berbew | 8e09bebecdfbd7a1c59764fc2a4f70a87ddbba9c4b417dc2f80730da8b607e3c

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e09bebecdfbd7a1c59764fc2a4f70a87ddbba9c4b417dc2f80730da8b607e3cN.exe
Size

276KB
MD5

f1d9debec1fa5f988851498260a2f040
SHA1

a9a4dbb469b7216a89e43cb2d0cceb6bb2f9ede8
SHA256

8e09bebecdfbd7a1c59764fc2a4f70a87ddbba9c4b417dc2f80730da8b607e3c
SHA512

cf930e5087ca226e60da691ec2c7ff864992df300545b601757615ded6f8b929fce8e657087c605078a37eb146cdbfa3d531505d056d7c2cee35d28f0cea79c1
SSDEEP

6144:9ssWMgqx4IaQadZMGXF5ahdt3rM8d7TtLa:nURXFWtJ9O

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
5112	Jcefno32.exe
3816	Jfcbjk32.exe
5088	Jmmjgejj.exe
5048	Jplfcpin.exe
3540	Jlbgha32.exe
3424	Jblpek32.exe
3404	Jlednamo.exe
3004	Kemhff32.exe
1904	Klgqcqkl.exe
3328	Kfmepi32.exe
2424	Klimip32.exe
1076	Kmijbcpl.exe
2508	Kipkhdeq.exe
4928	Kfckahdj.exe
3548	Lbjlfi32.exe
4968	Lmppcbjd.exe
800	Lbmhlihl.exe
4656	Lmbmibhb.exe
2460	Lboeaifi.exe
4960	Lmdina32.exe
1928	Lbabgh32.exe
4744	Lmgfda32.exe
4432	Lbdolh32.exe
2988	Lingibiq.exe
1520	Mdckfk32.exe
2844	Mgagbf32.exe
1820	Mlopkm32.exe
2568	Mchhggno.exe
2840	Mlampmdo.exe
1244	Mmpijp32.exe
4372	Melnob32.exe
4384	Mpablkhc.exe
2376	Menjdbgj.exe
4092	Mlhbal32.exe
3008	Ngmgne32.exe
1484	Nilcjp32.exe
4492	Npfkgjdn.exe
2472	Ngpccdlj.exe
4712	Njnpppkn.exe
3452	Neeqea32.exe
1048	Npjebj32.exe
1044	Ndfqbhia.exe
64	Njciko32.exe
3440	Npmagine.exe
2548	Nggjdc32.exe
1732	Nnqbanmo.exe
3732	Oponmilc.exe
3608	Ogifjcdp.exe
4424	Oncofm32.exe
5008	Odmgcgbi.exe
1896	Ofnckp32.exe
3332	Olhlhjpd.exe
5016	Ocbddc32.exe
2304	Ofqpqo32.exe
1884	Oqfdnhfk.exe
3904	Ogpmjb32.exe
3512	Onjegled.exe
3180	Oddmdf32.exe
2712	Ofeilobp.exe
4008	Pmoahijl.exe
3420	Pgefeajb.exe
1028	Pnonbk32.exe
4280	Pdifoehl.exe
4512	Pjeoglgc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Kfckahdj.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Klimip32.exe	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Jmmjgejj.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Dgdelcpg.dll	Jcefno32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Kemhff32.exe	Jlednamo.exe
File opened for modification	C:\Windows\SysWOW64\Kfckahdj.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Khchklef.dll	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ndfqbhia.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5188	6096	WerFault.exe	212

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klimip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 5112	4468	8e09bebecdfbd7a1c59764fc2a4f70a87ddbba9c4b417dc2f80730da8b607e3cN.exe	82
PID 4468 wrote to memory of 5112	4468	8e09bebecdfbd7a1c59764fc2a4f70a87ddbba9c4b417dc2f80730da8b607e3cN.exe	82
PID 4468 wrote to memory of 5112	4468	8e09bebecdfbd7a1c59764fc2a4f70a87ddbba9c4b417dc2f80730da8b607e3cN.exe	82
PID 5112 wrote to memory of 3816	5112	Jcefno32.exe	83
PID 5112 wrote to memory of 3816	5112	Jcefno32.exe	83
PID 5112 wrote to memory of 3816	5112	Jcefno32.exe	83
PID 3816 wrote to memory of 5088	3816	Jfcbjk32.exe	84
PID 3816 wrote to memory of 5088	3816	Jfcbjk32.exe	84
PID 3816 wrote to memory of 5088	3816	Jfcbjk32.exe	84
PID 5088 wrote to memory of 5048	5088	Jmmjgejj.exe	85
PID 5088 wrote to memory of 5048	5088	Jmmjgejj.exe	85
PID 5088 wrote to memory of 5048	5088	Jmmjgejj.exe	85
PID 5048 wrote to memory of 3540	5048	Jplfcpin.exe	86
PID 5048 wrote to memory of 3540	5048	Jplfcpin.exe	86
PID 5048 wrote to memory of 3540	5048	Jplfcpin.exe	86
PID 3540 wrote to memory of 3424	3540	Jlbgha32.exe	87
PID 3540 wrote to memory of 3424	3540	Jlbgha32.exe	87
PID 3540 wrote to memory of 3424	3540	Jlbgha32.exe	87
PID 3424 wrote to memory of 3404	3424	Jblpek32.exe	88
PID 3424 wrote to memory of 3404	3424	Jblpek32.exe	88
PID 3424 wrote to memory of 3404	3424	Jblpek32.exe	88
PID 3404 wrote to memory of 3004	3404	Jlednamo.exe	89
PID 3404 wrote to memory of 3004	3404	Jlednamo.exe	89
PID 3404 wrote to memory of 3004	3404	Jlednamo.exe	89
PID 3004 wrote to memory of 1904	3004	Kemhff32.exe	90
PID 3004 wrote to memory of 1904	3004	Kemhff32.exe	90
PID 3004 wrote to memory of 1904	3004	Kemhff32.exe	90
PID 1904 wrote to memory of 3328	1904	Klgqcqkl.exe	91
PID 1904 wrote to memory of 3328	1904	Klgqcqkl.exe	91
PID 1904 wrote to memory of 3328	1904	Klgqcqkl.exe	91
PID 3328 wrote to memory of 2424	3328	Kfmepi32.exe	92
PID 3328 wrote to memory of 2424	3328	Kfmepi32.exe	92
PID 3328 wrote to memory of 2424	3328	Kfmepi32.exe	92
PID 2424 wrote to memory of 1076	2424	Klimip32.exe	93
PID 2424 wrote to memory of 1076	2424	Klimip32.exe	93
PID 2424 wrote to memory of 1076	2424	Klimip32.exe	93
PID 1076 wrote to memory of 2508	1076	Kmijbcpl.exe	94
PID 1076 wrote to memory of 2508	1076	Kmijbcpl.exe	94
PID 1076 wrote to memory of 2508	1076	Kmijbcpl.exe	94
PID 2508 wrote to memory of 4928	2508	Kipkhdeq.exe	95
PID 2508 wrote to memory of 4928	2508	Kipkhdeq.exe	95
PID 2508 wrote to memory of 4928	2508	Kipkhdeq.exe	95
PID 4928 wrote to memory of 3548	4928	Kfckahdj.exe	96
PID 4928 wrote to memory of 3548	4928	Kfckahdj.exe	96
PID 4928 wrote to memory of 3548	4928	Kfckahdj.exe	96
PID 3548 wrote to memory of 4968	3548	Lbjlfi32.exe	97
PID 3548 wrote to memory of 4968	3548	Lbjlfi32.exe	97
PID 3548 wrote to memory of 4968	3548	Lbjlfi32.exe	97
PID 4968 wrote to memory of 800	4968	Lmppcbjd.exe	98
PID 4968 wrote to memory of 800	4968	Lmppcbjd.exe	98
PID 4968 wrote to memory of 800	4968	Lmppcbjd.exe	98
PID 800 wrote to memory of 4656	800	Lbmhlihl.exe	99
PID 800 wrote to memory of 4656	800	Lbmhlihl.exe	99
PID 800 wrote to memory of 4656	800	Lbmhlihl.exe	99
PID 4656 wrote to memory of 2460	4656	Lmbmibhb.exe	100
PID 4656 wrote to memory of 2460	4656	Lmbmibhb.exe	100
PID 4656 wrote to memory of 2460	4656	Lmbmibhb.exe	100
PID 2460 wrote to memory of 4960	2460	Lboeaifi.exe	101
PID 2460 wrote to memory of 4960	2460	Lboeaifi.exe	101
PID 2460 wrote to memory of 4960	2460	Lboeaifi.exe	101
PID 4960 wrote to memory of 1928	4960	Lmdina32.exe	102
PID 4960 wrote to memory of 1928	4960	Lmdina32.exe	102
PID 4960 wrote to memory of 1928	4960	Lmdina32.exe	102
PID 1928 wrote to memory of 4744	1928	Lbabgh32.exe	103

C:\Users\Admin\AppData\Local\Temp\8e09bebecdfbd7a1c59764fc2a4f70a87ddbba9c4b417dc2f80730da8b607e3cN.exe
"C:\Users\Admin\AppData\Local\Temp\8e09bebecdfbd7a1c59764fc2a4f70a87ddbba9c4b417dc2f80730da8b607e3cN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\Jcefno32.exe
  C:\Windows\system32\Jcefno32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\Jfcbjk32.exe
    C:\Windows\system32\Jfcbjk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\SysWOW64\Jmmjgejj.exe
      C:\Windows\system32\Jmmjgejj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
      - C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        26⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        37⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        39⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        40⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        50⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        57⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2328
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        73⤵
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        74⤵
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        86⤵
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        88⤵
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:908
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        94⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1892
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        99⤵
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        103⤵
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        112⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        122⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        124⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        132⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 424
        133⤵
        Program crash
        
        PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6096 -ip 6096
1⤵
PID:5152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
276KB

MD5
df11815e0e0598da345413498e63c7c7

SHA1
303ccb19621bcbee8a0b2bebb75756b4efe02edb

SHA256
7241ca6daec40d7521725b585a4a1476e1249371eb73f97dbfa33ac4b1dce7d4

SHA512
61e397d5e1427d3902defc6ada5cb01f7e49f6ff192119fc90368abac26d14228c8adbf2fcba6bfe447c8fa90ffb2c5c2d9a0ad649bcff0846cb488db58193d1

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
276KB

MD5
fbe3a11abeb21f17396d818c1f7980b1

SHA1
73e2fd96b1d639b3c19281c41a75f688bc301732

SHA256
a9b6fee439ce0be77dccaba7b72354cbbc6a2224cb1e56f9e345c1f32ecd1959

SHA512
6a1756c238df064bb3ea65d61192d7217b83bc3ddd7468ab36b2eb689db81079fe8e843d94e481fa34ac4f2c50d5936c9903f211ea514d7ffd60ee0589566ba9

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
276KB

MD5
3a90fd3a5411bd8d866407c4793ba256

SHA1
9f653669c9577cda8b2d605d4b06de00d2e286c1

SHA256
8f08b5bfc8c3ad1f8d1a8473fd7ccdd036c5bfafa31848779b5ecb5b4ba9581c

SHA512
ad9e065cfd4dd995474f55de80d637c5384704cf67036422fa6ff0f7bf62d96a8536af93ccfe64b8555230f1389004b90a0b2a2508fcd6e487de7c8156dc3bb4

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
276KB

MD5
d94b2ca43d47c143602fa028767c3a22

SHA1
be91b057e19807d11de5410d8d1f945517a9e161

SHA256
8806c78dbbb193a8d66d9b4574e8659ed127ac0f5e64c825ab71aaf1ee8d362d

SHA512
ff50aab712777e60591c5973a8d091c6a6d9629221a9263a068af74c2c914380cc262a97853085897b6f2d60d1e38d01c44dc9637c4636d46aa1f1a91cdc1bb7

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
276KB

MD5
e62330b31ab6ff8bcec23776f5effbea

SHA1
448554e2872be2c3fbc1526814eba32b34fca114

SHA256
d91d3aaa458c62199a59324ce0fab3a5f1cbc5c7d805f22b73b6e9afc68dc60f

SHA512
1101c915514d9c6f9bec9af458bb4c24e7568279f35c1d008f3473c0a04d7806d96c1040ef4ef9f1a3a5d2aaf64beb266b85c59cfeb32e8845021cfdec990a1d

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
276KB

MD5
f14045f2acd9688cce18c9a8527c3237

SHA1
531cd90728910111fc597c47fc7abc258e1a0c14

SHA256
fd4450a4be0cb6b69f44271cd2e813ee9fb7d231cd79a1d951ae24513b7ae363

SHA512
83612ca5d083939468231e00867ef377f9e79c2ad2b7704d8d358a207e18a60b8fe1535dae879a6cb3accca696b81dc47c6e9d97e77f5cf8021f943a098e686f

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
276KB

MD5
93ca9ca51fc70bd050f15ac16f520c82

SHA1
3c47782874fafd5cba1aa4063bc5eac47bd49781

SHA256
4b7ae5df0bb8e96bc7b41631bc393f9a7f2e0e50a80d0aaa92199190e5a6274e

SHA512
b538202e4960d12c8fdc86cbefd1df9e616a76a773a9bd463c6ea4cebd13190ef1dd590d7888c7f5d913dbafbb7bc0affd5eaaf9df7a473f21a71122caffba1c

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
276KB

MD5
83da3ec74def9f60bc8844cc3271f490

SHA1
35f67a8b4465624915dc5313c146e30a7a16eba5

SHA256
5e072ea7b6d8ddee640e8f3f4d26e08811501d7c9dc798c76c7179cbe81e225d

SHA512
b02d93c3bfc7e5073d3a95792c8a08d2cc17c4787a89afdcd3c168a8d2b3b3d7c6ee9c21578d33b4d103b9f015454d038ffa534e73beffa18391d2605edbc0df

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
276KB

MD5
10eee7dc2ea98fceae762b9e9dd33c81

SHA1
03e20fffd9d0a12eef1a1dee5049637034de04db

SHA256
982a01ea265ea4e2e084e2ce5d3514a674c5c902140f54f2dda6c38be0bd9759

SHA512
0e76eccf4d4da4599bad6b17330a411c57e4dc8dcc03d6b6be3105fda4dd64754913b9a9b56861e7d3b10a90f65d87c4457b91de477ba3d7422d1704cacd9f4e

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
276KB

MD5
9f044cf32edb8bae4b465ef931fdac02

SHA1
90dccbf44c95f8060ab67b9ebcb9e8946a2ec1b7

SHA256
13008c24c97625040e1b7fac02a453e1ded37e10088bdeba318adbe8f555d465

SHA512
9bbf41444fdb78a06892d16699509b2572d236a3ed04eeb26527a950be5ad05c18ff9bb1674c62eb7327ac6f95c7e16ac66480dab98f3bb35f98a48079ed5eac

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
276KB

MD5
b20b17659c4f63ea96261f84efaf2245

SHA1
5a26d203b77e860bb2e31a007df38e6fa90ebe14

SHA256
bc1cb97f0a3ff5f7b575c89886d3cb2dddcbf8cee012c6daceb3624bdf1b8d02

SHA512
e86f16353b379198a3e63838ed07906e155753d7983742b8208e6c3ce20469b8ddc61b29d8b04092076dfa7e420dd5cc85704098bfe75527c909cbc8af8e95f5

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
276KB

MD5
6e61db9bdb72b80794a3b585936fcbe3

SHA1
1fac6803dabe0dbb3bbbf1a4d38e47c24ee437f3

SHA256
5e5b541700cf0366e7c5bd8c425928f69dcb78dfeb78014e261d30af60585077

SHA512
1a15b7724b34408bc88625a6d4868be3dbeb09d80d3f52c4322b9529ff980adb2c88d8e7a1349cf6e0ae135afd3b7f39c23ac7d4c67a76f4c12b2791e98b6289

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
276KB

MD5
7635ac39cdb3d085a79ec2632ae33725

SHA1
c5b93fd98f4d4d5ab6f454306041e588605a05da

SHA256
a653a0d46daa3cfd49c3f2107f7f64e515e245845311ea63f056ea2a7dd2fee0

SHA512
c5e51a3a68feeb3128335051caefc040a6102767e6bb46784b2d5a1cc10951490bc4fe5016127fe9386d2ad2764766b1998a2f249deaf49aa212bd9757da25ee

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
276KB

MD5
9df57993618f7a627228fd8b80c50e4e

SHA1
6a77ac77336d48b58344f94cd68b07a44a0a4ebc

SHA256
2138ae5ce973763d7f192f7f7ebcd4bae1405d66a43331e2d4e2df411375f496

SHA512
57bd74dd9dbd0832ec7318f707e526271bed3cea0cb6439ee9616b483a8a4d7fc09742ccab3e5d5f86185d40e1ff5aa7ff53127b8775964e3db10166b376cd3a

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
276KB

MD5
1c02e85a01cd6c34602a49c2062779db

SHA1
a68eda7e197c408a70831443da6b5477010ebebb

SHA256
856b643b369eb1884ff0076ec94fc97dec2cdb614693e5a584754e29d70792a5

SHA512
22413ac8a18709a15034b00b65420c41bb61b07a43112ed45deceaf6e40d1645e78f292932a25d1114d18a6b9502a45318cf63e1ef219e57e9e0c41556c68604

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
276KB

MD5
b3a16fc5a77cf09e336f09874b3b9b81

SHA1
819f8500b6eb0cd43c2d2c467003816e2c1a7e75

SHA256
314f5d4c6f35be793126be0e7e8007956e6f10f9155b8dec54b62485d0f241df

SHA512
57e4d9d4d6e7e41ce771790ed7af56e7ca7e1b679d809389410fc55dffa866fac31618e3d1050da91745e62457b47a818ce3cc98152dc9440b7f495f76a427a9

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
276KB

MD5
1c54fbc02a14f1619adaf4f67804801c

SHA1
0ebec38f161d13b84627d02cad13005ceb656151

SHA256
391bd1d11e07d711745175d10a865e95b718d8d7467a24b4fcccd2228e3477ca

SHA512
1ce2a1e9cb593f184a888e5b69ee1b9b71e84e8121a6dd2c42572a4b8cea9079bde7b12dfd445be60f5754ab12c935591c61746ca7c6e5dceb1435148659f2e6

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
276KB

MD5
2fd48a5f5e19429d991ce80cb4b8b0c5

SHA1
0e01700c7a8391bbff7cd8d4542a99475b6b6af4

SHA256
2c17b84a26fdcb55ef1c50d4771c1d5fdb44730c54a6322c8db314190d7b5963

SHA512
b80cbf317cd489627809dd6c016ff3381c0a85882fd8d2e7b39d8bfdfd43ad0b6271a29d91eff4b9224114d449d06b36dd15db367b017ce0d728b0d6aeeb6ce4

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
276KB

MD5
7f9f4ce08420a995fd256156350f8cba

SHA1
a1fd5df6cdc867b665ca9e347690ea77ae6739f5

SHA256
8d33bcac22210d1c0e0e4fbc8948185152b971f3c35db65fbb75c0cbcd223e5a

SHA512
d3667ac0e68e784091df020ba8978204640ea7142146d3f36504eef8f948602cc7d4f21c473713d39fe5f24fcef015c2e9b91493bb40645c32393290ab0784d1

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
276KB

MD5
1e07d79a36b23782b6229f44d05d8f63

SHA1
3f7a2d061c1877ba009df98b82791389a175be28

SHA256
25e0adc8e9596962157c28db8332d277231fa894fbd221feacbb48abfd7bdf35

SHA512
b5cdac56461f708c52480e8f54cb95db32425e4c220a5ffeb24728f534c85091053cb435cb17a487050af358c6abc20e71696f4e2701a53be5c7a91c2087a803

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
276KB

MD5
29add147a52f01d454b4f6fc9dbfb5ce

SHA1
8401721dd07c95ba04739bf67e0ec7e34b53021c

SHA256
9f5e65fb82c6ccc4577e8960c6698670943b21093018c11179576b21eb54299d

SHA512
11bd1985331c869e6ecaa857e0be7005fc365efc58fedd2061722ad7e1585bf894266c72ef41b7b46a86ff218f9cab9ab47836d8903f1a76568fede649200877

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
276KB

MD5
a50e3c6b4411bc1036528c3430bb3d87

SHA1
b81854b0d3c818f8401057ab94eb995cbcdd91ad

SHA256
c82399a85c528ae77703d815f34cf52e353cf8756478d2e31403ec42592482a0

SHA512
a87723bb44dde2d729156d995ad1215570d917683274b6984c0f973b2d9f75a1230ca18dc07bcdb8febb9f0f7cd4aed3f17561ed838163d3419306fd6017c627

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
276KB

MD5
926096f837e6c1cf1ebc8e2f664423c6

SHA1
bb072db1e45431f9eed30948eced1532c60842b8

SHA256
d0a40e1935fc35d9ebaed9e715eaf0541a331560da52c8fa58b8228b556691d0

SHA512
71d20c796d7d2b4cf2e6f4496788f048224a155c0e1451c10b6bbc84f33922c67fb07f60f9fc426f944df21a48236dd7227f3ba442f9a707efee0118f370fb57

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
276KB

MD5
ca3ded4cc2e943d6a4b2ac0cbf123aaa

SHA1
2a506ede932a0311d8cac8d2d186e45cb78e5516

SHA256
6c9fe655a476218b8b433a1e8eda4c089f734f0b8dc75ab03674ff574ecb6ce5

SHA512
0f3b44d8d2ddb163ccaa05d969bb76302225c32eab458be3a3e5c845bfdcd708cef0ed62986e85f1476329c1915f5f30f2d2c0437b0da01a488f875fcc11f08f

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
276KB

MD5
2253d5eaa3cbd94773db51863cc70c8d

SHA1
d961ed8381b12927fe6ddd485fa7fe207d00b53e

SHA256
c03876fe8fb5abde027fce466594aba3ba7c7140ca4cd9b9a0e82604b3d25c51

SHA512
6b1f5f2645df4c76b80d6325ecc856df48c76e7b9484cd8280075d1c7c65558b7baceeaa88eb7a0f0e3d25705785ed4238c6963aecae33cf143dbd479203373d

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
276KB

MD5
362027797ad36536aacacc8af87d0e70

SHA1
68d4e184ede8ac7ed21b30d3083ac930916f2015

SHA256
7e4563bccacb8a6d17e58d4d72a1675563fc6241cae7ad78018a872340ff142f

SHA512
51b95e79e1f26d042cbe3ff5018fe5d029d182e331bf99d5dbca3f4c019b0f6004237c0b91f64458e74bffc0611dbae6dd9394aaeeee45a1ae7b0528f0001c50

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
276KB

MD5
539cfbc0dbb1d94cbb790622185030dc

SHA1
e79e09d1d05c26b1ada1ad0a442fea263656a394

SHA256
2567ad34cf7068ed99d0452633d9aeab9d1f9a786f1bc87dffdc1a7fc4a6491e

SHA512
54480f2aa940fa6f264500aedf61c5d09e0d41640ff37f86c502e043de97feef61c2c7d1d9053382155ad43f17844b2e2fef91238e417e52103318fa8e6c0a2a

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
276KB

MD5
a62a90782064aca559d11f4a7bd648e6

SHA1
8684aeaafe6ffd684aca4fb756b58f31b11216f2

SHA256
daf4537f8fb8a86e171a79249ba935927e7c82e584db83d73e8c9518d7ea0700

SHA512
c33bb9101be79f37451a19eae2ce8a67b2a5239a824909991af09cc4825f40b4aedbd119c705fec283f6513f236bb7d49cda3ca2d6cf4bfef94fd85f52bf6854

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
276KB

MD5
8b11a5fe2a1f9ebcc4585115810956ed

SHA1
0c7336ef2b0406ce1de766c5ab69de247ec9e080

SHA256
1e00b9649d405e5af66790ed12f6df57faa3daf2db41e0af4f0f8c0b76707dc9

SHA512
ee26c918f8c6690d8662bda78ea4ab07696d3b56c3d53c1bdc18750d12422b042a40e83d8c2aaa6c809db39ea9b5cdfa791c754b90adbd6fa806224227962ec3

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
276KB

MD5
f6aae22e9afec459d73f05547d043959

SHA1
518b30eae640ebd11ee15179ad049ce60592e29c

SHA256
55d62c82df51b56d7e81aeeb350b3588107e00623a02743fa345f204842ad998

SHA512
b3e727a056aed5b7e73a65078c1ee7b0a3b43f4003235559bd1906f945550d328160aff9a54f89091759c5b3d1d34611508fb23dc61bce2333b0c535c9bd4b1b

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
276KB

MD5
8003dbf6801a8a7453d8d69578ff5855

SHA1
137025d5879b2ef67f0196c26917b62865b52312

SHA256
f3b291a3029528048b10c6c15ddf4b7968d63e200d8b724db8bf7af7cda3d75a

SHA512
3d50f6bc78bde4a583be36063d9487c76cfecf623e6e2cdf7400a488c30f59dc52381bfc0ae768c606124b62e8081c82c1a6c88ecd3c44d46716245ae823b000

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
276KB

MD5
823fe14b11e32ea445d5fea771dc8c3b

SHA1
777c4f7d7be396443445322a3a4e1c7fe54211f9

SHA256
87f4d20fc282ca09f8149101826b2bfe739e527a23d252c09cf5b6da2c1c1c53

SHA512
e542df8b735f8970abf2bc0bdd2c5e58d2a5dfc3de43c286f07594a2f7214acc7ea77657c9cd462977587b9832137cca2b1263ad750af1ad4988538fe430d9f9

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
276KB

MD5
c081deff7f92e5119c932068eaf2aab0

SHA1
b3d2f291433bd1ad8c61810138eee821078472e1

SHA256
cb71786a62074dec41a09afcf31c5038ab91f78d8cf06cd6243a0222e6875d82

SHA512
81b1d14890244e060edfa6e0d857fbf1d695cf1e000b432e6f592cb12bcb6c5febd02e68bfb307e2b619861c2d429415b0bb3b9fa3077f6b39da64ef07f405d4

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
276KB

MD5
a4538b427bc69713f448c4268a7244ac

SHA1
431a7def53b936e8a7e317c5788b845a2274acd1

SHA256
1dd509b30a2f9353237134261c74c8e6b043f6668e2e818dc763bf78a65addbf

SHA512
af5bbae0851bac041efb56c935b5b9b89a175f8cd58ee86ac449c195f352684e50437d0039c8502ccd4e6306f1b77c64bd6c8cea50488ea0d4bfa3c9f932e22d

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
276KB

MD5
e17d71a4f24eb2a271b9032709e0c811

SHA1
6fc477e7924d92cc2b30d0539eb509ffe5f03e40

SHA256
4c075be5ee95965974fc11a1b7f5459115fee760018f92d19f0c447ce9eb3994

SHA512
f19323122737f479e3ade4f0cff8e1c3f6f9dd973a631fca47c5dbc1491111afdfed9aa260cc10255ad50f35f40629a8727eb3d8ecbec9434689cc5d6488e911

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
276KB

MD5
a4a507d5ed64ec1962d8f2b95ba5e13e

SHA1
3d8c947183c8cdbc8461e4026ad2aa19b79949ee

SHA256
a02be6e0442a5948110ddb556f64d427b7bf8bfe79020eef34f44d66757a1481

SHA512
fccb00a7701e691e6a0ad5780fd81c57a4feecdb14803a3357d27d9b5d10002bf43b0a9312976a3b91992e338fc41253972322bcdb2c5f74d5b272630baf2366

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
276KB

MD5
c0406a40c157395da1dbd3c83c8da16b

SHA1
46f1eefdf66e5e4bc8b4468d2bc1a8a446de4f2e

SHA256
cb9b6740d52d45da2cc8f80e3b9dfb8a8cb91a69e97a06c123aebd7f33e51765

SHA512
da83ea8bdf82b191edcad043fc10f20aec7062ad643682ddf27507e88717729f981a0a64d29404e82f43e2c7509b576a9e0f3b8d660c44db1a76d71bae6926fd

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
276KB

MD5
8fe335ef490ce246e7e1dbdf407c5e43

SHA1
cd09de2c3db09803fb4e6ffdd326375f9606ed7f

SHA256
661d4f9ae6cb454825e01353d9dd1b5f1cc5bb99684fa07b882a9928dcea25c1

SHA512
321bdbf927602c66cbf850ddf8006d01e004ff6edcd5e28b7bb2b3e73ed0152316a4d498a240ee465dc4ce512ec02a7d57a44bbca6b4a10dd04b7d2a38e01a9c

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
276KB

MD5
33f18f658c6a20c1c232d6cc60211094

SHA1
61f282cd475a5128746a507f189b14cb99810637

SHA256
c8ce7f23264a206e2a956ab48ff61ecd27d726a482b7ab48a6acf3d820f9cd3e

SHA512
05567a229b57e8eca789f296b993e54b57a425a288de404f9fa428bffd0839f50f39add16bc36cbdbd6fe76749cb982076e3eb0aa2b9848f71e298f7f1757ad9

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
276KB

MD5
2444014b9fc2dc021ec92d0548577629

SHA1
6df51f0f02ee58158af98fdbec051f5306c55d36

SHA256
42196d03d6a9b072f075b6032d8f80ad27f6c294f9ef2e10f0c332177dd492f0

SHA512
5a6cbe04be353a7f244e6a377d089d67efeec30beefe5787613ac1e211d8fa0b4a9549a0f6084c1e073d749d9d6c3441a649a1d7a280930fb5e06958f958bf97

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
276KB

MD5
25bb15cd73f40792413c4a43edd0fef8

SHA1
5dc7871482cc89a093fa83b08fea771cd22bfe66

SHA256
335b243c1626fc5d0b3d8cfe534bd4125efaea7c818be762fec4b39e31d19bb1

SHA512
507a9e597060ca9947052dda0f785545e8d8d845d2089dd89a9864db832ec344340cfe8a34a5eca8e912eccbe595324745e2b3d57ee97c8bb279c7467fae1e95

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
276KB

MD5
2924bfaf03ac2e7674d3e426069261ed

SHA1
228a673836f7debb77f8bec2f529216fa7540a5b

SHA256
06a6230d2daed541b44076086d368a3996e748c932e0f6e8ffa2a289954be80b

SHA512
b94614e2ea93d005760a91666b038b0a832f024215963d2a09497e07523be49c9c2a2964e915a53450511a5ff7b50291d46964688ab4514d4e2f9bf7c9e12577

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
276KB

MD5
e4529e6aec8124ff8f5a475461540050

SHA1
c54425a1b56b0532f9749e3abf32ae826345063d

SHA256
6d62c7da9a844300475fd5543cd6d91a34d8f0863facf2f944722eef0d7bb10a

SHA512
2b6cc8c0d95d79ba76e460badccdb8159b6346b8280e3237873d12b95915ca3eb788342fa725f9fd82215e3e0cfbaf2f3265f2f84f0ab0bc56fda05194509c1b

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
276KB

MD5
8f6e17879e79aa54e2f87182c7a57b07

SHA1
1fad23c573b4a583de9b054b194a66ed193571ff

SHA256
34b5ee46cc53db298a5bc35aa4d6e3946077ab5e87d2d848aea60e01138af6d0

SHA512
f521a61fcd4557ddba19334948370906190a3a0e0826056c4cf87459e08ddb5917e2916f76b2911d058358cfd33bfbdaa68dd3a1ff3f324e9f5fd8c2456336ed

Download Submit
C:\Windows\SysWOW64\Memcpg32.dll

Filesize
7KB

MD5
ffef8bd03740341ac00e7914130e89aa

SHA1
bdc99447f01fa3f51612fc2b6109f3cd1d1aebe1

SHA256
23aa3c1507a8af2839592b10f689ca53e4e3b8aef0f7b325d3ac2b4ee223f0fd

SHA512
5abb90b09a5fa8d7802e17ba2c8037a78adb1bd3441bb3b621b79d10d8d7f222349099557b92c02742d52c78b7ee00d402bbabe97ec7cbc3cdb76ddee03bbbc6

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
276KB

MD5
f85328c0fe98241a5e5979032d8adfbd

SHA1
adde3da75821b7aab8928d1e741e1479063eee44

SHA256
19ecec4a5528a86771f7e27b4062c71b797e7fa472510a3ed870c0819e7a83e9

SHA512
3cee28b798ed93dbaff183768587e864c01fb842cfda089a80c0ce7026c7577de62888e8c5331f956133c8893c45aadf43f7b63c8d6a373be0c7f327a4b9fd09

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
276KB

MD5
8f2d28ff79921517cad7fbcb14ae2259

SHA1
44c07724931c358d3079bbb900f242f4559629f3

SHA256
7de97d5b485aa8860fe1ea4c1a4551f1a4eddf9fcbf08e54a0570c84c0d6fd4c

SHA512
4a5d7048a92ec7bce9d15be10c39ae16d29549a2c944d267bf2ab632a0d2cc3d9e05818c10119e522b36b59907d37282df6301144142dc4ad30c2af240e6733d

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
276KB

MD5
ff12309132047b5196f3836e9473960f

SHA1
cbc18e208e4cbd550ce51708dffd554978533df0

SHA256
adc2d799f87547a872bd95991446ee083c48974d01cd1e0c3d45161acd73efe4

SHA512
8066dec591b169056adaaf5cb81d0e24d1917bf82b8171dcb4dfd35043c2177cb5c3872953e6bc9c68fb061a5930abc993c33a47f24832912670fb0e1cf8af02

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
276KB

MD5
d0d74ad3a28407e42d5176a57a33020b

SHA1
13c1b491ad08a1326fe3db82d27d0f91d9fe7f6a

SHA256
bf2370c32a87c76033c18eece6d86a4a55a226d15dcdfd88e22773f2d3030271

SHA512
325bd7a41352e30af4ceb076f9bbb98b7f34d7cd6ee375a41c1b7ac74f96cc35ef8d76e2f01ac2c7910777d4a0ccb43d1cc52352e78fc1645b5ca732d92cbef8

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
276KB

MD5
c23f50ab9bebc030968802bf94282e6e

SHA1
d22a3600973948fa5e261604e0774b27fae5e01c

SHA256
3c3e3b2f4f63e3e60497b2ff8293b6c085e2e335d9ef4ac6d5c3aa5b390d0161

SHA512
60c599dea18769e4d5ff06fcaca83418bf6914e17e0abaf857bc6c06c1c8511fd5ce5a534d0d11b0d049807647f597277c0c65417b98f3a0437c6a2ba128f4bc

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
276KB

MD5
f15bb1e17aaebf5aa6f54ff773c812b4

SHA1
3455881cc6f85e2ae17fa4d1688d0434d5f67da0

SHA256
3b6c720bb39a428c0faaa7514363e62793bd56c31d4251da6bbfe2abd96dce0d

SHA512
02db3beaf23f90b442cf2e1664d176a03c99138d9162861e1e7c8841a21cd5c7d6dc1a5a495bfc94702dcb4ca950dcd53bd4c74edea1d2b79cf673b212d1ff80

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
276KB

MD5
89ceb00f81ee02cad48a3386cd6326ff

SHA1
3d7bf22aef4f2a6124c5f2522479a3be335f9a66

SHA256
a17cb18b7bf24e24ba3de7c424a0fd5fb796d3e7cbc11ad980e08879bdb231aa

SHA512
4d9c214e8af84a6143a430583d3371d0635e4f2730887bd66dd12d2e79bedd7ba0f5d9e17e0925ef2c6927125bc5235c5037e0267031e58a2f4ccbffec84c89b

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
276KB

MD5
e4dee8d142c25e7bbba85921bbfecda8

SHA1
1911805dd4baf3a17462035277e8238878d69e18

SHA256
e1f58f7e939774a979d30de07c95ded54f34b23634f6bd074823dd71b76f730a

SHA512
3b116e219e2e0f83b28697241db5576e690d423d43c9e957bd421baa1c486208f5a64d6a57efde12a8ffbf6084e1eefcad794f46cb3a08768d9e6659fffa7783

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
276KB

MD5
e43098cdfddfd261f3b021485054cca0

SHA1
fde5146a2f949db6a606503b05741dfa5597db0e

SHA256
b4bbbc2695b7fb65b82c600a4b4e051523c07a1ea5995b53deb43402f5177b5c

SHA512
128d72c0b340213e97a74f7c3116e46382de493a172b8c457e00f301c5e1116dce21ab2bce16f46d3bff0969857558d7b60a935febd24dd3e126a61f53ca80b9

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
276KB

MD5
add50b10372289704a182b76d2b06ab4

SHA1
d2a8147dff283299723b9535a5f46b04ccf2d8ad

SHA256
cc1ff5bf6bac1c53341695f98879d1cc55b3d5bc3edc25f3aab1784edfdcef26

SHA512
f1f5d8a0a3a7f6d320f83ffba0f1040a8d3e9746bcdea77889578b6908aaf894408c54e1da6d513829751a15a6a5392d2fda57650ed4336b78a2025b3ad85be9

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
276KB

MD5
2266f6982fc5b3b92da557bf23c0493e

SHA1
ada7bf69d021afc405af4ad0f9e6cec9f95d0b38

SHA256
7eecd5f127dc855d59d319fb4586e894a5c85aa8f787bdc5ab1577491dddafa1

SHA512
c080c83adeeeab42aa17d92e1e1d8e2582e3204ecc5add8e4d55d40ec36f1014d116677b00497be8ec11d4f745a41e6bc020790cba97aa20c51ac57c871e14ad

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
276KB

MD5
1f8f2711207a5aafa79be2b573e0a69e

SHA1
ed071d1a90164a60784d4965d7afbe92480afe73

SHA256
2f90f1a60831a7d7133ab341bf1684da9268ae900b9f7ccf55724308405e5556

SHA512
20bcdfe7289b247d5c9f8e91ed6d2669cfbca44e51a950c0cd32e4adeecc8089bc3e2d9512a95fb3eca5e562b82f8ce23da1243bb3e1a575ff7b93279292d7f1

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
276KB

MD5
1c26e4db5f8704413ead3ffce4b67c41

SHA1
4272b7d11f3c5c5c81a8a374a40cf6d6b9b57206

SHA256
0c2273be1e0ad962c14ebc4570431d7eda34232f00e2e00ae99b2ec3532f9bad

SHA512
a3d7d0ea0f59db93ae61512c7ff6c0717f2b390ad490595d929c3480a1c69c698916ae1a4718f5c7a998e7c987055fc62f65953a889cff2ded696bef34864b56

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
276KB

MD5
7449486266df9b768635d64dd5234828

SHA1
cdf35f6f7ff510c72d274abd8bd3bcf0ca260e7d

SHA256
c2d4fe0f278917ebc1cbcc08cc560b1e60d18a5c4d3b72a6bef58699e8287522

SHA512
04fd5b3de8a05b5707de5be697113a46d4b19990d7860c5eefd6dffa08cca6f8f31e14e253e997bd963c5597cb7fdf87c60dc0d185c3b4b4b1e2b20ef01deebc

Download Submit
memory/64-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/800-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/988-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1884-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-1010-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-986-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-595-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-1011-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5340-936-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads