berbew | 2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7c

Analysis

max time kernel
112s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7cN.exe
Size

89KB
MD5

447d9363e9a54377583a4548609c4b70
SHA1

17aeb8b9dc6c272bed1f7ecef6fd7e1516442b99
SHA256

2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7c
SHA512

d0e2d23574ded8ee63ccd339cf1c00b264a89a92d2c07d879d6963a58a2298a26bc27acf3803c941402239d9cefdbb2f38a632995e3218ca859149855c122290
SSDEEP

1536:Q1F3Oq+7cIvvtVj8AZ2rRc+Sw83gPxAPPv922cSUtI0lIe4ErvbafDK2QyRQ6UR+:QuBiOBMEfDK2QyeRjb5ZXUf2iuOj22lN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2348	Kbaipkbi.exe
4120	Kepelfam.exe
2352	Kpeiioac.exe
2896	Kbceejpf.exe
1240	Kfoafi32.exe
4864	Klljnp32.exe
2956	Kdcbom32.exe
3888	Kedoge32.exe
4964	Kmkfhc32.exe
1944	Kdeoemeg.exe
2912	Kfckahdj.exe
2248	Kmncnb32.exe
4468	Kdgljmcd.exe
1592	Liddbc32.exe
4076	Llcpoo32.exe
944	Lfhdlh32.exe
2160	Lmbmibhb.exe
368	Lboeaifi.exe
1340	Lmdina32.exe
3752	Ldoaklml.exe
2928	Likjcbkc.exe
3416	Lbdolh32.exe
1464	Lllcen32.exe
3644	Medgncoe.exe
4480	Mpjlklok.exe
1420	Megdccmb.exe
3940	Mplhql32.exe
2140	Meiaib32.exe
444	Mdjagjco.exe
712	Mmbfpp32.exe
1344	Mdmnlj32.exe
4896	Miifeq32.exe
3768	Ndokbi32.exe
1908	Nepgjaeg.exe
2964	Nljofl32.exe
4952	Ndaggimg.exe
3720	Nnjlpo32.exe
632	Nphhmj32.exe
2336	Neeqea32.exe
5068	Nnlhfn32.exe
1956	Ndfqbhia.exe
3048	Njciko32.exe
1948	Ndhmhh32.exe
3988	Nfjjppmm.exe
2564	Ogifjcdp.exe
4104	Ojgbfocc.exe
3668	Odmgcgbi.exe
228	Ojjolnaq.exe
2388	Odocigqg.exe
3724	Ofqpqo32.exe
3328	Oqfdnhfk.exe
3832	Ogpmjb32.exe
3360	Oqhacgdh.exe
4800	Ofeilobp.exe
3196	Pmoahijl.exe
3944	Pfhfan32.exe
2888	Pmannhhj.exe
3256	Pclgkb32.exe
4744	Pdkcde32.exe
1112	Pflplnlg.exe
3948	Pmfhig32.exe
4916	Pfolbmje.exe
1652	Pdpmpdbd.exe
4508	Qnhahj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kedoge32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Aceghl32.dll	Kepelfam.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Kepelfam.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Allebf32.dll	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Meiaib32.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bhaomhld.dll	2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7cN.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5884	5664	WerFault.exe	225

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdeld32.dll"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dobfld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 2348	4012	2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7cN.exe	84
PID 4012 wrote to memory of 2348	4012	2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7cN.exe	84
PID 4012 wrote to memory of 2348	4012	2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7cN.exe	84
PID 2348 wrote to memory of 4120	2348	Kbaipkbi.exe	85
PID 2348 wrote to memory of 4120	2348	Kbaipkbi.exe	85
PID 2348 wrote to memory of 4120	2348	Kbaipkbi.exe	85
PID 4120 wrote to memory of 2352	4120	Kepelfam.exe	86
PID 4120 wrote to memory of 2352	4120	Kepelfam.exe	86
PID 4120 wrote to memory of 2352	4120	Kepelfam.exe	86
PID 2352 wrote to memory of 2896	2352	Kpeiioac.exe	88
PID 2352 wrote to memory of 2896	2352	Kpeiioac.exe	88
PID 2352 wrote to memory of 2896	2352	Kpeiioac.exe	88
PID 2896 wrote to memory of 1240	2896	Kbceejpf.exe	89
PID 2896 wrote to memory of 1240	2896	Kbceejpf.exe	89
PID 2896 wrote to memory of 1240	2896	Kbceejpf.exe	89
PID 1240 wrote to memory of 4864	1240	Kfoafi32.exe	90
PID 1240 wrote to memory of 4864	1240	Kfoafi32.exe	90
PID 1240 wrote to memory of 4864	1240	Kfoafi32.exe	90
PID 4864 wrote to memory of 2956	4864	Klljnp32.exe	91
PID 4864 wrote to memory of 2956	4864	Klljnp32.exe	91
PID 4864 wrote to memory of 2956	4864	Klljnp32.exe	91
PID 2956 wrote to memory of 3888	2956	Kdcbom32.exe	92
PID 2956 wrote to memory of 3888	2956	Kdcbom32.exe	92
PID 2956 wrote to memory of 3888	2956	Kdcbom32.exe	92
PID 3888 wrote to memory of 4964	3888	Kedoge32.exe	94
PID 3888 wrote to memory of 4964	3888	Kedoge32.exe	94
PID 3888 wrote to memory of 4964	3888	Kedoge32.exe	94
PID 4964 wrote to memory of 1944	4964	Kmkfhc32.exe	95
PID 4964 wrote to memory of 1944	4964	Kmkfhc32.exe	95
PID 4964 wrote to memory of 1944	4964	Kmkfhc32.exe	95
PID 1944 wrote to memory of 2912	1944	Kdeoemeg.exe	96
PID 1944 wrote to memory of 2912	1944	Kdeoemeg.exe	96
PID 1944 wrote to memory of 2912	1944	Kdeoemeg.exe	96
PID 2912 wrote to memory of 2248	2912	Kfckahdj.exe	97
PID 2912 wrote to memory of 2248	2912	Kfckahdj.exe	97
PID 2912 wrote to memory of 2248	2912	Kfckahdj.exe	97
PID 2248 wrote to memory of 4468	2248	Kmncnb32.exe	98
PID 2248 wrote to memory of 4468	2248	Kmncnb32.exe	98
PID 2248 wrote to memory of 4468	2248	Kmncnb32.exe	98
PID 4468 wrote to memory of 1592	4468	Kdgljmcd.exe	99
PID 4468 wrote to memory of 1592	4468	Kdgljmcd.exe	99
PID 4468 wrote to memory of 1592	4468	Kdgljmcd.exe	99
PID 1592 wrote to memory of 4076	1592	Liddbc32.exe	100
PID 1592 wrote to memory of 4076	1592	Liddbc32.exe	100
PID 1592 wrote to memory of 4076	1592	Liddbc32.exe	100
PID 4076 wrote to memory of 944	4076	Llcpoo32.exe	101
PID 4076 wrote to memory of 944	4076	Llcpoo32.exe	101
PID 4076 wrote to memory of 944	4076	Llcpoo32.exe	101
PID 944 wrote to memory of 2160	944	Lfhdlh32.exe	102
PID 944 wrote to memory of 2160	944	Lfhdlh32.exe	102
PID 944 wrote to memory of 2160	944	Lfhdlh32.exe	102
PID 2160 wrote to memory of 368	2160	Lmbmibhb.exe	103
PID 2160 wrote to memory of 368	2160	Lmbmibhb.exe	103
PID 2160 wrote to memory of 368	2160	Lmbmibhb.exe	103
PID 368 wrote to memory of 1340	368	Lboeaifi.exe	104
PID 368 wrote to memory of 1340	368	Lboeaifi.exe	104
PID 368 wrote to memory of 1340	368	Lboeaifi.exe	104
PID 1340 wrote to memory of 3752	1340	Lmdina32.exe	105
PID 1340 wrote to memory of 3752	1340	Lmdina32.exe	105
PID 1340 wrote to memory of 3752	1340	Lmdina32.exe	105
PID 3752 wrote to memory of 2928	3752	Ldoaklml.exe	106
PID 3752 wrote to memory of 2928	3752	Ldoaklml.exe	106
PID 3752 wrote to memory of 2928	3752	Ldoaklml.exe	106
PID 2928 wrote to memory of 3416	2928	Likjcbkc.exe	107

C:\Users\Admin\AppData\Local\Temp\2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7cN.exe
"C:\Users\Admin\AppData\Local\Temp\2f37a448bda3cc0f3080e5ce0aa8973c7e62769dbf850df426d89fddb7f28f7cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\SysWOW64\Kbaipkbi.exe
  C:\Windows\system32\Kbaipkbi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\Kepelfam.exe
    C:\Windows\system32\Kepelfam.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\SysWOW64\Kpeiioac.exe
      C:\Windows\system32\Kpeiioac.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        30⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:712
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        38⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        44⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        50⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        61⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        62⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        66⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        70⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1200
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3508
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        82⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        83⤵
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        84⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        87⤵
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        93⤵
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        95⤵
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        96⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2192
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        99⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        113⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        115⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        116⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        118⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        119⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        120⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        121⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        123⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        124⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        127⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        130⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 408
        142⤵
        Program crash
        
        PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5664 -ip 5664
1⤵
PID:5800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
89KB

MD5
e4f1d859f08b69093c668164d3b8eb94

SHA1
31897a73ab9d10d79a73fd8073a33b712d1d96f0

SHA256
8798a05f90703eac26bee99e90fb519b9db590f98a1eae46b292ec909f98c546

SHA512
150e40b09e3aadd5e1521fed69a4ebfa3024902aa0982f49d1ed351a93c99922367d44025aa55cd047ba75437a3cf7d4a7a3e2364c7368ac94e96182ceafe5ce

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
89KB

MD5
2567e55a5842b9340471e062374728d0

SHA1
cf4c40893a43036a23d8f713a02da016f9b97a60

SHA256
d53eae5d203d001fc88b198c41356769cdee90767ed5dcfdde01da1072dc25b9

SHA512
887bd6f05e4e1cd83d0b65b93b9a80248e1cb13498c24b9e91b9b0d9e81961856f8cdbe49d77da57647da7e459b62f09ec47f210fea53eb820185175d73fea16

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
89KB

MD5
3c5cbb0ce04007594da10764bf9ee2ce

SHA1
0ac6d51ac3f65b9aac80a13ff80d3e8c414b11ae

SHA256
1536c10bc0d0ccf260620e9ceba4444df8833f1b2a8a74f42fe864bb39dbfa08

SHA512
e488b37c7142f955a006907025c8c82e7450d10dd397b16eba9cf4bc200a98157ce475b2b9ad0f65201a91f7238b5e9ec2f0dd0054ac9f179ab3871ce495af99

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
89KB

MD5
0e0e8f560bdeba35caf02e1809075470

SHA1
a8c13854cd24e4db8ab638736a659b11c9846ba1

SHA256
de5af7e1cc6b486ff333d1fd4f2d27c9c75bf98ca078dcd159c4738609133d69

SHA512
9401c41687fe092e0cff914046f81dcd24523f5dfa3bfa240193df81e00248007e7a4e0a9deb0171df69e62d3abe2fa1349885f2385dfac1747de901fbc5a2d8

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
89KB

MD5
57793ae46f91c54ed4db907637953688

SHA1
2f9ca5dcba345b8f44bcb5971e9ea455a3c8f7a2

SHA256
57003cc11c75847fcb4466cb77d87306ca6988cbc65b54a81da1a0da2de95e4a

SHA512
c33eb482358d282e504f9d8bd3f3a1c76a174aad52b39b830c92b5c351d870b1e21813acc829c77162e74af6de1fbf6d584853da3bf6ba637168007bd2f9d419

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
89KB

MD5
12751327b8ba273682f3969f3a620a27

SHA1
e66dba13e381d1d65ba86b2bc6fa2bcef845c9f4

SHA256
f2481eb56a70257c7963ed913156119f208719a391db06e6d63b81f4dbed42f5

SHA512
3ea687d33cd9c88d2ff19d726960cf3bbe42a2fe9fc1ec875830cab256d70e66447a19c255f5fe703785bd14a9a45bdaec932861d3acfeb3d88f10035df6cb9b

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
89KB

MD5
c99d1ed313d459bdda562c8a52f8fb57

SHA1
785234feac6a790513e05be5cd02a31cf1060267

SHA256
0ae0db599657636793292c5ce6bebe06ddc5cc4590a0e555892c607245ede25f

SHA512
b3f952c6f8f9692848504d25e06031ffbb6e88c392ead9bcbd93a49e296d0a3dd9755c16f4b0b0576a4690cfda1d5efa41670c8499aef1b65376ad333714e057

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
89KB

MD5
02146283ae9e3a4ed132a51815de2263

SHA1
4c9b6e554453498105e3463db78735c7554b2d4e

SHA256
30db9f7215629656839ba18615d24953b2aef946b56bf7aa3e6c0418715ff673

SHA512
ca883aaa10bc281179273daf8b33680b07d46063181649a308e244abe6f68306d3461ee1f14f088e68a3abe46ff52e7cb3f6866db880f592824df20998dc50ad

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
89KB

MD5
b3a3277740cbc8fbf92734acfb4249dc

SHA1
7ccfc4ce0bb96e71763e212364e638e87a8163db

SHA256
f7973be7e8f0f2b6cdbb0810aca34d27f008e37f5774c8a3ae59f5928795a308

SHA512
24d7c06ba71282dfb8fb85efe376fbb330a2a19c5498d537a36f46f74fc8f871dd99551c05688b055ec277b59dc3a57311cca7efe05867c2716c70002d43155f

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
89KB

MD5
1df3414cddbd95b3aef124cde76b6864

SHA1
e765ae4c86f48ed96755bce8ce50a4ae5616e2a8

SHA256
e4fe35d39a41b452d976abcfd4cd2aa9e43c3f3f636ed913ec6f0e760ad107f9

SHA512
da275f2d42c3db96dd02da7e35d8830633fa3c9386df033617662855305210538e77a4a1d4b62bda1694d08498acce359f69e42b4fd7ba3d06f295a8275543b3

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
89KB

MD5
432d5bb93c468efc790fedffadcccc52

SHA1
a66db729777efa3716588a4473b19edfd70cd050

SHA256
9486fef104e380da590b5a12522534afc58e5008549dd1bdc7ea68dcf04331fe

SHA512
b098e8c0f777eeeca5ec64552f4a2208acd86fca88d5a55214e75530946493c7af7a4c24b83c9cd89bf14c5c4f38e519cd9948e281673e61a92b86996b22ac5d

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
89KB

MD5
e39c6e723ed95d6b4f104863b18094ac

SHA1
4b0758535d40b47f5d5dda261ab7b5f78aa27a22

SHA256
ea93c05655242cf872cb074535359054ab0df42aca322c6a01e9a96f975ae456

SHA512
336901bdd8c9ec3a136be73e5a9d8e0def7daa7d7c35fdc04c97a16d2dc87ff0937c241b43b82f44969bba90e420f399b5b181ed14927a20ce1d1d5e3b88af72

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
89KB

MD5
7f31415fc163d12b81e52bd25c0bf361

SHA1
6858b1aafff25a9f5ae1fde7f6b8d0f93edd0da9

SHA256
f04bbe170cd15ce191858500d8bd74e9381c9d5c7d935a02e9c7d2c7d42d55e4

SHA512
3b216759420742e21af57ec8b95df596fd46a9b6d85e8943eed9f74b5c996f3811adbac8984c5740cdf98761a044390b1fbe5b139592c56f66fc09a84360fa54

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
89KB

MD5
bf40cd0cbe168b5c447c7f051cc7366b

SHA1
13020a7c911211a4c61b6a915d7cc2454377cb7a

SHA256
1b9737e9f2c292d7cbddd5c1f2619a2ac0292c71f2364684fa6d3bb825ee579b

SHA512
ecadad5385f1467e717cf8750b23ce70f9daacd464b3c93938252eff0c5126e0d55433cd30c2116b93a92d04734cb6940ec1670b744b7d440f1d8b11e1b92f3a

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
89KB

MD5
ee989e93b52356b75aeda6fbabd15649

SHA1
492412c1d7d2dde33fedbbda34580224543ef723

SHA256
ca80ef5714595d90a29a859c2edd4c9b89c57f3b57881e93b7ee46cf010a5702

SHA512
ad8d6c1eea5b60292eb77239c44566803bd914b47007d17341927c045bce83f4965716cb3eb1aa91d6071ef60ce7595987e19ffcc73132662d39e4a0fda024f6

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
89KB

MD5
6653b9899463270698dd8b7edc173185

SHA1
5753d8c42c97e97c643466cbf9dd0ff2281bc72a

SHA256
49a180464e34741fce9c3f03814f37302ccf4da3934a604ad4c6c20926a74f3f

SHA512
c65ecf315e1219163cbd91c08da4c7bf3def69857d04c6b39a150526627022bd39c08f29a93475e74aed260fda4d8923155e2ffa4f19997c2cf55a87c202ea47

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
89KB

MD5
5b8f205a417b7ff45ded1146b27b9f43

SHA1
74728ff96a66c67b8c3660e2782273e2146307e4

SHA256
a1e1a731d644c24e895a80e07652d3404a54c44f189c039ff01d490f4c33f042

SHA512
6cd608fe4c77e3d202eb93514c79fc34f880540a657edf1291d87951916e98c3e084f309f7c14aeccf13e1831705d56496382905439fbc683cea2ef331500e8e

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
89KB

MD5
b145e0f9cf18385293bd04edd25c3f6e

SHA1
239d957720e2cb97cf66c853f70784804a586c62

SHA256
97d4bdb19b6aea1a6a249bbaef887ad61143d1b02db845fe1dc9711628f151a1

SHA512
19db188559c780756efae005ad6fc95b392953b5c3851794f20bd407c329ac7b324fdf79e58d60ee46a3445e2efaea5533cf037eea9ef38228b1825608009484

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
89KB

MD5
4832700782b045d70e249a5421685b69

SHA1
adf423bcb42cc596f0b4b8cabfc9dcfac853915a

SHA256
b262ce12767685ac45bae3003491d3aa43a314ef93bdedd4e9ec56017da647ff

SHA512
1b40f2a9de247a156d49a92dd7af7c392e89ee0497b30ac4cf26885f0c28a46af8b1d8c046d5e1033e5fad9f334134a37fcdebc2f1fb3a418216c6175592728f

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
89KB

MD5
b91a1d17b20a535a353310036ef80a4a

SHA1
b542ab21f0d4f1589011573c7cbc2326e09e2b29

SHA256
8d90ecd5f3602b0d7a6a7686f6a9716ec58f3150c9924af914245cfcb9ffc148

SHA512
c746d52c37117bef85f5a044f731c5573ab3e0af7efa5359383d9d88ef3320a567cc2280d77db9dac6b8e1f163b6dd51bd43ffd3cfd325e2994a3ae34724f222

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
89KB

MD5
ad15b4f2c429de49428cf6df0621b828

SHA1
05f6509d746a026a00a2899dc461297cebee1ec8

SHA256
76a63c5caf1c1bf9e3c23066eb565d3a5d6ef1d603be93f6bf3dfe1784bda86e

SHA512
8109482af70925f6282363092ca944154158445b7e93d59d7fc022595f321659a9b4f0803805e0c3b48d9e550b7f57d8500e98d05c5f3d69b119de66b91f6b0f

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
89KB

MD5
1635bc6454d1fc9bd25060605482c707

SHA1
4742060d2c48378e28b867e31e72f745668d0426

SHA256
305e044d55b27e0707a25f2d9f376021d83bce0da83bd68397f401a719ebe588

SHA512
b2635cb27286d18ac3d52ffaf41b0d21931d38d36d161098997ebfb05a103e3eadf97758de87ac9e4d923d0f04e04fd8338a95af8c5d04847cc8970eae06f625

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
89KB

MD5
3a770238ab3fe0790ab4e28e14dc2f19

SHA1
ffc65797d9bcddf6bded97d9a52a32ba17d499cc

SHA256
5cb7c102a7ae50750d48640601436c2cea08a5c0d4565e9b39583cf32b0d8c63

SHA512
36e8452e5259f4bf28fbc22cde81b19c5fbe0d8dd61ac1d72ea0dafbc8831b3c35a562f1f61a1412895a319da30b315b61b5de847be34474c35f3cdd1859a8cf

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
89KB

MD5
e6222f6f0ce429a8d7b758dbb2dd4160

SHA1
d1b306cfa0d818d2f15390e8d093b7e45f21f59b

SHA256
bfd9038f6bb7f0816af71ce438846ceff4e880a37d929c4e3bd95b734df8b2cc

SHA512
e0c32a14312fb648935b57504ce80b40ac5be0cc8a371c703488a9611b8dddab1c96af963fe361e8fdce769d3eeacf241ef1bf54d02cf7dbed74658cd74a9c9f

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
89KB

MD5
38371456d515dafffd07f9c532d668a2

SHA1
df505d8740eedf2be242a50e27198355717f6442

SHA256
c1ec46e7f6d0c9b802a2f785cfa57e534f72a6eac2dd0a20a69c900724759e01

SHA512
314296ced24df3210839f69f4ae69847b06eb3dc34ae995a6ab98e86327bbb17c0997f2a165c20e7aa856bc2e2dbe8ad3158165e6fa982bd0ed7a0f8d9e28012

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
89KB

MD5
4d21a5e71ad7861b06b2ecc0718ad586

SHA1
0d8103855093e6b9dec9819ec3585e4a9ee43e59

SHA256
5fc423ba49e565f4148ad1c06b745007ae04fab1fc316669c50d91fb8371581c

SHA512
58c1058758bdde46ee0bb055a6de4626083538fb8d948a9b3584402d9643b5ad2b25833d2b9af1866071a49c886dc1674c447306cef2a9b93d198cc1afb9f925

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
89KB

MD5
5484cc261d1aea8da4e88cb5f82dae00

SHA1
77299ef7c8ae1b6ac913aa821bd4c3a7832b21d5

SHA256
6e8979c1b86ac7e28eaa5295cc5b84a49d975d457fe1156b71649b07e6ff78af

SHA512
65e279759292cc372dd65ca5c5e366fb96f290cf8563ed5942a508f3a3572fb639766d6d6aa01fce12731b664bb88d7b504387c9a23a0b825467b4c869aed8ed

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
89KB

MD5
9245c2453c8f3d15ecd7e2a32db43d4a

SHA1
839030ba7f80f42546ad9c905c4cb6439d40efbd

SHA256
c6e157c84427fc742fabd33a656d0a960b745d67c9d6af621f1d3c480635e0d2

SHA512
be840e736ec5d2b700a42ced63354fb8a0244a96240bcffcbf130a02fcf4952d40ed48b9d7de71a01f026641c45d013f6b9949a724900fdbc5171e2aeafa9183

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
89KB

MD5
122bc3d3614dae3a257064c465c38812

SHA1
b37dca78ea29c63be2738d148b7d8cc174fa739f

SHA256
416c594cfd970c40c2e3915e6157e2f78abdecf544a800dd0727672776e827fb

SHA512
dfe60c623d0b29dfc8aa2a5fa7f48c4ad97a5181201a3fde0625a242f1d120704513f61b4088423b7d7997ca39890109881d7c16886830c4fd41c3769c041bc9

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
89KB

MD5
ec1f942502b0a99af042bd8255900f3a

SHA1
892af653bdc41fe3ef1b61bdbcbc32f89b4c0802

SHA256
534dbf8775d16dd1f60c74c2094f6a3b71d45911cef691e975a6dbd8540c36b8

SHA512
5223cfac05ae6920f56463b8243775607969420d87d9e9e83dcebd2cc2f88de7cef08edd9b84a16923199f74a381dcf73b0d2d9169498986a511a2663220a16d

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
89KB

MD5
bc6f4fdae927af23f43f048f2bafe0c3

SHA1
74e5130e57fa9232f9d29d0301c580e6c3bf39b5

SHA256
cd9f33a2847b7ae066b8eee2aa154581584fc38e1e314a5ecf01595b9ce5cec6

SHA512
a69ec0873fd994726bb8c879a29e5a698d153897c788b2163ec6b81f0fa539ff05f85fa122b46f1e51364219345320b5345df04d79886e5087865d03f8f8e380

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
89KB

MD5
5c4405bb45a2228907e6ff258bc41f9f

SHA1
10af89a11a3f409fa8746ab5b93a59a55a1fb4d6

SHA256
1ad0035de2444f2bb8aeb6efd4e2ec190215dce1fb3e39277fa424b29b1c765b

SHA512
112cbc88f8126465037eb066923a0963e76f81b27f6808f7850de96d0ca9282a52b517f640a91321f65d1814ac77277e808d62d4a6b4a86fc78083d6cbb60223

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
89KB

MD5
1cebd957f659f1171729d789890f7749

SHA1
d4d57d1fdbc913b4481fe1446076e5171d4c6369

SHA256
64bc56e3127c92daf27fbf12416be588dbd4a31c24cc0907fd52f33990dd2171

SHA512
641bc9982c3978dac1dd727da19270409b4e21b5d38e6ea5515cb678a16e2a7b0cd80ed37cc280ee8ac04222cf0cfe0ef9574ccd44fb4374f73969dcbccb698e

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
89KB

MD5
d3935bd99cc4d57e36238e07df54d7bf

SHA1
e49d31ba77287605e8424916e087da9fccdfd82a

SHA256
d304eee7fc787aa0f325932d9ee4c81eed9a0d5395bdce3817489750f60300f2

SHA512
076fa44107257e7b76d9f4ee04726c3acc26b724974287fe6d623f930d2f883a7cd6bd99788cea4994d4f0d609462f31b7613b6a5fe439d4c6fef86c4d9d260c

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
89KB

MD5
1a0826aae1721efd17cb410101117f0d

SHA1
2835a6a1cade7f58e7f56fa90a0aee5181d68fc6

SHA256
eeeded6906e5128d01ac71e21721e27214b7644a839bf893ac5b11dc34fa1064

SHA512
5a5d429d15f5abc7d5447b64c629c7200f35510b5f8560414942eb8073106e155ee1edab453e9685d1294c3388e0bfce2ddc02b0f554f041666e5b6c4da8e85d

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
89KB

MD5
f251c39af7fa4ad63056d8cc853d4177

SHA1
767e18149e0ab11be2cca399d513a10cc6c6de1f

SHA256
07d26c7344c0dc72fcb8abca4c24fa73ec8fac69da50822e52df0d4e23617079

SHA512
321e28ef4cadb95236e1db2184b27b1ed49758a95a65150c4f40f6914bb3ea9e47f3b47aa970256da8c970d7f6c099b806c6c3d97637f319d5b5c233c107f951

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
89KB

MD5
4e3a3194e5b624e2c4862a9b506299fc

SHA1
a3da353d3c4c5a06b709dc75ea3ab6cce2590904

SHA256
9acfd05e47a1471d87584b1e460bacfd67cb78f24cbbf9403771b567b9f03c5a

SHA512
fb3d2260506d19a2f51a4f2d336ec6a24e14db9e2de3555ac695150dc7076c6e0b6138b1c59a5cdb83af0b7aad1f11bacf458c2c30c599c98a0cf0be62d7a859

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
89KB

MD5
622028c3e177e6060a3103a30877aff9

SHA1
c7a103cd52aa32a4d501f4999bf04238c3757473

SHA256
af84b77061975d9699e041a43d66cc685934b34fd1509947ff864873c61b7930

SHA512
d37432537965b63325da40f677676120b1751c2aec80fcc5daaea7ba5688d6445dad62749ffc4dd79a1c2e468cf68a745f03164983e122ad4f9fd57151dbad1e

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
89KB

MD5
5ccf16ea6109517a1355788383acb863

SHA1
19461fb23107fdfa7067f73ce85770bf4c2669c2

SHA256
b2fe543fb2df24c91fd5f3e31ee2007748777d93feaee2b575d6cbcf6a792f99

SHA512
d66ce35691ac2674615b471303bd7f84ee777f46f070a3f74c3e06be037b70a1cdb3ab5b993175797bb37b110da1d0c6de548b8509e460654bf5a2e99f51eea7

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
89KB

MD5
0173836ea9e7173ab34e3f4966e154b0

SHA1
6e464d1abfbf637a47a9a6f234b62528af74ed20

SHA256
c00737e4c3ec004c35d2d154a2b1de7828b38970c6c2fd6b3a9ed45d76a8cf24

SHA512
57406a5b5e8d98f23de3e2fdb5ceffa326facdc3d3aaf9f8f763d50a59fd14ae2e8c45cb3294488d050a255e4e7277c7aa79ea342a4f31e891914f120ddf50f4

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
89KB

MD5
83c26928a64644e3ad92dcbe49a196e4

SHA1
1a59b3d4723ac3c1b3a537213a64579b0b98b9c2

SHA256
6a9963fa8038451405f7978433f34d236d7f5a733b5d4fbca94b0e9beac98cfd

SHA512
286b15d95cf54022cf04fd0135a1a348ef214bc60233fefa14c8329f06d7b33836d560eeb8ea7a75b388a9c2ce56ac07958862000a8000d012826f2d32a4e969

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
89KB

MD5
5a49823480cd83e405800ed1d60a34ea

SHA1
0737380308c9bbfe888ff7bfc4940ad147c0d0fc

SHA256
b8555ecf39f76e6249b3cc77836c8fa8b73a989aae6bd2ea68d4ae9d4de322b8

SHA512
f4fdd99c41d9c2b0ed64b650604b62a9b0ddcd4636933ec39f19d4646b386afdfd6d72932fa920b288c03e4b151dd23869a7d8a9d2223ba16d47cdf0d4c52267

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
89KB

MD5
3a96643e9fa59abf551cab3b44cc759a

SHA1
c6c2ac0063f81196ade3ca9c27682aa45e690b89

SHA256
ecf337c2d773a6c746a9a7f5544bb6fe7da84105f9de28b1f6d9f09331d7311a

SHA512
85fef91267cad8666bc76cfb0deb0e886cb3beed2c8e850d39e42ac40c8f0b4fb784e7a363a0b174c1cb2d6d13c238f4dc7fa61964f0b65b0fe000ccba38c11d

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
89KB

MD5
b54774c0325335a7f5a9567e43f19dee

SHA1
6d7e534e5ad3fcea0f2bb26a3061097ff1a4aa99

SHA256
645643367e31dabee0cbc4d3c257631208f5548dee4e9e7929fff3c5644534d3

SHA512
4a24a658ee6c8a72ab5bff3c7b1a5d51d59095cccb305d041213c60222c44da02ce9e5eec9efd42d2bb75e27e7366f73a5328567a17e585c17d6bb11e8bfc20e

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
89KB

MD5
da0e2c7015a2f64d187650866787ea93

SHA1
d531e1b091bfb7bf00f22b40714d26899069a7f7

SHA256
ce8d45d22679fdd9d99b1043b901f3220158594d8418bcaf64d15b15b50beb93

SHA512
edd29a8b359c4fc1eb21def43f3370948488e72497437f55ef7ba3fa4d20542aabedb7b412c14b8d324b65ecd52250b906cafac22c78201101a29a5313dfe463

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
89KB

MD5
ad0db54e7547e5134b6236aa72511566

SHA1
9e930947ca32f7e23f91711a41da23d4a1d3265b

SHA256
481c805a0daec01b8b97c067b9a00657bbc5038c451c61c1df77cb6310543bcc

SHA512
2655db768542e07ec628a4d95a6af447d269daafb205761b0575ada0e21758bb4bbc50fab58abe81077a3871073dafb0aec18fb70b45d8a6644384f4d9815dd8

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
89KB

MD5
ca481e33c92623251d5178ed2056a5f4

SHA1
75a06a5dbcd1a4bee30eb8bdcb4c274d9ddef525

SHA256
4b7adfeaa724df4a2659c7996b7e3ed3a96d1e08a9294785030cf454aba7e59c

SHA512
a4f4712a1466b3493c762ce43326485f3c03668c34acf1ec142503abd1f1038dcca6b99658b4d1631a12045acdcbf7e80c726b689ceec544506fd6f1af30eaa3

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
89KB

MD5
ccfb807b120411c8ac16114a824fa5c7

SHA1
061b730e6f219ecdbdc32d359483f489f73c28a1

SHA256
8e5d77770724d0a2f3b5117ea12a1f2b9698bf6965ca9a0edae60b9358d0d772

SHA512
33e248ecd741f0546f7aeff887ef18e5a99d17a3950baa6ead465871c408f7f3a4ca6b956f5364524bee5c46d6e3d99d8f38e9a69dc80e196edb09888943133e

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
89KB

MD5
83e359f21331e6565b91d05b29e5eda3

SHA1
236462f1979e1134d97a9865e96a190182d3c8de

SHA256
8955bc87fb22c0e325f3a2686f5950f7e1a4b21c0ddb514c4b6857e2b980e739

SHA512
ca0917e7add08e3460e31a13b3ddf1acceb6629e4f658a276ea06298fb657b15f6dfae2acfc840699c6b8bbf45249e5dc725bb7948fa7f856f3101ad9b46f7bd

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
89KB

MD5
6b1e982bfbdf8bf2628f328ebe8cee76

SHA1
92693a129eaa27308ec7e9af42867d2948d90ac2

SHA256
6ee5a5dbc9bcbd7ad3b068f5959669ed0df6f22d8dd53a8d9f5a628665e9e94e

SHA512
a537752572662fa089735ed1a92ff5bcb25243729c089c64ea330768b0fa8c086c080c798dbe302f2c101d82b5b6cafce15acf54059b3993e4d295ff4792166f

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
89KB

MD5
0b65420b42963b25deb5644e836073b4

SHA1
9f90216cd95be42d55818020e5f4912c6b5b6184

SHA256
36ab974e3e406c2d04d22d4941454b618365146f7f74507de43f5268c44205f1

SHA512
e6bbb6808477554cde5c7fcd05368e2be3022910b3145185f9ac58e544143a713e6dd66a202d2e8dad96e5fa08bb62cb5faa132a244b5582f5c9ba37bfa26769

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
89KB

MD5
ad135f6b553acd585bac7e14b8bec055

SHA1
650f8107993fafbac05056ddc88a54de277efdd8

SHA256
46b524b1eb03d0f8755ba0b3f4baddc14c392ad5680be2f5618d807e31cd6d27

SHA512
39f72397160b0ffb9b0527720bb8aabc55b5ffb92711fe71d2aae30b6861aec26b762c59c56be2a205a65767ac3f31e8b9b870bcd2737e3e93ca7facb82bf0bd

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
89KB

MD5
391fc9e7274ec9c0173bec34a4d7d9dc

SHA1
124833723676fe11f9c0966ce2f0bf86264e9eff

SHA256
9e4a04b9c70122e2f5cb3551bbf0fd63af47773708b1c9f801dda3dd29c737e3

SHA512
3c56a76788a5d36b144f37fa2c1d0350f7dc44587bef1354c8818ddd54ef114bba300645236c82ed0547ce72207db4afd5984ca37008ddcce8da0dc27e15ca2f

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
89KB

MD5
1019af8197de8e8556052adc383f1c1d

SHA1
e9afa3276bd428752e20f4e6b4556b49fb521fde

SHA256
cbc552054e790815f50952e132194a60e0c1469e53e754c69ac07370ea00ddd9

SHA512
13765010fcb21b800aaacc3c7c7ab5144ae46cc217bcf0906398f5a745566a93bff93d3ff45838369602a9939acc4753b19d0c6d2bce2d385594550d69616f1c

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
89KB

MD5
297901c6f3fe5e947aead30ed342612b

SHA1
eb23ea9b03279aa28efdac4ae2aadffe7988f61e

SHA256
c25bb6b3db9f67830f9c995d35f0c245004f75a558fc84d06a5a74e82c2ce384

SHA512
7ac700361cbc48cac02fe454446a0699f0fdc5ebb8c08690c9102ffe8e95ade37a32ce01a7a6fc3de7d4f36357941a144756b7b7a6ca7a6f7aa834d73edeb72b

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
89KB

MD5
e4618eff0cf4b0f351428e852a6358a9

SHA1
0ebe3b9fbce67349b46023af94a652f050b25afc

SHA256
7f8175f0744ed244b129ca212ed032ded48648fc7eb55600c1f4347f4174686b

SHA512
bdee80c4d141765ac93103d87aa52b69e5da22653e18aa220fa1d18391b5498d0ffef9de6cebabbacfde777d7ff2d0680207a7484e1b2dcada40a80d78c2e135

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
89KB

MD5
7098b02f3b00fde00f120ce804e3b5e0

SHA1
e4c210f4048c0bb9cd41d4b587c4525de13d1665

SHA256
4886473d028b08b9812894b2bf4ee08aee924864e970b202565f73ffce8d3e5b

SHA512
1ecad3a6fd17c8068c6c4b28255c87cddccf6aef9bc815061e3e49f1a353cdab2a324658de77c090f36e0e442e2e12ffea9066090eabadd33d137070391886ed

Download Submit
C:\Windows\SysWOW64\Qamhhedg.dll

Filesize
7KB

MD5
0e8613010f5504d778710be0e4d6acc8

SHA1
0a119eea674aca38cb7334d73b47a0c5503f2fa5

SHA256
c181bf9ae62dceebd345808dc30ea471db4b109af4c779d74405a04a439c0814

SHA512
115ccf0969950366a9707f168434f871bdbc6d1dae4255d365b3dc69e9011ecd376313edb4f95e44a5f7cfcdb3d4b2c75846114b5757f3bef3f127ff74be06cf

Download Submit
memory/228-391-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/368-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/368-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/444-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/444-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/632-390-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/632-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/712-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/712-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/944-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/944-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1240-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1240-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1340-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1340-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1344-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1344-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1420-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1420-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1464-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1464-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1592-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1592-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1908-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1908-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1956-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1956-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2248-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2248-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2336-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2336-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2352-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2352-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2388-398-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3328-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3416-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3416-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3724-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3768-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3768-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3888-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3888-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3940-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3940-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4012-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4012-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4076-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4076-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4104-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads