144	Egpena32.exe
2120	Fbfjkj32.exe
2188	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
1364	066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe
1364	066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe
2816	Jmocbnop.exe
2816	Jmocbnop.exe
2780	Kjbclamj.exe
2780	Kjbclamj.exe
2604	Kbpefc32.exe
2604	Kbpefc32.exe
2584	Kbbakc32.exe
2584	Kbbakc32.exe
740	Kpfbegei.exe
740	Kpfbegei.exe
2932	Lbgkfbbj.exe
2932	Lbgkfbbj.exe
2024	Ldkdckff.exe
2024	Ldkdckff.exe
1516	Lglmefcg.exe
1516	Lglmefcg.exe
2640	Lgnjke32.exe
2640	Lgnjke32.exe
2988	Ldbjdj32.exe
2988	Ldbjdj32.exe
1112	Mlmoilni.exe
1112	Mlmoilni.exe
1984	Mpkhoj32.exe
1984	Mpkhoj32.exe
1308	Mhflcm32.exe
1308	Mhflcm32.exe
2184	Mhhiiloh.exe
2184	Mhhiiloh.exe
1712	Maanab32.exe
1712	Maanab32.exe
1628	Ndafcmci.exe
1628	Ndafcmci.exe
648	Nnjklb32.exe
648	Nnjklb32.exe
316	Nnlhab32.exe
316	Nnlhab32.exe
1068	Nfglfdeb.exe
1068	Nfglfdeb.exe
1624	Ncnjeh32.exe
1624	Ncnjeh32.exe
592	Omfnnnhj.exe
592	Omfnnnhj.exe
2500	Oknhdjko.exe
2500	Oknhdjko.exe
1704	Oehicoom.exe
1704	Oehicoom.exe
2428	Okbapi32.exe
2428	Okbapi32.exe
360	Pncjad32.exe
360	Pncjad32.exe
2240	Pmhgba32.exe
2240	Pmhgba32.exe
2768	Ppipdl32.exe
2768	Ppipdl32.exe
2728	Pmmqmpdm.exe
2728	Pmmqmpdm.exe
2596	Plbmom32.exe
2596	Plbmom32.exe
2608	Qaofgc32.exe
2608	Qaofgc32.exe
2544	Amhcad32.exe
2544	Amhcad32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nelafe32.dll	Bdfahaaa.exe
File created	C:\Windows\SysWOW64\Eebibf32.exe	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Lnfhal32.dll	Kpfbegei.exe
File created	C:\Windows\SysWOW64\Kaemmggl.dll	Lgnjke32.exe
File opened for modification	C:\Windows\SysWOW64\Ppipdl32.exe	Pmhgba32.exe
File created	C:\Windows\SysWOW64\Maanab32.exe	Mhhiiloh.exe
File opened for modification	C:\Windows\SysWOW64\Pmmqmpdm.exe	Ppipdl32.exe
File created	C:\Windows\SysWOW64\Efhcej32.exe	Ecjgio32.exe
File opened for modification	C:\Windows\SysWOW64\Ejabqi32.exe	Dmmbge32.exe
File opened for modification	C:\Windows\SysWOW64\Eqngcc32.exe	Efhcej32.exe
File created	C:\Windows\SysWOW64\Gfdeopaj.dll	Lbgkfbbj.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhab32.exe	Nnjklb32.exe
File opened for modification	C:\Windows\SysWOW64\Dochelmj.exe	Dfkclf32.exe
File created	C:\Windows\SysWOW64\Fdjcfm32.dll	Oknhdjko.exe
File created	C:\Windows\SysWOW64\Qaofgc32.exe	Plbmom32.exe
File opened for modification	C:\Windows\SysWOW64\Cfaqfh32.exe	Clilmbhd.exe
File opened for modification	C:\Windows\SysWOW64\Dkeoongd.exe	Cffjagko.exe
File created	C:\Windows\SysWOW64\Dochelmj.exe	Dfkclf32.exe
File opened for modification	C:\Windows\SysWOW64\Kjbclamj.exe	Jmocbnop.exe
File opened for modification	C:\Windows\SysWOW64\Mlmoilni.exe	Ldbjdj32.exe
File created	C:\Windows\SysWOW64\Ddhbllim.dll	Ldbjdj32.exe
File created	C:\Windows\SysWOW64\Afqhjj32.exe	Amhcad32.exe
File created	C:\Windows\SysWOW64\Caokmd32.exe	Camnge32.exe
File created	C:\Windows\SysWOW64\Ekghcq32.exe	Ebockkal.exe
File created	C:\Windows\SysWOW64\Fiakeijo.dll	Egpena32.exe
File created	C:\Windows\SysWOW64\Lgnjke32.exe	Lglmefcg.exe
File created	C:\Windows\SysWOW64\Nnjklb32.exe	Ndafcmci.exe
File created	C:\Windows\SysWOW64\Pmhgba32.exe	Pncjad32.exe
File opened for modification	C:\Windows\SysWOW64\Fbfjkj32.exe	Egpena32.exe
File opened for modification	C:\Windows\SysWOW64\Kpfbegei.exe	Kbbakc32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjklb32.exe	Ndafcmci.exe
File created	C:\Windows\SysWOW64\Pmmqmpdm.exe	Ppipdl32.exe
File opened for modification	C:\Windows\SysWOW64\Amhcad32.exe	Qaofgc32.exe
File opened for modification	C:\Windows\SysWOW64\Clilmbhd.exe	Ccqhdmbc.exe
File created	C:\Windows\SysWOW64\Mhibidgh.dll	Ejabqi32.exe
File opened for modification	C:\Windows\SysWOW64\Kbpefc32.exe	Kjbclamj.exe
File created	C:\Windows\SysWOW64\Mlglpa32.dll	Mpkhoj32.exe
File created	C:\Windows\SysWOW64\Aphdkpjd.dll	Mhhiiloh.exe
File created	C:\Windows\SysWOW64\Bdfahaaa.exe	Aldfcpjn.exe
File opened for modification	C:\Windows\SysWOW64\Dkjhjm32.exe	Dbadagln.exe
File opened for modification	C:\Windows\SysWOW64\Dbdagg32.exe	Dkjhjm32.exe
File created	C:\Windows\SysWOW64\Ldbjdj32.exe	Lgnjke32.exe
File created	C:\Windows\SysWOW64\Ndafcmci.exe	Maanab32.exe
File created	C:\Windows\SysWOW64\Gofbagcb.dll	Ncnjeh32.exe
File created	C:\Windows\SysWOW64\Cpoodc32.dll	Mlmoilni.exe
File opened for modification	C:\Windows\SysWOW64\Ncnjeh32.exe	Nfglfdeb.exe
File created	C:\Windows\SysWOW64\Ccqhdmbc.exe	Caokmd32.exe
File created	C:\Windows\SysWOW64\Pggcij32.dll	Eebibf32.exe
File created	C:\Windows\SysWOW64\Bcpaqn32.dll	Kjbclamj.exe
File opened for modification	C:\Windows\SysWOW64\Lglmefcg.exe	Ldkdckff.exe
File created	C:\Windows\SysWOW64\Mlmoilni.exe	Ldbjdj32.exe
File created	C:\Windows\SysWOW64\Bjcmdmiq.dll	Cffjagko.exe
File created	C:\Windows\SysWOW64\Elfkmcdp.dll	Dbdagg32.exe
File opened for modification	C:\Windows\SysWOW64\Empomd32.exe	Ejabqi32.exe
File opened for modification	C:\Windows\SysWOW64\Pncjad32.exe	Okbapi32.exe
File created	C:\Windows\SysWOW64\Kcacil32.dll	Camnge32.exe
File created	C:\Windows\SysWOW64\Cfaqfh32.exe	Clilmbhd.exe
File opened for modification	C:\Windows\SysWOW64\Ebockkal.exe	Eqngcc32.exe
File created	C:\Windows\SysWOW64\Kjbclamj.exe	Jmocbnop.exe
File created	C:\Windows\SysWOW64\Iidbakdl.dll	Caokmd32.exe
File created	C:\Windows\SysWOW64\Cffjagko.exe	Coladm32.exe
File created	C:\Windows\SysWOW64\Hajdhd32.dll	Pmhgba32.exe
File opened for modification	C:\Windows\SysWOW64\Ekghcq32.exe	Ebockkal.exe
File created	C:\Windows\SysWOW64\Fbfjkj32.exe	Egpena32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1860	2188	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffjagko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbdagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbgkfbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgein32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfahaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfnnnhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oknhdjko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfkclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhhiiloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maanab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfglfdeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkjhjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhgba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afqhjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eebibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbbakc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lglmefcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmqmpdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plbmom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebockkal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbpefc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okbapi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfaqfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbadagln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpkhoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppipdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgqion32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgnjke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjklb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnjeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Empomd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldkdckff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbjdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhflcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhcad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccqhdmbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkeoongd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejabqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecjgio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqngcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmocbnop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlmoilni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oehicoom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaofgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmmbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepmlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpfbegei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndafcmci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aldfcpjn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camnge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilmbhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjbclamj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caokmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dochelmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efhcej32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhhiiloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maanab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnlhab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omfnnnhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aldfcpjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clilmbhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmocbnop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbllim.dll"	Ldbjdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjcmdmiq.dll"	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdkpjd.dll"	Mhhiiloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndafcmci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjklb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfbaik32.dll"	Ppipdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Camnge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccqhdmbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldbjdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efhcej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doejph32.dll"	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhflcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omfnnnhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okbapi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfaqfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiakeijo.dll"	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhal32.dll"	Kpfbegei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbgkfbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oamcoejo.dll"	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfglfdeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qaofgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbdagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecjgio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbbakc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Plbmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbpefc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpfbegei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbihnp32.dll"	Amhcad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpmdgef.dll"	Adgein32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfaqfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dochelmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmocbnop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjbclamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfkmcdp.dll"	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfjh32.dll"	Ecjgio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaemmggl.dll"	Lgnjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpoodc32.dll"	Mlmoilni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oehicoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaeieh32.dll"	Plbmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amhcad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgein32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpidibpf.dll"	Kbpefc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldkdckff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmfjeap.dll"	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejabqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnngnk32.dll"	Empomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocjgfch.dll"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clilmbhd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2816	1364	066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe	30
PID 1364 wrote to memory of 2816	1364	066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe	30
PID 1364 wrote to memory of 2816	1364	066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe	30
PID 1364 wrote to memory of 2816	1364	066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe	30
PID 2816 wrote to memory of 2780	2816	Jmocbnop.exe	31
PID 2816 wrote to memory of 2780	2816	Jmocbnop.exe	31
PID 2816 wrote to memory of 2780	2816	Jmocbnop.exe	31
PID 2816 wrote to memory of 2780	2816	Jmocbnop.exe	31
PID 2780 wrote to memory of 2604	2780	Kjbclamj.exe	32
PID 2780 wrote to memory of 2604	2780	Kjbclamj.exe	32
PID 2780 wrote to memory of 2604	2780	Kjbclamj.exe	32
PID 2780 wrote to memory of 2604	2780	Kjbclamj.exe	32
PID 2604 wrote to memory of 2584	2604	Kbpefc32.exe	33
PID 2604 wrote to memory of 2584	2604	Kbpefc32.exe	33
PID 2604 wrote to memory of 2584	2604	Kbpefc32.exe	33
PID 2604 wrote to memory of 2584	2604	Kbpefc32.exe	33
PID 2584 wrote to memory of 740	2584	Kbbakc32.exe	34
PID 2584 wrote to memory of 740	2584	Kbbakc32.exe	34
PID 2584 wrote to memory of 740	2584	Kbbakc32.exe	34
PID 2584 wrote to memory of 740	2584	Kbbakc32.exe	34
PID 740 wrote to memory of 2932	740	Kpfbegei.exe	35
PID 740 wrote to memory of 2932	740	Kpfbegei.exe	35
PID 740 wrote to memory of 2932	740	Kpfbegei.exe	35
PID 740 wrote to memory of 2932	740	Kpfbegei.exe	35
PID 2932 wrote to memory of 2024	2932	Lbgkfbbj.exe	36
PID 2932 wrote to memory of 2024	2932	Lbgkfbbj.exe	36
PID 2932 wrote to memory of 2024	2932	Lbgkfbbj.exe	36
PID 2932 wrote to memory of 2024	2932	Lbgkfbbj.exe	36
PID 2024 wrote to memory of 1516	2024	Ldkdckff.exe	37
PID 2024 wrote to memory of 1516	2024	Ldkdckff.exe	37
PID 2024 wrote to memory of 1516	2024	Ldkdckff.exe	37
PID 2024 wrote to memory of 1516	2024	Ldkdckff.exe	37
PID 1516 wrote to memory of 2640	1516	Lglmefcg.exe	38
PID 1516 wrote to memory of 2640	1516	Lglmefcg.exe	38
PID 1516 wrote to memory of 2640	1516	Lglmefcg.exe	38
PID 1516 wrote to memory of 2640	1516	Lglmefcg.exe	38
PID 2640 wrote to memory of 2988	2640	Lgnjke32.exe	39
PID 2640 wrote to memory of 2988	2640	Lgnjke32.exe	39
PID 2640 wrote to memory of 2988	2640	Lgnjke32.exe	39
PID 2640 wrote to memory of 2988	2640	Lgnjke32.exe	39
PID 2988 wrote to memory of 1112	2988	Ldbjdj32.exe	40
PID 2988 wrote to memory of 1112	2988	Ldbjdj32.exe	40
PID 2988 wrote to memory of 1112	2988	Ldbjdj32.exe	40
PID 2988 wrote to memory of 1112	2988	Ldbjdj32.exe	40
PID 1112 wrote to memory of 1984	1112	Mlmoilni.exe	41
PID 1112 wrote to memory of 1984	1112	Mlmoilni.exe	41
PID 1112 wrote to memory of 1984	1112	Mlmoilni.exe	41
PID 1112 wrote to memory of 1984	1112	Mlmoilni.exe	41
PID 1984 wrote to memory of 1308	1984	Mpkhoj32.exe	42
PID 1984 wrote to memory of 1308	1984	Mpkhoj32.exe	42
PID 1984 wrote to memory of 1308	1984	Mpkhoj32.exe	42
PID 1984 wrote to memory of 1308	1984	Mpkhoj32.exe	42
PID 1308 wrote to memory of 2184	1308	Mhflcm32.exe	43
PID 1308 wrote to memory of 2184	1308	Mhflcm32.exe	43
PID 1308 wrote to memory of 2184	1308	Mhflcm32.exe	43
PID 1308 wrote to memory of 2184	1308	Mhflcm32.exe	43
PID 2184 wrote to memory of 1712	2184	Mhhiiloh.exe	44
PID 2184 wrote to memory of 1712	2184	Mhhiiloh.exe	44
PID 2184 wrote to memory of 1712	2184	Mhhiiloh.exe	44
PID 2184 wrote to memory of 1712	2184	Mhhiiloh.exe	44
PID 1712 wrote to memory of 1628	1712	Maanab32.exe	45
PID 1712 wrote to memory of 1628	1712	Maanab32.exe	45
PID 1712 wrote to memory of 1628	1712	Maanab32.exe	45
PID 1712 wrote to memory of 1628	1712	Maanab32.exe	45

C:\Users\Admin\AppData\Local\Temp\066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe
"C:\Users\Admin\AppData\Local\Temp\066df5952814950b4fe1aa0fefd942b773b9e43ac5a0b02dbe7f07bd4cf3ce7f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\Jmocbnop.exe
  C:\Windows\system32\Jmocbnop.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\Kjbclamj.exe
    C:\Windows\system32\Kjbclamj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\Kbpefc32.exe
      C:\Windows\system32\Kbpefc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\Kbbakc32.exe
        
        C:\Windows\system32\Kbbakc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\SysWOW64\Kpfbegei.exe
        
        C:\Windows\system32\Kpfbegei.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Lbgkfbbj.exe
        
        C:\Windows\system32\Lbgkfbbj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Ldkdckff.exe
        
        C:\Windows\system32\Ldkdckff.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Lglmefcg.exe
        
        C:\Windows\system32\Lglmefcg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Lgnjke32.exe
        
        C:\Windows\system32\Lgnjke32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Ldbjdj32.exe
        
        C:\Windows\system32\Ldbjdj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Mlmoilni.exe
        
        C:\Windows\system32\Mlmoilni.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Mpkhoj32.exe
        
        C:\Windows\system32\Mpkhoj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Mhflcm32.exe
        
        C:\Windows\system32\Mhflcm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Mhhiiloh.exe
        
        C:\Windows\system32\Mhhiiloh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Maanab32.exe
        
        C:\Windows\system32\Maanab32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Ndafcmci.exe
        
        C:\Windows\system32\Ndafcmci.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Nnjklb32.exe
        
        C:\Windows\system32\Nnjklb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Nnlhab32.exe
        
        C:\Windows\system32\Nnlhab32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Nfglfdeb.exe
        
        C:\Windows\system32\Nfglfdeb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Ncnjeh32.exe
        
        C:\Windows\system32\Ncnjeh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Omfnnnhj.exe
        
        C:\Windows\system32\Omfnnnhj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Oknhdjko.exe
        
        C:\Windows\system32\Oknhdjko.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Oehicoom.exe
        
        C:\Windows\system32\Oehicoom.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Okbapi32.exe
        
        C:\Windows\system32\Okbapi32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Pncjad32.exe
        
        C:\Windows\system32\Pncjad32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:360
        
        C:\Windows\SysWOW64\Pmhgba32.exe
        
        C:\Windows\system32\Pmhgba32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Ppipdl32.exe
        
        C:\Windows\system32\Ppipdl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Pmmqmpdm.exe
        
        C:\Windows\system32\Pmmqmpdm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Plbmom32.exe
        
        C:\Windows\system32\Plbmom32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Qaofgc32.exe
        
        C:\Windows\system32\Qaofgc32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Amhcad32.exe
        
        C:\Windows\system32\Amhcad32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Afqhjj32.exe
        
        C:\Windows\system32\Afqhjj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Adgein32.exe
        
        C:\Windows\system32\Adgein32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Aldfcpjn.exe
        
        C:\Windows\system32\Aldfcpjn.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Bdfahaaa.exe
        
        C:\Windows\system32\Bdfahaaa.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Camnge32.exe
        
        C:\Windows\system32\Camnge32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Caokmd32.exe
        
        C:\Windows\system32\Caokmd32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Ccqhdmbc.exe
        
        C:\Windows\system32\Ccqhdmbc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Clilmbhd.exe
        
        C:\Windows\system32\Clilmbhd.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cfaqfh32.exe
        
        C:\Windows\system32\Cfaqfh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Coladm32.exe
        
        C:\Windows\system32\Coladm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Cffjagko.exe
        
        C:\Windows\system32\Cffjagko.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Dkeoongd.exe
        
        C:\Windows\system32\Dkeoongd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Dfkclf32.exe
        
        C:\Windows\system32\Dfkclf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Dochelmj.exe
        
        C:\Windows\system32\Dochelmj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Dbadagln.exe
        
        C:\Windows\system32\Dbadagln.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Dkjhjm32.exe
        
        C:\Windows\system32\Dkjhjm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Dbdagg32.exe
        
        C:\Windows\system32\Dbdagg32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Dgqion32.exe
        
        C:\Windows\system32\Dgqion32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Dmmbge32.exe
        
        C:\Windows\system32\Dmmbge32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Ejabqi32.exe
        
        C:\Windows\system32\Ejabqi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Empomd32.exe
        
        C:\Windows\system32\Empomd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Ecjgio32.exe
        
        C:\Windows\system32\Ecjgio32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Efhcej32.exe
        
        C:\Windows\system32\Efhcej32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Eqngcc32.exe
        
        C:\Windows\system32\Eqngcc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Ebockkal.exe
        
        C:\Windows\system32\Ebockkal.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Eepmlf32.exe
        
        C:\Windows\system32\Eepmlf32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Eebibf32.exe
        
        C:\Windows\system32\Eebibf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Fbfjkj32.exe
        
        C:\Windows\system32\Fbfjkj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 140
        64⤵
        Program crash
        
        PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgein32.exe

Filesize
100KB

MD5
c0bd84bd813cd77aa0724e1329157c14

SHA1
09284b8368242872cd6a33739e0662567c397575

SHA256
a209b50223d13ad6d376e350911519424d1c19ef4950af0a52b439b22c41865d

SHA512
7593090e72a06dda393056fc1f7de2696c19bedaea3589e35934deb52ea8228c8da9f39b7ab9bcf0e50ec369aff4ac11a51cd2758a4f801690dace6f5946fc08

Download Submit
C:\Windows\SysWOW64\Afqhjj32.exe

Filesize
100KB

MD5
784dfaad926e4f5b44a8678446bc103a

SHA1
720c6d2ebfdde1f0b5ae009fe9641ac19fd69c69

SHA256
d774eb866ac6fe41e0aa09e15fe5c50bb251c04cd3242c2b299ca87dd50ce140

SHA512
929fdf909958c95ece44313991596f863c671798ecc6e240cdd1eebc3abc00034b9f6c576eb9870a62a68dc9967b1e41c7390239404046d15ba20b860fd0c8f0

Download Submit
C:\Windows\SysWOW64\Aldfcpjn.exe

Filesize
100KB

MD5
e6cff1bf79383ba01c1729a39d57896e

SHA1
be5117b2fcffec8c28d34f02bfd20f9f37946498

SHA256
4a7850f24999408615bed58f3b5aead2f5e9c5de0926ca80e78f0fbb1328f6a6

SHA512
5522594881d4972d44bc355f0db6246c061b0cfa6fd501b4871a94332d3d2a6d7fd15f8859b84889afacad0cfc2019dd98b1fd4da1e07fa441b8b9126eace028

Download Submit
C:\Windows\SysWOW64\Amhcad32.exe

Filesize
100KB

MD5
ade9f039d68c57ab20bbe6df0225ea0b

SHA1
9600ad6763e3d881473811dff1f719596ce1429f

SHA256
6b9b75e51d66deea8174a38e11a7296035d0351fc035ed06d4c6d9e8b2f14530

SHA512
b0bdb6124f268f776c0be027098ef89316fdbd71dc2332d3b2da33a718eec5a7fb061e1632f67cf14dec89ab5976120589fcce512b244ed2aac16d8ad92e5813

Download Submit
C:\Windows\SysWOW64\Bdfahaaa.exe

Filesize
100KB

MD5
455edc7fbd5676929c8a696f105e4be2

SHA1
2d969475347b2567d2d7abd02a7cb7ee865f69f5

SHA256
fa6b06a4b3de55364903e741873ddc32ec8ec7797714d0cacd30e52af95f0d4d

SHA512
e8655fc283824b2eab94a6b26f23d32d0af8581d54d6eab49feca5f6681553a5e26853b1ed38a42193ae189a9ce9f9d892f72e501a3af9024cf7500881319259

Download Submit
C:\Windows\SysWOW64\Cahcle32.dll

Filesize
7KB

MD5
8af986b45046b47cfb84d898c5133158

SHA1
cff63e001625b6c4ce3734d98187c786a4d3ef4c

SHA256
17d88996f90cbfb9ee0baa3ca55526755ec1b126476d003b76bac0db4f251066

SHA512
06ad3943c918b255a721b2dfce4868a844d06a04ee06d3189742d2d77c8e113785c3caefb99916869441e40a0e3bcb134dfb48682504b9b0d0b4a5e9135af71b

Download Submit
C:\Windows\SysWOW64\Camnge32.exe

Filesize
100KB

MD5
ae098d434fbc0b43da50bfa57b745741

SHA1
431f3b9154c2fb85e20232a208bea6504b068883

SHA256
3fd820d1adb31a6176b0edc57fceb812dbc51942a1515c8e93a577b7f85ac6d3

SHA512
0f3d9ef470f320ac64837d75d23c56311fc07f554aaff6ff46bf7ded0570dc6d99b01e9f286a0eb2d45019aea4c31f51c97a5eb38a0858b83cf3f423e04c1ba6

Download Submit
C:\Windows\SysWOW64\Caokmd32.exe

Filesize
100KB

MD5
5d179018c6eceffa165eb26db981ff21

SHA1
214866210d7b53090cf9732f7ccbe208ef58b18a

SHA256
21cf4fa109b07492f224be46e3a681e2f09332a67bb9c601c06b81ece0084627

SHA512
3d59ce75c1b536d3e3d4ee6497787b7ee524929567d4589071d2e15d28300bec9b08e124d0292d4fa0edb10c1635ec0f1cb76523cd413c3e800138d51eee64c2

Download Submit
C:\Windows\SysWOW64\Ccqhdmbc.exe

Filesize
100KB

MD5
137d10fa1e6f5840244ed88947208d04

SHA1
fc96bc58b83023920b89bce8fe3da1a1bb593233

SHA256
6fcac9f4ae3f5a8e46c4629477aaa8b558c51a42caa86e6b0c636d6b359aca83

SHA512
29f20ab8b2becf56ac1c62b5a2aee2efe68d729b508ae3a9acef149c04b50aa625d212bae17900d72ee3e65dc79d0ad8cee4ef57bac1499a78f5b94d2513e184

Download Submit
C:\Windows\SysWOW64\Cfaqfh32.exe

Filesize
100KB

MD5
58f1bdeaf568a231e70ca29ce82c8047

SHA1
002c9d86ca26d80b3337a21452178a1fbbaa42ad

SHA256
9db3d2670a14f210a798998ab7667b351e8082553b0b8086d490ca9aa65dda17

SHA512
d2c2cea5d85147d0e2135a4973646ef157b1f7dd7901f58c885c8997fd366b504479cdceb65bfed719687aee0ac26fe8a6af47f8794c08fae41beb182bda33ad

Download Submit
C:\Windows\SysWOW64\Cffjagko.exe

Filesize
100KB

MD5
17a0e9bdcfd6c818aa56254f44963b55

SHA1
a81bd472a9f9c0704d80c08841057137e7f67604

SHA256
24ece966c3dcdfa190c4ae90ab9a32517ade66cf0b28dfaf329df1ac5c234a52

SHA512
12329c83fc56b5ac33dea04663c236b645c6da399db972752abddaa56c5bbe2c7dc1b07a83ed3ca3154133c8c7cf209331e6d6c24b35f146c2b34554d5a62866

Download Submit
C:\Windows\SysWOW64\Clilmbhd.exe

Filesize
100KB

MD5
d2cbdf0488624a5226f109339e432201

SHA1
420d83d9072b7e1a4059d7984ca8ecf1d069ff1f

SHA256
227fcde3496bde32a365939d9e4faf05e4911ebbc7de6408b72ee72b3573da7c

SHA512
59fa0010480b534aa8106956f101e80668e2c4860409dda647134b1f6d6dbe474b28c621a16af8a7f7fb6aa5f87c6c89fd20ada59733e190e5e40313ebd7b010

Download Submit
C:\Windows\SysWOW64\Coladm32.exe

Filesize
100KB

MD5
6c64de51b8448d36de1b8d488c3df757

SHA1
a7fc65c21b1fc9c43cbe818ef0de349e3946fbd0

SHA256
fb1f649cab8ccfe559dc72c058fd668b612046a811f5002c554f043d35e3d56a

SHA512
fa61464d814e15bcca188cfbe18f4f86c576fbd53f8dc5d85b3bdbc5b26af649c2881659e43a16f0f63d39e8621f1401fb73fc8e6f5f060cf5474efcea6b4e7a

Download Submit
C:\Windows\SysWOW64\Dbadagln.exe

Filesize
100KB

MD5
d6c8abe82af1765fe01228fa6b4f33c4

SHA1
00f94577b17358d2dd02ef307545ee3c5f07e834

SHA256
b921efe601f2348584aaa791ab160fb0391631a4d9a457b3e1613a37d3bdb31f

SHA512
a8fac8e58d7a56b7db7d3dc1183651dc0c1c1de916a7ddc6cad6d3830436bea633b27c65f86dc7fbb74f9d0fbab3f2f074cdd540891a4624428ecbf9c167ca3a

Download Submit
C:\Windows\SysWOW64\Dbdagg32.exe

Filesize
100KB

MD5
7776889fcdceffd05837075e916cd65e

SHA1
25a59912bd861dd4f17917678b647ed3b93c1e8b

SHA256
d6f9e04ed816628f4d955453f3e1293d32feb2d3ea10b1dfac2c3009c2ca0eee

SHA512
00083c025ee752355a643fe59d966f19aaf5bb2fa98be531d174595d472c0dae7e3c547b666c7b4da4bfc00b8e97a48e96f10a8d188f8bb48aa36b5544f3c803

Download Submit
C:\Windows\SysWOW64\Dfkclf32.exe

Filesize
100KB

MD5
ffac389053980a5abf0f29d5696eef72

SHA1
131d65972969f15f56c8db2edf9a906b388d4a0f

SHA256
2b65cdb37bc79389ff5d197510fe4a9641f91f7ce9d0991016533f280d664db4

SHA512
7f8e4fe7e0e3d776ea61e25cf55df0a3ff72e39e600797ba7580defed088049131535ec631cfb94b4e6db219b26cb90e28e94d815621f6579c858b727f802edb

Download Submit
C:\Windows\SysWOW64\Dgqion32.exe

Filesize
100KB

MD5
099c876e0088eb907e27568ed790c2f7

SHA1
27044c04f73a7d096eb7a1e5f5e62c7abc6a2e73

SHA256
0a7fab1f413b41d5613e7cc3adee1f3a81150dc8a68ce162c2ca781770797fc6

SHA512
97d712b4c931655d5a62678f00054494980accecd32c492964c264bf382f619b9a9bc2b70167bb06ee9f571112969885386c7db2d99ad968844d5a457d50928a

Download Submit
C:\Windows\SysWOW64\Dkeoongd.exe

Filesize
100KB

MD5
39a34b41bf4c7f08490715a8c7941d59

SHA1
f0702fa2adc4da20f37675f4f4c159988b034188

SHA256
72be37abc5646c817c00e9b12a0c44bd408b5ea54985177927ca9ce39ea31f90

SHA512
3b6e31e9550d27672f49a6aa01613c9c214978cce34981300f74730a61942267edfd2ba8c98f073f9dde1aa10425e0854b5fe18a82f34a2f37ec14deb145a790

Download Submit
C:\Windows\SysWOW64\Dkjhjm32.exe

Filesize
100KB

MD5
1f7a04e5da7be332f0e1242b06bfd84e

SHA1
7051f22c82da2c2ae668ca9fc2c904e10a666016

SHA256
772099c5b28ecb2fb4dafadea06e23057d91e0136900133302ab14175e3831c3

SHA512
95205a5002882666da309272536da1482eac0120cc8a00fcb725d493e56d6cf4f8947e4b1c187baf27c813e3fb14e9ea952f36e22e1e3888a1c83763a4212e4e

Download Submit
C:\Windows\SysWOW64\Dmmbge32.exe

Filesize
100KB

MD5
cf82604c9931cc9f83c23449e056a8ee

SHA1
438d58d9a506ad2557dc120453e4586aa84a34ba

SHA256
99ccf513aeaea5eac81bd8bfb73597cc776ff0e5cbd71ef3d9b0a458f4f9fdf3

SHA512
67299c29e4c4f2ab5dd5bfad00794d3d1d4684fc6d94c576f91f50dec13d9ea6ceaa76da95e5c8ac70503030ff80da4ea74892907e5de55e495894d61b0963df

Download Submit
C:\Windows\SysWOW64\Dochelmj.exe

Filesize
100KB

MD5
cd0435a3a6b74b861dda8156d61d322d

SHA1
89cb051f98280d69d48dad9c4af6ea6c111bc293

SHA256
9065d360ea837370c8c9364bd7e7bf79572f685c3ba4420b56b05f7cd29533f6

SHA512
b7ddcad96a76b30d512e8fce419b3daca9b2a9ecb2260f44e16f58daeb993fe5697b27037330660f18fa68ea795138366081fb4120f6aefe3e5704981384ef16

Download Submit
C:\Windows\SysWOW64\Ebockkal.exe

Filesize
100KB

MD5
9cc34ed2fe3036b7bbddb408c660f92f

SHA1
6ca45d674243860127c3fe59139efeca486092c2

SHA256
92882f6ea9127a57a56980a4ae48c2dcf0336ca04aad6bb923eb30b301dd1733

SHA512
557b8c7dc94cda74890c14a61f15b1b7d302791b4557d518179ce5a3908bd8fb428150690d7d83c3d349887180010eb74df6d7cd68c8a03ac837316acb938bd5

Download Submit
C:\Windows\SysWOW64\Ecjgio32.exe

Filesize
100KB

MD5
99c31ae6dc55b737dfcbcca9372c5b18

SHA1
7164b8b86d8a2c2c261594c45e013a3325b58c30

SHA256
baa4c96b7b36e8d0ce62e53fdb385d2f58c144c1a8f24982517fb8e4ea11d885

SHA512
a3feacaff4c83a93e3e4e8bd219396f7c4cc115563ad272e3375eea38581c192ef1926c3c09023159a3970abe67517367d3c18201a70bce528b66a1de3f5f06d

Download Submit
C:\Windows\SysWOW64\Eebibf32.exe

Filesize
100KB

MD5
3e149bea123b9b6cb107484920beba96

SHA1
2d3c2f19fe6bac19bba3f06a486cf776e38e68ec

SHA256
b87d6cdca97eb01cf9c48da29fcf0ff166aac9ff6caf06365806a7cfe43dec9a

SHA512
7aeac718119d1e47092cde541e66308e6e5d5b8390aea6faf77e2dd2fb9998d5b4b118978f3b4d9d550f7b399e4f03e67e58c033ddb6cd9c4acf050713b6a28d

Download Submit
C:\Windows\SysWOW64\Eepmlf32.exe

Filesize
100KB

MD5
940a097158c48d10398e6c3ab30ce309

SHA1
de050e93a46d52e81af03a7f79d40af05c8e0cfc

SHA256
671b6dc92a6416fbd92aa47d5d07965d8f046b33c4cc79f8013aa2ff892b94e7

SHA512
a94b118421cc1dc61398006490ed9c9fce8b001d5c6f5d6900bc4c8a865b5cb6578bf0f019cacf017d23ea6578e5bfb747372dccde9b7172200e0aad4c883a32

Download Submit
C:\Windows\SysWOW64\Efhcej32.exe

Filesize
100KB

MD5
4a08a38b77cc6c69a2eddc37e6000a0d

SHA1
5981f39b4ebb3dfbbcc9aa4bf15e43973842045c

SHA256
5944b5fb7a690cf1dce471909ab49e0c400175eaf6e042d2f8659b057c4cf8c0

SHA512
c28355844fe6cc4ecb3fa22ab776b8b6e53c07311edf250b68e1d6e9c2989e808329c90a099550818e2702f9afd370495f1d7eb7b15acaedc05b211149048ffc

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
100KB

MD5
86c5bf1f6c86a182c3787208c0adfa7b

SHA1
ab9dc9539c131b4776db12f8e64ff4eeee269f52

SHA256
cb7349066c0c56322dd1fc082827e5592ecb313117c2a3c3acbc679bc2cc98e1

SHA512
ae3146b7a4f0149eff34eb2097ee1b0ff69ad0070c76146a86fbfc54bc0fbf4853a837f9aeb56f0e61507b81c930fa6fc95893f7aaa99cf75c304c5f258c31b2

Download Submit
C:\Windows\SysWOW64\Ejabqi32.exe

Filesize
100KB

MD5
d9189881d46ba95e2c6e0e175e995a26

SHA1
8a778d982efe6004ac7bfae7df3e3463ee6d6866

SHA256
414383cb6242504e4cb5e79307f29c42cfebcfa06af6441c23bb88424369c484

SHA512
f8edeaf82dfdb859d456848b8c44cff4053acc863824e5c324744083a9886a04b5c048fbca58140bb00a03c4a8e55a2bff100d95e28cc1ecb51fcf0a2f395d77

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
100KB

MD5
b49e696a74fc1b68b9316efe2059c607

SHA1
a4a893899a29aba91bf2d2c7cbb443529d98aedb

SHA256
afec1789e010cf57957636a226ad0904ebb14b63ea9e481708984de60cd2f304

SHA512
917cbf5ef3ae113186580766fc83db4cca0b0845290d946b72e8103550599bd2e171635b76e390f151ed2dc8e331b9826363f9e26fc2f499a2fea05dbd405216

Download Submit
C:\Windows\SysWOW64\Empomd32.exe

Filesize
100KB

MD5
388fb26276412000604342fc6921746f

SHA1
e96e4bdeb2a1264789764578c9948a85872ac0d6

SHA256
9308e252a9feb12aa9b9e156624229e9adb95ecb9ec6587626e37fa17331f20e

SHA512
8916d03d80199989618e135f8756a3feca6af8faa74d6707357cffde2e6551b48c273fe671594006da53d08e983ede7debbb2bd2e3cb5d8bf5f508fc0a835bae

Download Submit
C:\Windows\SysWOW64\Eqngcc32.exe

Filesize
100KB

MD5
a80e4ee32388cff31446e17fbebcc9db

SHA1
8d943a6e186fa86154ac70afa34109e648cecfa1

SHA256
492fdf0ad82e477b1c0970ea1d3566001ed72c9a70950f45a92d5aef0318c5d2

SHA512
9ec355f9f470438f22e933c6aefc8edfcd22adc07f97c6b87b6caffd1c5faf4f0855c46610525e835c4c367b0f25ed1e3440b876a374d11189726ef1e81293ca

Download Submit
C:\Windows\SysWOW64\Fbfjkj32.exe

Filesize
100KB

MD5
d5065aadec5d1423005726738ea326b5

SHA1
18a20dcf48214702335c85c1d600ad0158c57419

SHA256
470c434928fecc195d71384c30e357499371561458f51f8c74f1869a321092c9

SHA512
ed95ecb2fba9ebb8fe3e07dc3f3fce2d533a3ad13a9584dbf51acd2dfe877e91027dff40cb8201c07dfd8cd876c291dbad56fae550922eac9d2251f077cf817d

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
100KB

MD5
6aceb5d54b6783fc241577bd39e8a902

SHA1
f675da016e5b31b8809991e7ce2651a4512e48f3

SHA256
542ae30dcbd4b52cf18f09c4c625fb09659998b9d12d0e7a9860ad2dc4d001b0

SHA512
cee7ed42db8ac148c8c48a760a3431dc35e34051eaa8a04b87b0f58ef6f88a480a4229b75bc59764a03839c9143ee663b705fbabacb60dfd4332a18cb06c5bd1

Download Submit
C:\Windows\SysWOW64\Kpfbegei.exe

Filesize
100KB

MD5
4d8e62af94581b2eb10a8b2519587e4b

SHA1
48e9a94c94fe26468bb3e92f9b3ebadb3ba8fd77

SHA256
d8c2ac71fc33d38b13f8e67c982011e1405193749f758c933b3329aeaff82143

SHA512
da8e7c3268bbdd628c201e4b73b2b3385d8d2eb5f9d8c96929f328f318fc04ef7c8eeca89cf0e974e739f345d726fae4b4c37037d347ff7976232c6c7e1c8d37

Download Submit
C:\Windows\SysWOW64\Lbgkfbbj.exe

Filesize
100KB

MD5
474b350d082996463da344dd004b7216

SHA1
0c1b280759bbfa28bd012f1dcc6dfe2a0ce67ce7

SHA256
85d81eb8990b2f9595c5d98d4e5c9a2cb665bb4705c503315f3804fa01eb7a08

SHA512
f7e5c865f27c14f20d96779defd6aaf1d90ba6c6712be6065ecf4c0b032ac333a6e433f164468f368f5317e9b6c675c98bda6fab4cb241a42ab1ca62f94e19bd

Download Submit
C:\Windows\SysWOW64\Ncnjeh32.exe

Filesize
100KB

MD5
83b6185e4ac74c36138f278ca1489e09

SHA1
49b61a610b71fa433da1c3fd5047fcfad7327939

SHA256
371ca99c14903a764f150c56274aad4f7788a1ac13d9b3bd6c5012500a3f684b

SHA512
0de3cc45b514d2c272e4f059adeed09b9ffe4344827529a49dd86dca1f6623a2b7e3f220a2b01bfb6dd6fc1442b3d2503f31f52f7558364e894c2ef77d51830a

Download Submit
C:\Windows\SysWOW64\Nfglfdeb.exe

Filesize
100KB

MD5
9f944fe75ddec87c200d5c0530e6f0ec

SHA1
b98082c5fbf34f7fbc00f0865518506f298db8dd

SHA256
b20fa34e911332f7f8ed6369c92dedbd2854ffc769ac21ee88c7b6c21033f205

SHA512
5f40d65dce00457c6da7288472022d1f2f4a36f7b305e03e5b10583574e1a2201ad683108485e180cf98b3ea04b86ddfd4b54aa775af488c339c7459ba441d7e

Download Submit
C:\Windows\SysWOW64\Nnjklb32.exe

Filesize
100KB

MD5
7cc29ad29caf926953d114150c9e6b69

SHA1
0ad65a52831f44d0658998183c02007087d07fb7

SHA256
9417fc7311eef9eb200072eba66b801a3ea1d0f28638bb7d2290f261302e38e7

SHA512
c6725b36f50033655b9a394bc22c5c876c4cdacc88ec5d80b9578fc9c0e84bf3693fbf52631631d948071f4fe449f17d3b2382eed4c0ad4c385527463397ac3e

Download Submit
C:\Windows\SysWOW64\Nnlhab32.exe

Filesize
100KB

MD5
4a6f4efeadb55e1f7c7cf19e33e6848d

SHA1
05f6a7bdc6c9fa78a036246988efce8236a1a5a4

SHA256
bcd71d3806b7a2828e6f55fb495b3c599742caf3b065215bbd91be1ff544c861

SHA512
bd6a3c416fac1198d7dbc41aa52f13fcd8c53f2d417839f4a2df9b57abf493c6584c1ba0100379b8643deb72210ebf58a239b8b6d13332ce499666fcc63e28f2

Download Submit
C:\Windows\SysWOW64\Oehicoom.exe

Filesize
100KB

MD5
a1f54807162c43506557cd4fef81f6c2

SHA1
85c21449c07d410dea3d255533442d5c94b5b7ef

SHA256
026bc1950dcdeee6e45fc66b1d141fd05bb9ccc11ebc8df0c9e3cd64c9d79c77

SHA512
d95c6ad9bcdd978f1ac894a8109b8918f719958d9eff75e87ef4575d8dcd140c2853c22d0391fcb656d92970b6c8ee64e9f17fbf494aa20bbc3aeabcfd04b40b

Download Submit
C:\Windows\SysWOW64\Okbapi32.exe

Filesize
100KB

MD5
f8d76240ec768219405fbbb815347fba

SHA1
7a1ef616e5c582f0096395947837e95e9180d91e

SHA256
ceb0e27c56f3733ff20f8f0d1e4b958ed5ff7ab30fafb704a0f2e738fc112425

SHA512
9317ea4e21b1d523a92417cf29fc52924818f19ea0e4bbd5b1e31cec34f3d128d7f4fd6a959cbba02ada86da8ca6c3112e80fc38ba3368d7835241c076ac72aa

Download Submit
C:\Windows\SysWOW64\Oknhdjko.exe

Filesize
100KB

MD5
300c18c5e309c411a99a02d373aee120

SHA1
1df21fe84aa4f313a94987f06d7416277e703bf5

SHA256
9311d13626ba25ae33193bd79c663be8c4b66b2ab59f3146c7135e256dda8e59

SHA512
921c40eef9b99acee5cae1b2402067cc212a468fabf7a8836e4456423c66d6fba51dc11f4497b17d0c933fe5f52a320739a4396e6a667c83907cc53796598bdd

Download Submit
C:\Windows\SysWOW64\Omfnnnhj.exe

Filesize
100KB

MD5
56d18614a534593185ce6feb9f510b3a

SHA1
c905210fd6e0dc3bc0564a265c09a00704e73a43

SHA256
d042d6fadc3743d7a8a141a5fb86bcc75dfe2870d46346d0b1a4764f5d794e24

SHA512
71dc5745095a93eea5479b68d98be2002b9d133fe7001a9db738f19abb0e6f685ef1b3de819abeea664e19b0b0817c66514a908a77040adf7dbd6a58c69a3b00

Download Submit
C:\Windows\SysWOW64\Plbmom32.exe

Filesize
100KB

MD5
57e4ad876b44f729be1d9a77932bb71c

SHA1
46c4e28d67d9246db8cce4cdf2f2e73f7dd153a5

SHA256
654c970783714bc30f37819020c78490db69edc37480e57d0cf8a9e6f3ad9f3e

SHA512
78d65af95c7a8bda0bd688b9f4ba5fc85ee8e47f14518d58464d61c9cd884bbb9487f11d0d8abffd6d05bac850475a24a8ec10abec2c4ac76746d33b8be70255

Download Submit
C:\Windows\SysWOW64\Pmhgba32.exe

Filesize
100KB

MD5
77b556ee8d13d3b739dfdda65afcd408

SHA1
2f8146c480fff593f1ff16850b4a57853d9792b3

SHA256
b50d63b8247b92d5cb4a7dcd8cce065d0bc61b42d956b3df7962227c1bda0743

SHA512
594709743fed719b54cc47dbfe9da48761f623ddc4921b8bb22f2b3a4205917d1925f1e6b7e515268fdbbad9e3fbc4c309968f0e8d03c3115d735c0b8e5a17aa

Download Submit
C:\Windows\SysWOW64\Pmmqmpdm.exe

Filesize
100KB

MD5
1b7e7660ea91909086fe64bfcaf8fd84

SHA1
438cc3289af3bdd8641bb85f8751f0d9b66c2e50

SHA256
d15691f315f9fcfbbe35245418c5a39da26a9468b61ca0bd02d07c71d23d0c12

SHA512
e0ee78e3397c4dc62b51fc90d2e99e175ed3ac857b691a9a82bdc2ae3c8d0d2ea1e893705a61d7d09915c4aeb9bbc611d8042a6c29267af9abdc5c81842aa3aa

Download Submit
C:\Windows\SysWOW64\Pncjad32.exe

Filesize
100KB

MD5
d0d61dc3c45195cd4857d4b63f8a3e76

SHA1
11ff951b4c1c89bd6f4df0919e03b8c3968e82fc

SHA256
739a6a19d7d688de60526aea52ca96fa76e5a1a276639ab29cde373784a4651b

SHA512
fde43bcea33450a2cd414cc823a9584585cfd3ff885ce609d6a0753034bb0d1faf2e592073ef46e40c8aa6e70b4a429590c539e37ad1c981d323693e7ebfdd00

Download Submit
C:\Windows\SysWOW64\Ppipdl32.exe

Filesize
100KB

MD5
192038603340683c8c3efe027ab05c8e

SHA1
d562f525f0c25b88906ab1533c5b1be94ba52702

SHA256
09b50b1d4fa296bded2eb9bd7b7a78baa6be7d4f223d03cfb684e25637516920

SHA512
43bbc89ea9601b55636ebcc22124e457a6bb252573dc67f2ac0a4e93f942bb5466dcdabb1aeb79c7047ff2da9f0030174df5462f5258c48386bca3451bd58e0a

Download Submit
C:\Windows\SysWOW64\Qaofgc32.exe

Filesize
100KB

MD5
d8baa1a33840c3d7f49ca8197d8040eb

SHA1
585786c46eda13ebb1aa375ec77d6da1cd8414cc

SHA256
c48fb641d557bc6960833386339f6d3200c5cb5cc3a34598c89d6bc95a57509b

SHA512
4f530885f07117c9a13bb9a87a88dc499a496b8455d5482a3e4983c28381a7e54dde08cfb667a1a43f6c6de6e23ec27eed11bbcac701cbe0f09bb63fd2cda0fb

Download Submit
\Windows\SysWOW64\Jmocbnop.exe

Filesize
100KB

MD5
f42dc7618a7a166f62c7454ce028a6b3

SHA1
4b1c726a724c7c7f8d774306d6f3e5b91a8b4ccc

SHA256
be4ec38a79285b1e2dcf41033964f61238f5623ed8d1dd299644ba6ffff78c86

SHA512
dbf1d7430097dbe4da6eb23aa3f066ac448f456e62136dca5be3943479f2284e4cf7d390857308daf0ff6a2219d0b2da25798333f385ea3d4004a7d62218d267

Download Submit
\Windows\SysWOW64\Kbbakc32.exe

Filesize
100KB

MD5
122518276574a54431c8bc76e98ca6e9

SHA1
005a051f8dcadb24c402f6a8838e99ad00de974a

SHA256
5eb027563349b4dbf4156d94d7c66ce4827e9223333b25ca463a6b8afec785c5

SHA512
073d59540779507caf682cc67a24ad7d8ba42ad6d2218c2269e18c89e758fb0603444c4a6be711106d57b43584b71888f05ecec4a6627a649ad95dfec3016405

Download Submit
\Windows\SysWOW64\Kbpefc32.exe

Filesize
100KB

MD5
35d15fc69e903deea568fa05d69b817c

SHA1
12a5c62f78b0737724d3071e4691c0facc742a2a

SHA256
c932bfe25ebf84be17af9b70d27eb2f36809d64796112e8efd271535c8be429e

SHA512
b0bfb3cb81e3b4cbad119bdbf180e8d4bb1df2bb8bbd86172e54be1c868ae5df6d11822e8d597bc013b2ec9bd585a3f9d205d1cbedf6fd18fa004a4477048c8e

Download Submit
\Windows\SysWOW64\Kjbclamj.exe

Filesize
100KB

MD5
8a790d9550f822b1fc93cb554a218f24

SHA1
97dae19364ca6e4f1f1e399a1f4a8cd1bb194ff8

SHA256
1adfeb7498eaca07b6a91ff7d4183da1532b2454b47b27cd49e8df37b21d7905

SHA512
f23bcdfb6cfd939ca41e38eccf37a587edd254f5fc9ef6a435a21e0ca25fea16390532b42ab52aca0fd9d218a2e4ec720d00d572c400f0ff006ffd6a83636d22

Download Submit
\Windows\SysWOW64\Ldbjdj32.exe

Filesize
100KB

MD5
6ef8286ac819c9907fa2fe407d2912fa

SHA1
6f6ed73024fb3d05516a77bb7f253931495941f4

SHA256
cd186a9ffc890d034f88555aac195cd674fcae15f74b1eaddaf5ceb8467d05da

SHA512
3815f1b9358d03e01ef171c50f35b6512eb821888c1898426c0c1956bfcd9be6dbc86021d91b13fd15c5721eaa2232e595e4b7072a9fd0713094fb452cca10dc

Download Submit
\Windows\SysWOW64\Ldkdckff.exe

Filesize
100KB

MD5
c69deecc606ebde389072f214c5c1d8e

SHA1
25337608f4ee4a5f67da8633a3b183bf13e3fc9c

SHA256
f8d6a831c7eadb69fe4602e67a59b3bde9ca09a2476dcfd139fd7fbb671ddbe6

SHA512
45d9ab42f9b22457c4afd65bb3b78d0fc940f62eee62edfe220a251480ff4391907209eecc27fbf93bffa5e5fc0443f4106f308d744200f08d06e6155fe3252d

Download Submit
\Windows\SysWOW64\Lglmefcg.exe

Filesize
100KB

MD5
0aadf7b7a44a98541aa8d77ba342dea5

SHA1
637d873f3ebfcbdf9b4e080f1fab9d4ead791189

SHA256
7f8b59b96c07042c7335617c42cc30afe964cf245a8ca6336137c47d02ee86e1

SHA512
88ef29f2b99f1a035fc0817b62d095c226b5cec7ad62c8765c6ae69ab1d02f2c26c8040ab7ed7a273c9c112e1e4a712cd01cf13de4c6f972107f7626575a38cf

Download Submit
\Windows\SysWOW64\Lgnjke32.exe

Filesize
100KB

MD5
242291ddc530a0b0e61226aebfc49f9b

SHA1
45e62e283d8e172c593c906fc79245210b083ab7

SHA256
f6722dba53c60723ad53480ccc8835164214df0e24358c016a5dc56d9d874b8b

SHA512
bacb0c7055f64458e963b096c2d075faff6fb395348bd7df3c367b6254f0d9e5818a12e7cbe13d240b36679e2ade6023fe5e7fad3e8127c740f3026590f40271

Download Submit
\Windows\SysWOW64\Maanab32.exe

Filesize
100KB

MD5
9b142778b1c691b1ec702b05cc401033

SHA1
ea3a4448c9de27d56e68dd99d37a3d602ff77f5a

SHA256
3ff45e562e89ba822908993546c3125a80d17b6cb7b5ac26ee293597df8ec09a

SHA512
f9d369235b3de029c5712f4e8406477659f12557f6b9e6a13e23aa2f5104905a0433a29d903b09d1887059a18b2fff8c4e9843722d789b3c80be6486b9e15665

Download Submit
\Windows\SysWOW64\Mhflcm32.exe

Filesize
100KB

MD5
2f1855ec7c78f9ca78dee9691f4253f4

SHA1
b58454fabfcd9557487a356fc0de1f730640c65c

SHA256
d941e609fb3061022877167180e16f05133bb0473c30313d4fd30b7c98a8849f

SHA512
1ba90593ae0d86ae073eafdb4e54ad32ac49c8bf5a4a08268c5fb50cb7e7f296dd961668e46ca0eab3a8604e187f0a2c5f56e79d34fd3cf0fd2b035e668a2944

Download Submit
\Windows\SysWOW64\Mhhiiloh.exe

Filesize
100KB

MD5
3b4434676019984de7da68b21ff8b5d8

SHA1
c64f49541f89d19dfff0e61029e2e4afc63acb5d

SHA256
d004ecf47a0d49dce9b3ac195dbb141666f666ad058019a7e0f49b8d0bb5a240

SHA512
dfaaab90bcc85b8882a9723c6e68e0183da3f425691d209df8dc2900becc025926258845617211d198e19c8a1041a1d3f409ad88028df6326e90fa6de24772d0

Download Submit
\Windows\SysWOW64\Mlmoilni.exe

Filesize
100KB

MD5
d95a5ae7ceecd9103d6168cced1e49ae

SHA1
8a82b8691643fe7d7aa0fd2153d2fd999fc35d74

SHA256
674209e7fd3f144484935968be6a19e8ee4309385bd3b9b71c54c2a29d3f0ae7

SHA512
573bb60f979f2a9008d6e5654de36f56652e104b4a5ee666eda6f702f1a4a6862fb5d66a6c6c99c500165ff061797ad4d28e9e66d0ba1362ce912f9b86411a21

Download Submit
\Windows\SysWOW64\Mpkhoj32.exe

Filesize
100KB

MD5
c598cfb47dbef197368b903d4cd232a4

SHA1
d772178575ee3cf43531fdd217034a375aad58f1

SHA256
a8c1e93fc1fa0fd6a114a4090e515f281ed3f3f483dd4993362de527489f712d

SHA512
009dc69b20262f39d3ea43d0546bda9157f9d05ad2e6b8df580f77c39e32c2aa16a90f41d78214cae2c1d583ca386a0cb23a0d5cb181c3bca36e68a2177608d8

Download Submit
\Windows\SysWOW64\Ndafcmci.exe

Filesize
100KB

MD5
1012048bbf268855bf11d36f9af06443

SHA1
b5cf1e4454191d8c66fe570134f647f131f718ac

SHA256
e7d3d8d96838e14b5a709d4142f52fb56e83695b1deb8eb66b476bc92a61f93e

SHA512
aa27ecb0266a54c51fdb7cd0b8bbbd4f1dc7913fde4777dbca76fd7dda870363985b07a91f9a9e63338318588c19e8b9d500c9e05c7e3c9fed6cdf5958c4a1b8

Download Submit
memory/316-247-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/316-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/316-245-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/360-323-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/360-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/360-322-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/552-401-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/552-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/592-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/592-278-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/592-279-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/648-235-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/648-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/648-234-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/740-423-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/740-69-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/740-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/740-77-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/920-486-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1068-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1068-257-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/1068-256-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/1308-174-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1308-186-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/1364-11-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1364-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-12-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1364-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-356-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1516-451-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1516-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1608-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-268-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1624-267-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1628-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-301-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/1704-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-297-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/1712-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-213-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/1720-472-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1720-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1740-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1984-166-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-107-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/2024-440-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-444-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/2112-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2156-409-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2156-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-333-0x00000000004A0000-0x00000000004E3000-memory.dmp

Filesize
268KB

Download
memory/2240-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-334-0x00000000004A0000-0x00000000004E3000-memory.dmp

Filesize
268KB

Download
memory/2364-487-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2364-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2428-312-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2428-311-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2428-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2500-290-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2500-286-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2500-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2544-390-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2544-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2544-389-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2584-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2584-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2596-361-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2596-367-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2604-55-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2604-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2604-48-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2604-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2608-379-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2608-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2640-129-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2640-471-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2640-122-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-463-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-467-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2728-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2728-357-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2768-344-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2768-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2768-345-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2780-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2780-39-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2816-376-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2816-22-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2816-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2832-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-90-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2988-143-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2988-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads