berbew | b3ed4c1cc8abfb7ce4347010bef24980e46efc32db897ed0be2b1026d900fde2

Analysis

max time kernel
112s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3ed4c1cc8abfb7ce4347010bef24980e46efc32db897ed0be2b1026d900fde2.exe
Size

64KB
MD5

66034fe65368ff7ef228799e93a98567
SHA1

4044b23f48eeeff01f978407a3982ed69335c978
SHA256

b3ed4c1cc8abfb7ce4347010bef24980e46efc32db897ed0be2b1026d900fde2
SHA512

d2dd6df735621c11b7a7121ecaf7beacf70964e49e59f46e9ce921d889909104406e1c2277cf87eb0959a7ca5474128b0fd89b484b38a99a1f6f564f7e071fe4
SSDEEP

768:TRkhLa1wwSNPrUZsuz/1B61/ITUU38xCq44QJ9/1H54FYJKA2kms8Y/ts/9d2Nz6:T4a+H3/KU/xylWyJrPFW2iwTbWv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2300	Kpgfooop.exe
2628	Kfankifm.exe
3460	Kipkhdeq.exe
4204	Kmkfhc32.exe
3696	Kbhoqj32.exe
2120	Kibgmdcn.exe
232	Klqcioba.exe
3656	Lbjlfi32.exe
4356	Leihbeib.exe
1920	Llcpoo32.exe
1420	Lbmhlihl.exe
3384	Lekehdgp.exe
3944	Lpqiemge.exe
2572	Lenamdem.exe
1960	Llgjjnlj.exe
1840	Lbabgh32.exe
1128	Lepncd32.exe
1248	Lbdolh32.exe
1568	Lmiciaaj.exe
4772	Mdckfk32.exe
4832	Megdccmb.exe
1484	Mlampmdo.exe
1544	Mckemg32.exe
3180	Mgimcebb.exe
3468	Mlefklpj.exe
2148	Menjdbgj.exe
4472	Mlhbal32.exe
2084	Ngmgne32.exe
1116	Nljofl32.exe
2256	Ndaggimg.exe
4908	Njnpppkn.exe
4316	Ndcdmikd.exe
1164	Njqmepik.exe
700	Nloiakho.exe
1752	Nfgmjqop.exe
1604	Nlaegk32.exe
2160	Nggjdc32.exe
3456	Nnqbanmo.exe
4424	Ocnjidkf.exe
2340	Ojgbfocc.exe
2108	Ocpgod32.exe
3652	Olhlhjpd.exe
3688	Ocbddc32.exe
5060	Ojllan32.exe
712	Olkhmi32.exe
3216	Ocdqjceo.exe
1676	Ojoign32.exe
3812	Olmeci32.exe
1360	Oddmdf32.exe
3212	Ocgmpccl.exe
3912	Pmoahijl.exe
2896	Pdfjifjo.exe
628	Pfhfan32.exe
3104	Pfhfan32.exe
1620	Pmannhhj.exe
4456	Pdifoehl.exe
5088	Pggbkagp.exe
4988	Pfjcgn32.exe
2796	Pnakhkol.exe
1760	Pdkcde32.exe
1416	Pgioqq32.exe
3020	Pncgmkmj.exe
4312	Pdmpje32.exe
1296	Pjjhbl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Debdld32.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Lekehdgp.exe	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Mlampmdo.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Kmkfhc32.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qqfmde32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5456	5144	WerFault.exe	223

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3ed4c1cc8abfb7ce4347010bef24980e46efc32db897ed0be2b1026d900fde2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 2300	4296	b3ed4c1cc8abfb7ce4347010bef24980e46efc32db897ed0be2b1026d900fde2.exe	83
PID 4296 wrote to memory of 2300	4296	b3ed4c1cc8abfb7ce4347010bef24980e46efc32db897ed0be2b1026d900fde2.exe	83
PID 4296 wrote to memory of 2300	4296	b3ed4c1cc8abfb7ce4347010bef24980e46efc32db897ed0be2b1026d900fde2.exe	83
PID 2300 wrote to memory of 2628	2300	Kpgfooop.exe	84
PID 2300 wrote to memory of 2628	2300	Kpgfooop.exe	84
PID 2300 wrote to memory of 2628	2300	Kpgfooop.exe	84
PID 2628 wrote to memory of 3460	2628	Kfankifm.exe	85
PID 2628 wrote to memory of 3460	2628	Kfankifm.exe	85
PID 2628 wrote to memory of 3460	2628	Kfankifm.exe	85
PID 3460 wrote to memory of 4204	3460	Kipkhdeq.exe	86
PID 3460 wrote to memory of 4204	3460	Kipkhdeq.exe	86
PID 3460 wrote to memory of 4204	3460	Kipkhdeq.exe	86
PID 4204 wrote to memory of 3696	4204	Kmkfhc32.exe	87
PID 4204 wrote to memory of 3696	4204	Kmkfhc32.exe	87
PID 4204 wrote to memory of 3696	4204	Kmkfhc32.exe	87
PID 3696 wrote to memory of 2120	3696	Kbhoqj32.exe	88
PID 3696 wrote to memory of 2120	3696	Kbhoqj32.exe	88
PID 3696 wrote to memory of 2120	3696	Kbhoqj32.exe	88
PID 2120 wrote to memory of 232	2120	Kibgmdcn.exe	89
PID 2120 wrote to memory of 232	2120	Kibgmdcn.exe	89
PID 2120 wrote to memory of 232	2120	Kibgmdcn.exe	89
PID 232 wrote to memory of 3656	232	Klqcioba.exe	90
PID 232 wrote to memory of 3656	232	Klqcioba.exe	90
PID 232 wrote to memory of 3656	232	Klqcioba.exe	90
PID 3656 wrote to memory of 4356	3656	Lbjlfi32.exe	91
PID 3656 wrote to memory of 4356	3656	Lbjlfi32.exe	91
PID 3656 wrote to memory of 4356	3656	Lbjlfi32.exe	91
PID 4356 wrote to memory of 1920	4356	Leihbeib.exe	92
PID 4356 wrote to memory of 1920	4356	Leihbeib.exe	92
PID 4356 wrote to memory of 1920	4356	Leihbeib.exe	92
PID 1920 wrote to memory of 1420	1920	Llcpoo32.exe	93
PID 1920 wrote to memory of 1420	1920	Llcpoo32.exe	93
PID 1920 wrote to memory of 1420	1920	Llcpoo32.exe	93
PID 1420 wrote to memory of 3384	1420	Lbmhlihl.exe	94
PID 1420 wrote to memory of 3384	1420	Lbmhlihl.exe	94
PID 1420 wrote to memory of 3384	1420	Lbmhlihl.exe	94
PID 3384 wrote to memory of 3944	3384	Lekehdgp.exe	95
PID 3384 wrote to memory of 3944	3384	Lekehdgp.exe	95
PID 3384 wrote to memory of 3944	3384	Lekehdgp.exe	95
PID 3944 wrote to memory of 2572	3944	Lpqiemge.exe	96
PID 3944 wrote to memory of 2572	3944	Lpqiemge.exe	96
PID 3944 wrote to memory of 2572	3944	Lpqiemge.exe	96
PID 2572 wrote to memory of 1960	2572	Lenamdem.exe	97
PID 2572 wrote to memory of 1960	2572	Lenamdem.exe	97
PID 2572 wrote to memory of 1960	2572	Lenamdem.exe	97
PID 1960 wrote to memory of 1840	1960	Llgjjnlj.exe	98
PID 1960 wrote to memory of 1840	1960	Llgjjnlj.exe	98
PID 1960 wrote to memory of 1840	1960	Llgjjnlj.exe	98
PID 1840 wrote to memory of 1128	1840	Lbabgh32.exe	99
PID 1840 wrote to memory of 1128	1840	Lbabgh32.exe	99
PID 1840 wrote to memory of 1128	1840	Lbabgh32.exe	99
PID 1128 wrote to memory of 1248	1128	Lepncd32.exe	100
PID 1128 wrote to memory of 1248	1128	Lepncd32.exe	100
PID 1128 wrote to memory of 1248	1128	Lepncd32.exe	100
PID 1248 wrote to memory of 1568	1248	Lbdolh32.exe	101
PID 1248 wrote to memory of 1568	1248	Lbdolh32.exe	101
PID 1248 wrote to memory of 1568	1248	Lbdolh32.exe	101
PID 1568 wrote to memory of 4772	1568	Lmiciaaj.exe	102
PID 1568 wrote to memory of 4772	1568	Lmiciaaj.exe	102
PID 1568 wrote to memory of 4772	1568	Lmiciaaj.exe	102
PID 4772 wrote to memory of 4832	4772	Mdckfk32.exe	103
PID 4772 wrote to memory of 4832	4772	Mdckfk32.exe	103
PID 4772 wrote to memory of 4832	4772	Mdckfk32.exe	103
PID 4832 wrote to memory of 1484	4832	Megdccmb.exe	104

C:\Users\Admin\AppData\Local\Temp\b3ed4c1cc8abfb7ce4347010bef24980e46efc32db897ed0be2b1026d900fde2.exe
"C:\Users\Admin\AppData\Local\Temp\b3ed4c1cc8abfb7ce4347010bef24980e46efc32db897ed0be2b1026d900fde2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\Kpgfooop.exe
  C:\Windows\system32\Kpgfooop.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\Kfankifm.exe
    C:\Windows\system32\Kfankifm.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Kipkhdeq.exe
      C:\Windows\system32\Kipkhdeq.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4204
      - C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        27⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        30⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        33⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        40⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        63⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        68⤵
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        70⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        71⤵
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        72⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        73⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:808
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        81⤵
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        85⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        88⤵
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        89⤵
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        91⤵
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        93⤵
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        95⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        102⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        108⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        110⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        113⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        117⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        124⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        131⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        136⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        138⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        139⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        141⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 396
        143⤵
        Program crash
        
        PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5144 -ip 5144
1⤵
PID:5324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
64KB

MD5
ab5d04e388fa1b7fc2e18ca4a5fa0ce8

SHA1
c675413a057856437702489c8da50b636bf49a50

SHA256
a3414331873ca491b82c11ad98be543abad8e34bfef63d8288beddf6b2b92bed

SHA512
11d187a6dedf48a861a56d03621c987d3e6ef164dd62a6e15ebcc936c9dc73e9c1dc07a916472495b7e9c8448418651d74acbe265a4ae90f4e9180f4922e8ca3

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
64KB

MD5
be7bb38f84351b918489e615e3aa5580

SHA1
62c9ebc3620ff4165a35da0b48460c015b520a6f

SHA256
2c5a0be4859fff3191883c66fe0d0fd361922a0c5583d5f1f3169e8855c738bc

SHA512
342c4181372cac04b8114ffbba7cccc1cc643f0b149a934ddb311ad140357c9aa00a72871b1b4318b932b95928ca81136449166017707d2af2a1da5a460cae10

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
64KB

MD5
77e4f72a52436f633864f6bbea1cf85e

SHA1
34d493946abc691b0c78043d37185696af9853b6

SHA256
b405db875b9222cfa09c71a2dc28eef8945b9d4eb63417e4952a2c5e9cfacc6f

SHA512
04100304b63ef6e3de702ea35a1dc2a554cf3d6f0e974aa5d528b0c9531a33007c9dc66de9c99d2d3d0cbcf520b19237bc6f300bf19cf58158bd9c40699f9a84

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
64KB

MD5
f1b7caf44c19fd9c0975ae56e09e33d0

SHA1
514a1aa72fc5310bdcef398055a468992a57ee28

SHA256
f26f1ba69fa67c228b924fdf47935aa8034ffc4620fab192b581537e803c4170

SHA512
7a2fe84446d6ac0792bc7c21b831efbb3aa25d23935adeb118d60d2ced44667b9059fe0d6e756a92debc026add3c066dbfca98fd7d83c511c26fe12cb3189b45

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
64KB

MD5
cf30d3b078e60718ae5ee537491d0c0b

SHA1
083d12f2a9103de3af303fe188a7f32212f27bb0

SHA256
0135ee5d710065728e5637ecd7245a5423bcbf0883124728cac2524a457bbafc

SHA512
db67acfa672e1d7a3b9543bde01f37707efe8f73b7c197c29560e53c98726e0fc1a5d90bd4e10f2febe065232f458bd00212f70aebdab39531c4dd5454798236

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
64KB

MD5
73f67fdd11feb4509d02c78e1ba0b10b

SHA1
b0224667b49aee9d81d51336ac9e1f8546e93048

SHA256
974345e2996605a8d248bbeed239e8e81bae0ccdcafe302da8f2ceae57b0186e

SHA512
662846ac59ac2cecafbce0f679ba327781e6f06d26dfa717e88b42e664d891441bc9c621d1e8bba830112f734af4ed563adc308ddfacd11fa3d210ae08df4982

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
b118ce0bff9118251b18b3b4703c0a57

SHA1
6b030392a2701ba746ce7db3f7486b6ec1270c81

SHA256
e09577802976baed3b868869e23f54c5b742b4d2cd592109e5a6d0167a929986

SHA512
f821010e09aae22e09ecbf28f7228c86ecdc6bd72a37ad4971ad7b9738428052005a756470f486bda13d48d23910c6429b6a5570ddc4c1e2c004d1e8e872f2bd

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
64KB

MD5
42683477e7238ea95aa17317717ee36e

SHA1
2131dbab828140c00e54a1160e5b87624ef070cc

SHA256
1940ef31024c16ce84be2eb0806cbe423a2b7928f1b3cb874e9566a639224923

SHA512
ac7cce5ce4f50d1b987f1f42abc665e83abedc33f0595d3ae5ce53ac12a94ae4a6f476f0bdff4d4d6842beab79e9d48803a2ecbccc68c227de94cf189a1515c8

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
64KB

MD5
7bbbbe410af5051693d1af4f026e5fb4

SHA1
df49e00eb66b7178e9e6d93f7e60b718ed51c50b

SHA256
c6df92ca5b5e8d25ec2afa4d33614a173646420e7cc89c2c878a8d420edc073e

SHA512
da1c7fd7239978e207dd1bf5a3071f85d1497f50ed3b3e421251824446a9416197549b499c45a13e98ea56a968da6547ac0deb55271c92e965723e160ab83d7f

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
7422f24e39dc73dcd8c0c27981d3d9ed

SHA1
58f70f3edec6a68261f3b5a42af35e35a630a8c5

SHA256
670fa3f4aca714172a6dde45d45aef457c44aa212f91145412ba636427838dce

SHA512
416286a3e3b3146b31d4129de2a790abb3fd3ff9d6b366c9ca96258c5c632f88ccda46769d8a8948c9072cf7dba3a22e397ca93a6021dc466514aec0629fa579

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
4b2677cd7706d85041a22e80c181780d

SHA1
6a59f49ae00b36f18e7a3426379b31490e896b5b

SHA256
fec66c70596d37b12152b46b2066bd621c18b3ecc7ecbb148a151214c21c4425

SHA512
8f6134c6ef4503fde05f8d04a07b8636aebfdf35585055236f05c3d8ea1d5bae8ca87bb927f7775bb0abe9335f168e8dd2fe769d7c4ec2fe490d89dce83090b7

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
b4e3cb66c7169d71316b9b2ab3d57bda

SHA1
f0f8ff174ecd1a7e92adea1980673f523f8394b4

SHA256
1e3531bb2e308262e644c2c745c87269d4965de5041c5911707ce11c6efb542c

SHA512
ea79dd9c04b99e231383b31f5d8dc370890fb0562d898be34f6983e81bc79f332b03e2b012cfdea536e2ba9b307df69a36f014b4d937737940a4278c7a79d5fd

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
64KB

MD5
eea5f9a0c67d77bc543ee6ae33b6914c

SHA1
cf6921e950f818a8e5dafc7244ba8bcb7117cb79

SHA256
6c86f649e29fe3cec8ebfb8293b4d0d20aa18b0d02a2f5691c4ee2534bedc8d6

SHA512
01c7e53b1f583d9ec8e79d96aa8dcde2898da3519087eded2e6c32a477d3c300fce8be0f2340b28da57c5770b383ad3014cc5d5b887d712dfcf6b9b35bcea478

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
4a516a3ca2eb2b1f079dcfa679b39e22

SHA1
2c01101cc2f5b2e8895a0447fa0c6f4f626974b0

SHA256
709c35f212a329350ff58bc5bb46c1bfbfe44383554c4d262428b26a17298b92

SHA512
c32b3c22930ab11002d1e1375596bdcad4926429b4b02a17692681367fc6ce80c8bd186097d300ecc9cb9bdeb51853a09ed1bb822a788d95ba4dd2d5baaf56e3

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
64KB

MD5
1b16da43562c5816b41626e2ca8a1f57

SHA1
ce2dfec833125e85a72837ab496c4eff04a5a943

SHA256
49dedad6ef1d7adad218046464a2eca5394b93fc8192335f953259acbf77b9e5

SHA512
93e61494e434915d8eebf1521ba57fd9bc7d40bf77c8a7ee3ec9eb420b841a95265d74adbcfe7a754a0b111697e8c88d8c315db37ef72ffa7901ef8832808c16

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
64KB

MD5
b17eff14f5b2fe88115067851e754160

SHA1
acc145acec0472a85abe6f54f529bbcbf32044bb

SHA256
ff2f0468270df1b7ea30037b80b1417edf1a868604e05ab674c70ec75873de5c

SHA512
86d1851ce4992d7519745c704ac746722c03fa63d5dd9756f9092efa762589b65bcd4406c0f79cf14023775876f177a4beceb6a829bf0f4c615554f56af02f6d

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
64KB

MD5
0136692397b9590ba5ab380829e0df99

SHA1
1d105e6462a1052c89b38b20a61badf872b2dd2f

SHA256
6bf5685e99116fd006a1a1631cc2220ddf39c435f6427c02a2915893bd1cf678

SHA512
d2b29b2fdb7828bccdce94d9eebb9bdc4f83fa31974475c4aa8417d22bcba43c92520959f07b0bad44bc84556bcea70dbf2d3857643360e7fa5e92aeb3581c92

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
64KB

MD5
c3fd293505b1183ed7d81fc0b8cfff93

SHA1
936b639b366c37c93b2f9012db40ccc84a6a443c

SHA256
0bbed4b6f9f08689585bdebba0519f3e7633f466102e5ebdc7ee3572ad3b92a6

SHA512
beb0a1119cef7e43ffccd9a215b96710893dca744f4705dd062179ec3736fec7d263233d0d31fbd47cc7e02ab8e4b87370bdc2d018fbf7f78ac74244c5be38d5

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
64KB

MD5
923265b9fbb33333784bcb4710417d8f

SHA1
0311510fa7371960415564144c52c3f212e81adf

SHA256
c5410e53ea93ecc255baa2fe21bfea9f296d28378478632d69b187f2fb3bb3a2

SHA512
6a360c3be24a05020b46638466142a35fa1ce974bc0a7d1c3d504db1bbde04fff1edf9340cac50faca0a7990b13b57397790253c20916b7d36b6c2c75cf38502

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
64KB

MD5
b52dd7a6d4e0974efa0ba5ae71063533

SHA1
8f595b4a15bf815d13cc725eda7a79681c52a3ff

SHA256
c4e4fb85cbeed46463e5aa0e489d0a6cff74866707c23da17139c12c7fc55ef4

SHA512
80596273a52dda5f91f06eb2099d593f1ca6979322e554c9653660d9d0a4dd225a9a952d8d5782a068a1564a2751d4adf286254c3ebc39cbceebd40d425d250b

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
64KB

MD5
1b4d1c8b211be773cb6620d1b8274e09

SHA1
dc8fa3ceedb94f9a6cae63493d73d382b46e8cea

SHA256
a44d3d4b2898a51e9842efea314a79bdaf4b846642736e282e12103c627737d2

SHA512
cd4cad7696f8f6b3df5da97d100b7756e05523f603ac96e824e5d46a6e4f94593edef19e66cf7c540e3948ad753379b7d6a71b034ed17a73cbfe8091c6473f6e

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
64KB

MD5
4c60d6b478eed11aaaec09c75fca9684

SHA1
03d31bbf6c571cc947d11d794fda0084afd813d0

SHA256
212001027bd6f4fbca339d3d0dbeca9b677adec4898f058db6454a136d1a7a3c

SHA512
e3c11721186f3ac619227e0b140b4d6358db523fe64b3aec90fbdc28d4b75290152539b0432a27a3efff6a1e43559599852faaae75c443495abc9057e4017ad7

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
64KB

MD5
02f8e51d6de3206ac9eec52db56129b2

SHA1
636fc097639b505716694ee4edfb3d1b0330908a

SHA256
49f69f8843a0f63ca98c229cd4c7cd9b8534e22441546b868a23d1514f8289ff

SHA512
da478672acc7dbf24437239f7a3cfee6ecef2dc29a039f983c15b4e7a8012a4dbdc8c9a81626d2ee77b6e9bf8d801e967cf3a516c615fa078b9c7d84b85ae85c

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
64KB

MD5
c134afa91744495d823c28060ddcdcbe

SHA1
6abbc983f4d4e212b2754550de2d220e18112be5

SHA256
09d8deffe5b588f33889273ddfccfb3e12ec6022c6eb9dae99cf4e3642715ea4

SHA512
e54d2031682dea49b2f369e5e7d71a69b89c91ed2934a47169106ac92b7fe3a8845fe14d10ee00254ebf400251678c731cb5e992b27663dc9e8e4fb48ef22308

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
64KB

MD5
8b5a8042fab8fdd272e9e07c92f701b4

SHA1
80313c58faa2695378e1701e3b8569399b483c94

SHA256
e3fb0ac426639feb8eda1eec45db577dbfa03f65e4f0a1346f701c09851da5ae

SHA512
8284115e8ae1341e326929cc56692ed281e7e5d308b5624d2ad5e98fbb0bb824d63e6afea52d283238e31374e3389775e28bbcace1df89b48ea99be243cd2e4e

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
64KB

MD5
c69300ba5f773d252a01d109645f058c

SHA1
67559253691e9e606cd75d82865a737ff3edc618

SHA256
845c663f0efd80fae12033d77cbd14875b4ea440a3a13282fee508f6d887ef7f

SHA512
5278d4c30dd076453e6b9e32b94bb9d115fb1f987983d0b1ec32398ebb13b188501eff5d1d75e44292d181b01177c9bd6b2106ccd48de97b2797d0c838711923

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
64KB

MD5
79598a71637fa02c6c209b315a4f7f07

SHA1
d4ca1c10aa196f10b694975d7dc0df0cc668e602

SHA256
6680a2aa845cf9c9940422723d4555167424df6b401cde3fd3a01092cff8568e

SHA512
353ba99a935dd826d80fb8a68dad3af9212a3aa9c8ed43a6a1555791d5c5ab388f87baed259dc8df8eab9067456f63b700b0a7205bfc57a97a79d3249c96deb0

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
64KB

MD5
610cbbb95e37f4e1b58229f6389a749a

SHA1
1b60c4b73f7060301443edc7a1e610172e1420e6

SHA256
347899747ea7bbca8657ef8959779882a86cabbcfdbcd92c6288963cef7a3db6

SHA512
7b25da30d74610889ca176ffe93df7ba8b8f5252d38a35cba23c738a52a0b637cf682e933a4322f690ba30d08860b68a9abc8d4ea50826a34fd60904b00df0e3

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
64KB

MD5
a65a88f96ed1541b8cec04cec1784a3f

SHA1
28789e58aac5c25a0203694536e943642d042618

SHA256
9205996907cda0a83647075f2b145869c9c0201d0bc09a617bd414ec1bde54cd

SHA512
e80455e1cbe74863eb77151c2531560d050dd3f6b5171ed8d5a75f25bb457d98dcb612eb12daab20907ded64328bdc49608fb636d221ad694b2e7663f5fd4fce

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
64KB

MD5
eec7d40cfbde775d13a94997696f1d7b

SHA1
e6242794800e4a4fe73f3ffaaac7daaaf8d41bdd

SHA256
55d94d567a77d69f5917ada0f7062383d5a6389f8d52d7ba57f9c88a3c29a0ec

SHA512
29ea948caf343a58e69a06c1205ae4096b41da306a178ef76665af0edc7f3b5bd74a9059cdacbf58a5112899ee911ec6e7c8ee4dfb4ea5c798e6e76b51a43d8d

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
64KB

MD5
4ba858aa9a58e6b21c0d7865c4f2722b

SHA1
6eb129182e0dc838bff890b1132116369de8393a

SHA256
81c3d66f17a350cddae883ecab78e1381cccb502267581696a52689bc445428c

SHA512
ea92cf13c8f0bc0aecc3589e433327e8b625f11f78da5746f597a3c61aa355632bfbcf5b76354740a2b20fb08c6df61b16408842e03d9b24e73ccc542d0dbb2e

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
64KB

MD5
70eb0d553ad1d64eef8ca33a56154dca

SHA1
976655c661f1d5a4955fd1e86a4f8900b080ea44

SHA256
e889c50e99f0d798bb41986746d021a27d8c3c19b54c321c200366f99a985f6a

SHA512
b654915e5104e7bb8416c93ef3b2f5a54c4d67cb760bff481a9567cc0da4c732f4c8952acc274d7888187418b894e22fa1737c9b4dee8d25bc3102457be1eabc

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
64KB

MD5
0f082778cd7c5f3d1e708d5543a0d8c7

SHA1
a8a754b688cf08a8d2ec55042da8f71070e47876

SHA256
8cb7f0d221371c3a09cd84347490d73e3268428bf3d4c267d8a066541749b472

SHA512
a87201776ca06b35f464871e50dbdbf2bd2db0e97997fa17a26d331a9cb78bf1edd4838a250fa19c0ad7f89f9eec3e774b98f53f868de7b5f2a2d06fe8160646

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
64KB

MD5
8668f376bc116ab38b891b5efb2fe4ff

SHA1
72ad5b1f293b1f2346872c97f1704f387e450bb9

SHA256
9b81c504b064e5735826a3ad259611bf82eac7fbe15a9026f19ef72cbf77e63b

SHA512
988cda776c1e40930f29503ff46d0db72d16d6100cd22e349992d471b19a6bebe6c9a6db958c32b5d76d6e3c319a95998e484b07fcc41f996eb266baa34e2ab0

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
64KB

MD5
545f1254be21652f547b786f396ab10c

SHA1
71195d2e64b1c657590280f9f96001d57470376b

SHA256
d216a75a93acce0c34e14d3245e5ddbde1b0fcba1bf5e4f9a806270d21eddf92

SHA512
160d1c23aa5073369cad4ebd6f476cd2272a8c7c11ed70a58be03c0d1b3a7bbb57a892a77895454569218f0cfab32a0a28e7c298405e121d83f9f9b6e16f81c2

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
64KB

MD5
83fe51f950f0c14e3dca950e5690975f

SHA1
5ff8ff22acc5d00bd55ea43298f2fecb72676f38

SHA256
cce41f90756d13b828497230edc822873572574cd6fe91a357875c0d6a7d891c

SHA512
f7513681d680c611f15af2fed6fb0b0fe04933f9e8531225c0281f441607b98d687becffad6cb1c73344b9f4f9e5e3d4059c972a22b0bf80c65946a41a12eef4

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
64KB

MD5
583ee05c24fed535bab2fa9e8bb9a628

SHA1
dd566722c3b25d8be23c3c6e7c05e85610b8690c

SHA256
211aab9dd6c2bd734cbf1a33a489774f72bd8685ef0162a136b7910cbfc583e0

SHA512
f40097ff247f2919ee9dc2f66eaae595860787978adacb8403f89dfa7d0db992ecf11c8000d83b01fc041568ecaf88d91dd5ea999e0827fec52b179fd32721ee

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
64KB

MD5
4364a319397ff6aea9068117459559c4

SHA1
184ba17a3aa56cc84ef3d587fbefc279d9366f53

SHA256
afa9b973a7c4332b7f83e2b70165f8065f0bd452bdf1fc846db1892e40a8ac2e

SHA512
89e24731f3807dcbd3a304838e6d6d1501d7c4498380655b0c98874e07797f4fcead08019c30802769f50ae17e45df9b1ad325016822ba2cb066e617331a4c20

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
64KB

MD5
6cf489ad55b4b5aedb5306376342ef95

SHA1
39034982af0c41c3a9aa7dd5eb9f623e3dfb134b

SHA256
76599fbc208622df53d38399e047d5d401d6a2272990ea4c2f072e66b82057ae

SHA512
93f536c544bbb3322e2fa1a5bddf491ec55f4273921b0c8300d2bd11e8a67e92acd0d1d3f2c5a53547fcd0c236fe683e91900e442c836001d42c34f69b01d348

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
64KB

MD5
8d20d77dff218ab4382ce5aa7641d61c

SHA1
e5f972113f79755bfade4544e754e6abb5903b29

SHA256
2f2eb65cd985815f6be98face570f9b85d326fa9be3169586dace49ae93f465e

SHA512
225e902a53484eb9b28c705110e3c5872903b83b1c9b8d45de223c4ef81c22f3f52bd6804e3671d304a304d58c81f60481bd68a85725d33e672284f60da76b63

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
64KB

MD5
8651ec2544ad9377442e95f38455e2f2

SHA1
5acdc9fe847e94952717ead9cc158b74a73c15d8

SHA256
78b3e24fa97cdec8bc097061f08901dc3a12df09dc5bde5916eb9d02a44062e6

SHA512
a90cf995f68329cbec7aa79c376339b25af89b826aa4df05dd562897dc0e370ca07aa3ae503b593b30283151b265cf09a91279e548645374b55068cc6f0d68f0

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
64KB

MD5
f5debbdff443109fb8770f9026cd1db2

SHA1
484c057be5ae9452905ea297301518dcc66d843d

SHA256
c24148c5217afc8206524252bba5a986f37fa31fb5899f1d8a7a45515321ecf7

SHA512
2a3cadf0ebe404ae22d3fdec811a84a51b50f355e55b77c5cf7def154f319d3a3a75ef5b696e309236850ca205d90aef2f405b9f3e554b2fcf7c18421b97a0ec

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
64KB

MD5
2a51e42f6a6b4d806605674875e3bd49

SHA1
cf2d73f409bf6d7cd0ea0f20751709c325b3598b

SHA256
cfbc63c47634520a5e6c6855d769a034047f2296529c779c4a54cd861b68a6a3

SHA512
841ba180a211f07cf4ce6952dcb23b6bedda3ea34b50fbba60d4aa12e54068bd8dcb14e67c4381323b80adad930ad00a546d1793f87777396076131686573ffa

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
64KB

MD5
0ce1790e26c53ba262d129300aee6db1

SHA1
bdf6f4d7c46152742186acc8ad510309408033ee

SHA256
cff9f8e4712332f5e1cab1dfc667257f107d68c0a6e305ea0da3ce975509b764

SHA512
f4acb4d2e2632d2049eac234080db340d66fb05291b9c4d84ed1a2c19e1c3dfbc0cc90f33077305a5831c24db7978992739de116fc0c9967acf453c3b00fef57

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
64KB

MD5
5123f16bf10b31ac2a26f1c33deccbc1

SHA1
0c765adc9e2693ff533fb455c65965e7866b3811

SHA256
68672e4bc7d2cce992c4c40dfab75fc67f4ff370862aec5f1cf8f529e51714a8

SHA512
eccf469ef9edb1dd510dc0918bb0352407382b464a53e9399dd221e19ae0c0def154b94be4719bedc14064a4504c5e4f9837c99ccd07009b91c3935f0d28f54c

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
64KB

MD5
a20e5894e8ec8b4b23104ee6e103682d

SHA1
d84aa9d538d3eccabc9c1e9e60f616aa8d5315bd

SHA256
be9a620d4a4dc7159f0d2a07c017bea41b5c5388f39d09f3aac223f908ccb4c6

SHA512
983fdb9d4822585f271140ffa902d810bb909ed889a948fab75a470729c4140719d5ce93acc3a6fcfb1a76312820d4134e967791efed8e03680050cd66569713

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
64KB

MD5
fc42f9d77e97ebd39702eabab6a6daf8

SHA1
2cdf9eb2ba6a691bd40dfd36bc5b1a93c2397829

SHA256
e933d5c376d6f82459c61cfce25127d826fe8c4148d2545970c9d09fb9f70df5

SHA512
ddfe50d1ba3cb4d316b3e5ce33a0ab7d4ce2a7743eae0376fac8ca198c473c4841e4c1a98e0a0aa4d6e53e4d3683eedb42d5998df203d8dfc1bba943d7ed0e65

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
64KB

MD5
7cb6f3e084d447c4f490b349f00934ab

SHA1
02e18c17942ad5b7efba4639b9bf0798ffb5683a

SHA256
31003505a2318e5383ef64e263e63fe7d355155b58f5ea3e1db1e4fde898e5eb

SHA512
8cb9fc88680a618a96c5a1fddef667c5a03ceb4e6e7403481e74da18ad6558bdf27df8f7da7663fdb2730d6e58bbd24e6211afad6c12692a8e0efeb789fba6da

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
64KB

MD5
0c5321149dd8f2880fd93a8f05269df0

SHA1
7e5cbd5ca657dbdde6000debe2c65da0abddd3b2

SHA256
7f133eaa83b9b3acd2b113a20caccf36319f2c20b43de1898ab12b843c686469

SHA512
80892cc3b12fe5a03ea197ffee95f01aeccf691ae044da0a3455c673d7474b7868761ed40c058aa2c606dc87e9cff16f99c1bed17d79509aef1a804e83d77883

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
64KB

MD5
3972acbec8b372770bcb4d34ab63cfaa

SHA1
7debf83cf51eaa85ce1d19511bd5e39ef9a79a99

SHA256
3df95322ae235c83874183bdc9213029dc7e65c528863947c085bcdbdab290d1

SHA512
33c49e2c1cf84f7828c090b6561fd2494dce6a129050ed3d152afce420eee43d91853e68f2c2d7d322246a7fac5126d65a8af4679b8824395ca698e195c2ab4b

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
64KB

MD5
92bae8f1cacb9e5381a57c7b4f8703e5

SHA1
0630c040201f1fcc401ce64daeb85423ffcdd4eb

SHA256
b9797744646c07f0297fcb4db4573ac23e46c16f863f7ce35de77770ca26f2b0

SHA512
76464afabcfe41e87ae917cd7b9cf4669e782fc4c7ac0265b1eb79ca3b5b07b078869461a76fd74edb6f277271055c01aae1d07f6fceb24d276415dbe874c1c4

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
64KB

MD5
9221dde113fa502df7c9f3b695667f3d

SHA1
5917f0aaa7b5f6c9514b3d6be82cc53b3adb50b2

SHA256
4258282f03904162e3c72a9f8f01022a623367ff67d34c02b1da32e022483994

SHA512
8a9b741b70e6dd6fef76d5ea25d24923a5081568b9fc784bfb125d007279615502d0e20e60207ae4944575d1a9312d08dae0fde0cd907221f17f225db84f1925

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
64KB

MD5
52174583fcddfa556e9d24bdca6d4d1a

SHA1
f9d214913fe363b23247ac96529519f5b5a91c08

SHA256
38d955a4ebed71c8d9bb3045b113c6cbaf9d36da8e373370ca58a275e44bfdc6

SHA512
d4564004cc0b403a2c3b4d3b8038f44d604c24488d22796db3bec509f89a28c93bee2969ecdea2af7d15b11b55cbfb1184ed51209156674995df7ce72b0aca47

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
64KB

MD5
d3d3651defbec9a2f73c0ea05cb1f0c5

SHA1
c0ea98fa5bd82c45e50b45e62f04d6da5a972812

SHA256
1cf2d5ba4ee7a7e88ac615c6096cbda90ea8935483c433a3b6e6aef232197d74

SHA512
1fc8b1f39ff13e2a5f65c0c3ed8a40d97dbcbf8611df5d40d91b0ca3691b015c7f552860a416e36b4522f605d81c38231abd3b61e25b9654d095a91e96d28af6

Download Submit
memory/232-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/232-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/700-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/700-362-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/712-370-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1116-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1116-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1128-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1128-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1164-355-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1164-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1248-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1248-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1360-398-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1420-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1420-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1484-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1484-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1544-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1544-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1568-250-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1568-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1604-307-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1604-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1676-384-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-300-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1840-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1840-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1920-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1920-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2084-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2084-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2108-342-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2108-416-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2120-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2120-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2148-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2148-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2160-314-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2160-383-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2256-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2256-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2300-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2300-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2340-404-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2340-335-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2572-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2572-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2628-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2628-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2896-419-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3180-206-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3180-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3212-405-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3216-377-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3384-187-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3384-99-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3456-390-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3456-321-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3460-28-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3460-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3468-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3468-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3652-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3652-349-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3656-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3656-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3688-356-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3696-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3696-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3812-391-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3912-417-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3944-107-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3944-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4204-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4204-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4296-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4296-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4316-348-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4316-278-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4356-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4356-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4424-397-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4424-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4472-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4472-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4772-259-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4772-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4832-180-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4832-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4908-269-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4908-341-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5060-363-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads