berbew | 53ebb15b6985d7002486b1e13f7364384b11bbca0d86c6975755bf25a40da25c

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53ebb15b6985d7002486b1e13f7364384b11bbca0d86c6975755bf25a40da25cN.exe
Size

128KB
MD5

cb182bd0ff481f59a7bf52e81e301a40
SHA1

d779370b7f792fce1413fe4c304698a669933245
SHA256

53ebb15b6985d7002486b1e13f7364384b11bbca0d86c6975755bf25a40da25c
SHA512

f14ad35dba8e8c988c3aa15c5d8e38d9eb66fa64b95d45929cb36cc5007c3a2d2ec7ddeb7ce33bfa081da0443c28628fe235dc29fe83bf4c282f61a95053a895
SSDEEP

3072:3zS0h7Wi8ZShpDXIdeb9pui6yYPaI7DehizrVtNq:3uViV/Rhpui6yYPaIGcs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2412	Klgqcqkl.exe
444	Kfmepi32.exe
3212	Kmfmmcbo.exe
4120	Kdqejn32.exe
1856	Kbceejpf.exe
4400	Kmijbcpl.exe
3412	Kdcbom32.exe
936	Kfankifm.exe
5012	Kmkfhc32.exe
964	Kdeoemeg.exe
4436	Kefkme32.exe
2588	Klqcioba.exe
5004	Lbjlfi32.exe
448	Leihbeib.exe
3624	Llcpoo32.exe
4072	Ldjhpl32.exe
4468	Lmbmibhb.exe
2336	Llgjjnlj.exe
5068	Lbabgh32.exe
2356	Lpebpm32.exe
1952	Lingibiq.exe
4496	Mdckfk32.exe
660	Medgncoe.exe
1340	Mpjlklok.exe
1532	Mgddhf32.exe
2564	Mibpda32.exe
1868	Mdhdajea.exe
1916	Meiaib32.exe
3960	Miemjaci.exe
3644	Mlcifmbl.exe
2920	Mpoefk32.exe
1924	Mdjagjco.exe
2268	Mgimcebb.exe
4084	Melnob32.exe
4520	Migjoaaf.exe
3952	Mpablkhc.exe
4336	Mdmnlj32.exe
4808	Mcpnhfhf.exe
2512	Menjdbgj.exe
1344	Mlhbal32.exe
4300	Npcoakfp.exe
2896	Nilcjp32.exe
3076	Ndaggimg.exe
2844	Nebdoa32.exe
668	Nphhmj32.exe
2964	Ngbpidjh.exe
2084	Npjebj32.exe
2816	Nnneknob.exe
3756	Njefqo32.exe
3256	Odkjng32.exe
2528	Oncofm32.exe
1832	Odmgcgbi.exe
5020	Ofnckp32.exe
4540	Ojjolnaq.exe
4292	Odocigqg.exe
1004	Ognpebpj.exe
2540	Ojllan32.exe
1044	Oqfdnhfk.exe
1528	Ogpmjb32.exe
4392	Ojoign32.exe
4480	Oqhacgdh.exe
1616	Ogbipa32.exe
4384	Pnlaml32.exe
3436	Pmoahijl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Kdcbom32.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nilcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Kdqejn32.exe	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Mnkhmbin.dll	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Allebf32.dll	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mdckfk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5552	5312	WerFault.exe	228

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53ebb15b6985d7002486b1e13f7364384b11bbca0d86c6975755bf25a40da25cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikdngcl.dll"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmlocln.dll"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 2412	4832	53ebb15b6985d7002486b1e13f7364384b11bbca0d86c6975755bf25a40da25cN.exe	82
PID 4832 wrote to memory of 2412	4832	53ebb15b6985d7002486b1e13f7364384b11bbca0d86c6975755bf25a40da25cN.exe	82
PID 4832 wrote to memory of 2412	4832	53ebb15b6985d7002486b1e13f7364384b11bbca0d86c6975755bf25a40da25cN.exe	82
PID 2412 wrote to memory of 444	2412	Klgqcqkl.exe	83
PID 2412 wrote to memory of 444	2412	Klgqcqkl.exe	83
PID 2412 wrote to memory of 444	2412	Klgqcqkl.exe	83
PID 444 wrote to memory of 3212	444	Kfmepi32.exe	84
PID 444 wrote to memory of 3212	444	Kfmepi32.exe	84
PID 444 wrote to memory of 3212	444	Kfmepi32.exe	84
PID 3212 wrote to memory of 4120	3212	Kmfmmcbo.exe	85
PID 3212 wrote to memory of 4120	3212	Kmfmmcbo.exe	85
PID 3212 wrote to memory of 4120	3212	Kmfmmcbo.exe	85
PID 4120 wrote to memory of 1856	4120	Kdqejn32.exe	86
PID 4120 wrote to memory of 1856	4120	Kdqejn32.exe	86
PID 4120 wrote to memory of 1856	4120	Kdqejn32.exe	86
PID 1856 wrote to memory of 4400	1856	Kbceejpf.exe	87
PID 1856 wrote to memory of 4400	1856	Kbceejpf.exe	87
PID 1856 wrote to memory of 4400	1856	Kbceejpf.exe	87
PID 4400 wrote to memory of 3412	4400	Kmijbcpl.exe	88
PID 4400 wrote to memory of 3412	4400	Kmijbcpl.exe	88
PID 4400 wrote to memory of 3412	4400	Kmijbcpl.exe	88
PID 3412 wrote to memory of 936	3412	Kdcbom32.exe	89
PID 3412 wrote to memory of 936	3412	Kdcbom32.exe	89
PID 3412 wrote to memory of 936	3412	Kdcbom32.exe	89
PID 936 wrote to memory of 5012	936	Kfankifm.exe	90
PID 936 wrote to memory of 5012	936	Kfankifm.exe	90
PID 936 wrote to memory of 5012	936	Kfankifm.exe	90
PID 5012 wrote to memory of 964	5012	Kmkfhc32.exe	91
PID 5012 wrote to memory of 964	5012	Kmkfhc32.exe	91
PID 5012 wrote to memory of 964	5012	Kmkfhc32.exe	91
PID 964 wrote to memory of 4436	964	Kdeoemeg.exe	92
PID 964 wrote to memory of 4436	964	Kdeoemeg.exe	92
PID 964 wrote to memory of 4436	964	Kdeoemeg.exe	92
PID 4436 wrote to memory of 2588	4436	Kefkme32.exe	93
PID 4436 wrote to memory of 2588	4436	Kefkme32.exe	93
PID 4436 wrote to memory of 2588	4436	Kefkme32.exe	93
PID 2588 wrote to memory of 5004	2588	Klqcioba.exe	94
PID 2588 wrote to memory of 5004	2588	Klqcioba.exe	94
PID 2588 wrote to memory of 5004	2588	Klqcioba.exe	94
PID 5004 wrote to memory of 448	5004	Lbjlfi32.exe	95
PID 5004 wrote to memory of 448	5004	Lbjlfi32.exe	95
PID 5004 wrote to memory of 448	5004	Lbjlfi32.exe	95
PID 448 wrote to memory of 3624	448	Leihbeib.exe	96
PID 448 wrote to memory of 3624	448	Leihbeib.exe	96
PID 448 wrote to memory of 3624	448	Leihbeib.exe	96
PID 3624 wrote to memory of 4072	3624	Llcpoo32.exe	97
PID 3624 wrote to memory of 4072	3624	Llcpoo32.exe	97
PID 3624 wrote to memory of 4072	3624	Llcpoo32.exe	97
PID 4072 wrote to memory of 4468	4072	Ldjhpl32.exe	98
PID 4072 wrote to memory of 4468	4072	Ldjhpl32.exe	98
PID 4072 wrote to memory of 4468	4072	Ldjhpl32.exe	98
PID 4468 wrote to memory of 2336	4468	Lmbmibhb.exe	99
PID 4468 wrote to memory of 2336	4468	Lmbmibhb.exe	99
PID 4468 wrote to memory of 2336	4468	Lmbmibhb.exe	99
PID 2336 wrote to memory of 5068	2336	Llgjjnlj.exe	100
PID 2336 wrote to memory of 5068	2336	Llgjjnlj.exe	100
PID 2336 wrote to memory of 5068	2336	Llgjjnlj.exe	100
PID 5068 wrote to memory of 2356	5068	Lbabgh32.exe	101
PID 5068 wrote to memory of 2356	5068	Lbabgh32.exe	101
PID 5068 wrote to memory of 2356	5068	Lbabgh32.exe	101
PID 2356 wrote to memory of 1952	2356	Lpebpm32.exe	102
PID 2356 wrote to memory of 1952	2356	Lpebpm32.exe	102
PID 2356 wrote to memory of 1952	2356	Lpebpm32.exe	102
PID 1952 wrote to memory of 4496	1952	Lingibiq.exe	103

C:\Users\Admin\AppData\Local\Temp\53ebb15b6985d7002486b1e13f7364384b11bbca0d86c6975755bf25a40da25cN.exe
"C:\Users\Admin\AppData\Local\Temp\53ebb15b6985d7002486b1e13f7364384b11bbca0d86c6975755bf25a40da25cN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\Klgqcqkl.exe
  C:\Windows\system32\Klgqcqkl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\Kfmepi32.exe
    C:\Windows\system32\Kfmepi32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Windows\SysWOW64\Kmfmmcbo.exe
      C:\Windows\system32\Kmfmmcbo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
      - C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        33⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        45⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        53⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        62⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:536
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3836
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4972
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        73⤵
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4020
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1196
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        83⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2812
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        89⤵
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        90⤵
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1480
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        97⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        100⤵
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2028
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        104⤵
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        105⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        106⤵
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        110⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        112⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        121⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        122⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        123⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        126⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        127⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        128⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        131⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        132⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        133⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        134⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        137⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        147⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 408
        149⤵
        Program crash
        
        PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5312 -ip 5312
1⤵
PID:5472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
128KB

MD5
ddbe5fab2a12762d712b25326cbfd043

SHA1
7b999a97f9c2c8945d29a3311e8e51d2abb0358f

SHA256
2c37b97e6621a1c1a73fd84c2a0a883df502871341ac6dc889d52b2c765dde01

SHA512
436e0038fbf678e61af13b95f9921635d849a4657964035751548cd9f47de94d9d82a00eb8272aaf80f643d4ac1d52022d63ee4858ab4cf304c1063687c2a2f6

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
128KB

MD5
32777a769864681b611945a61aa69d17

SHA1
f5865cad7c4e0d40f6792de2b4b9dd33910992e5

SHA256
898c8b21005abfac3bcd8beee98a974a8ca62eef2150f408604e7e9e17028c42

SHA512
a3ec4bd0a9dfdcb499fcd68adfe8eb4da020bbc2cabb9d15872c6bcfcd75fc630929fca98ec862e1a37efcc7fe7bbe96b3aabb3ee1e11493a13a9c752e983e87

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
128KB

MD5
b827a45d5aa3f887a2b5c3d9c10b8ffb

SHA1
c22122b3b2e2af0d3bb24855b7cd20fb21af3c06

SHA256
122c4632fa09f0e813e724f792cf2aa78144320b0c0816f98dde7d2cfd85552b

SHA512
75cf7a740cd05a8f47f77eff25a5649b1bccac24773c2edf6816a241a68720d54769e0f498baecd865492ebd46980cd00503008c3c95b055907487792485b9df

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
128KB

MD5
bd91e97bb56fd96924fbdf984a0d54c8

SHA1
eab6309fffd8e4ecaf8ea128c043eb5f372823d8

SHA256
047fa517ecb87e6c4b66df546de4d16514ccb6fcfd7fca5776dbccb9b833e313

SHA512
5aacfff1033f84f71754168f77443e1f08d38359d98dd6be36077888489013740f1bdcc253fa05544eb3e4c0c888c571d427411b63a66d868bfa20df6d75150b

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
128KB

MD5
87bc92a53652fd35494c8002314da14a

SHA1
63adc0cd3c847876bc92bf93a7a3152f01af91ef

SHA256
714c76d84e85cbc2276ab584b1b2c0b4880c9f6c51b5950401fbdbd40a0a378e

SHA512
dbfda0282a43561ffcda1f5dafec765ab2530d16378891ba7edfb4fdbfc5e9da83aaa5492fdd76965054c2ec7fe1c119b4b9e45ea27ed1cf79e5c24d0bf9e4c7

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
128KB

MD5
8804572c7498de7b9f725614e2a25dd5

SHA1
2db93779f2d4d15beb37c9e547574e8d37e91048

SHA256
49b919f6771d4e1e12482652eadf33d126a2065822128aa5081dc2da52fdb8df

SHA512
fec3aec91b6eda7edb2ea001e5dc363b3d584a74fd9ce594db3b1975690eea2e8bbadb86b9111af94411f716d2ad5afb173c75ef50f73797d463a154e3130459

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
128KB

MD5
cb605e7bc8b829ea9f45387f35829ede

SHA1
0d7724c06678726c8df1096ea4f53b627128eaa1

SHA256
0cb7e3043929c1b3161c28401d33a783a859287f5d2f4f0f5c4b7d3eddcba1c7

SHA512
c7dbb01d40abbdb4306b1444b88d142c7cb41aeff9ea24e2197d89240dbb3e917d19a058448075f8d03dc8d6f9c257b7260d30ba71dd22cbbb8ddc20999fb2a4

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
128KB

MD5
971087e59394bda0f3ca44c90913d3de

SHA1
203d0236837a1ece2109be0e6f169c98937e8be3

SHA256
3b102fff9d918a5a0bc81cd51058bdab3e5c9855af93c3bc45cc3d5de44c4ba8

SHA512
3a8c8d26fec4958a16c91955a24b80cc0e8d949db22bb8025d97e29b79faf84648f41f917886ae4e06e0aa67acca3ad1e65e991bdcda993cce8fbf0fd66ed784

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
128KB

MD5
ba8c51f8216a671840b8047a32e49103

SHA1
8d95565f1fc2140413395f23b07c07718c997b1a

SHA256
6b5791beaa0b2178a679ab69457bcae88fa5859d510b3d4036729020fe318e90

SHA512
6b42220a4e9299827651205ced25eab0a315c3e976e3a4079cbac307e5c006838c197dfc1a0951889ef128876d6a75f04ebe85c51cbf9a712178760151e6a08a

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
128KB

MD5
b928ed11427ee18ec8f0fe39f029ce94

SHA1
d898577e18532a1b702c9a9a7c9306b0acf8d86e

SHA256
b35a291bda4ab1c2336d9499218a866f66271802413f14a2feed4f474337ed3e

SHA512
9215b583e6735914dd334366e7a51fb392f3b1b69a9a2a67eeb376b7035d3f8c4a5ec1e7fd63e8fe26150c58ad818c7d74d39513d1461c33b80610f7856ec221

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
128KB

MD5
d28dbe52aa84fac6267b4263e9926209

SHA1
a81807996ba083fe4c546c1ef1911b55edcf4d72

SHA256
8f8251718af9f435647df132698e7184c0eecd7f218ab21ef52762201cab7715

SHA512
62f047f2711be5120da32cb2642973fc569aa6a4582d49bc29ae8c94ac0b7c2961801f3262da93dc4d4eff39a2671eed25853704cfe0f24c533023380e4cf07a

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
128KB

MD5
37f887385d5e2f68fe17ee5c7609c394

SHA1
49669e4a949d11b4ac26b8455c3e4f1c958d21b4

SHA256
69b419c4cfda40054b3b48ac47fbd6c2cc7039fb3017dbbcbf33c3b4726d3d1f

SHA512
c65de8c0ef31a8716d58c43ea409d5535c3afb2486d5be3934b1c3d9a5d855d3995decc48de587b3e15cbbea95a462f2249a55446ccdd0b1348be17edc44b17a

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
df282cf3142d1bb33c5020d6e5e590cf

SHA1
5cc9efe30d17805b578ea22089189672b8677b8d

SHA256
39d1c9c8867ce2442d3ce6ba97aa5a53b829767c95ef02169cae5b4f933f50fa

SHA512
2cdeebe03a1da7c97a6d7d2ba934e2f64d3aec6d5f22545e7c53209a551b6531601ebc790fe73a1ba4a882c61ec344dedf02dcf4f22dc0aa0ba8d421b91a8383

Download Submit
C:\Windows\SysWOW64\Dhbbhk32.dll

Filesize
7KB

MD5
fc98a02c3f51213b94a61633e4f34cce

SHA1
7ac2f55751e34cc365c6a020638ac2813ccb4128

SHA256
8e6b698661b6705a1d0398ad70fe4c738925c3916a58fd365fdcbe48f2f43c20

SHA512
4ab8641b750f15572b0ff01a00c188be1157819e6d95cc0e394feaf2b6ee5d667acb732205d75949c8d29d546dfcc1913b19b26dc0222bc2c381288754d8bd74

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
128KB

MD5
b48e74a98fbcc10c042330bec514bbaa

SHA1
a626dee4a39548ce3a7d68cffdd8b78cb55468e9

SHA256
d15eb6ffba8b9d181ae676bb35d88b2b79599bca6bbebcef732b8611e9fa3349

SHA512
647e94732c7390c3bd24a54083d063d58ee5b45d87c4cc7157994b4ec9236eca449c934b10627b8869b9b849320ba56c9a49977bc2455f75bb00d43c9e2e4fa7

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
128KB

MD5
a1b8893b9abe647fd8362f61b3e67620

SHA1
706e7088600b3aa0ad10fc7b6b7bc602cdb346e3

SHA256
e403c8a58e9e956f9f4fe547ae93daa47835e90915bfb5810e36b8cc75b4e32d

SHA512
0c38315bb10c78d1558cd16c258d2e9a66bdb9ab4bb7a596c840f426f2c41c2d66ca6bd28815baa42686a570b3ba3ee33bc0b3214c03b4177c54b06881935b75

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
128KB

MD5
0e39d409ec8a13960f45adcd708dae7b

SHA1
df0d87707c62799ff9aeee98d28faea51ec8d4cb

SHA256
24307e836a8a9cbe31ab66ac932f18f429fd236b2b32b5b714ef4098c890434c

SHA512
bcd95ffe902bd1edf1e5ced4d870550dcf87f532942773b4f7408e237705563707df57f372b2c2fa16237f0eab6913bc5925198e8501344c5161868cd622791f

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
128KB

MD5
5f2964e751c45c17775565ada1cb50fa

SHA1
670aa56e21a2a13b5550fd50aa95e57c0ef91014

SHA256
78999e7299dd0d3598109ff4de6cfe4491cb14df86c6719fcd02a4ab9bff3e03

SHA512
b4979c1505fd697a37999d5532fd5288c5ea670876eb1e5eb3a090b440169bb3b5c4be0b0ba50cd5b69c76684923e0313d286c03755efd2579f188541004d48a

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
128KB

MD5
52fee2d471f39086da3881617a152c4d

SHA1
4f967bbc01cb1fe0a88b58e2aa7c2f7bde2609d1

SHA256
f0546e5be501d13f2acdbfbeadb97e664a32c0de28257601493b80a70d1c3491

SHA512
dba2f653a8815976cedc55021ac5ac67df28c647dadbdf845f60d84ea04e7d5b5d8604d48e622c96e1360ee2c3853da7aae0ab6f5cfa9bc03220330247861c8d

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
128KB

MD5
a5824eb9acfa4d543e2d0c6a72dbb3e5

SHA1
b6fb0ca99cf27fe5c4c0a4dc87c504c67c6c72b1

SHA256
fc998c9f3942557a95aa38fc5fcf1bfb6c3f270910fa54e79121116c991ed17d

SHA512
f31c974219078dc4be4dbe03a0dc55e164ba816b2d42044e6867ce27d6be1cc50ed1d97ee98b641f130f2feaafea471ee89054dffb84345bb255d42b80c4e7c7

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
128KB

MD5
0be66104488929edd46f5e0bad0fc471

SHA1
7439f2ec82a270fcff3f607576266b545f40a07d

SHA256
a9f38f387ee4730d6c3deafe52c965dbe6c628d10799ef104bb7cd1090c2ab18

SHA512
9f2b09a90e608a2cdf1bd221d5a8d630311b594759fbbea5959f353a9d2bf20754a976518434ffeaff9fef8375dc690564ad0681f8b69001a7089eb6e3d0ddf3

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
128KB

MD5
732d06f3f87156f5e685fb8712abf5cf

SHA1
b0079c65d2773e2e64c474be1fa0013fb110d5ca

SHA256
c81406727dc5e516c03b8ccae31bc6a35e25ba39e03b785a16e509e0835656b3

SHA512
c7ca0b4765676a16ec952b58a3493344fe7f895fb1e9099b856f9dc4910a00a3bb316114e0456cf6de19e56bab0c12a96b49946b26323ce8a4d156affad542f9

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
128KB

MD5
e45506ad8ab3c1c7d8d876af12bc5e65

SHA1
19bbe709b218e97b2e93bd8d553eae23944cbd8f

SHA256
d22416954994f3f75f82004657f0a8209df5ddfac8560674c82c23ca9a209a87

SHA512
37a4216f064f0faf56fdee4cedc0883172f2d0fe40f5508f7958c9f10dd6e4ce463a5033ddbb2d4e87efe65990d2e7893efe25a902cdf44b56cec8c55e77febd

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
128KB

MD5
65b814feedfe97a8bf9cad744de8d565

SHA1
e668fa3573d3f9d4c82dda41b2e501778d35b751

SHA256
bc0d509ae6cc44d54a7d846c71cf2e4e0ab7bd88e7cf53c60f838a10b8c62495

SHA512
a649a33cd66a715876009a951e08dd2563cf0e490e20312bdc2f9aeeeb0e059d0000d2af5323edc04b09baae8ade902aaddf2f8ba4657ecf5638dc842a0a77b0

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
128KB

MD5
2b46144f5ce3d857159833cea3ef2a84

SHA1
312da3fdf8f38a3606c9c9360cb890272e7dc4a0

SHA256
4ffe1c5fe43aa1847fea501082b8189c9f36597fac523034a2f0e53ac8a21c7c

SHA512
4bd6ae6c0a928043e5376366b695a094bdb8db17a602c504394decd82a8cbd82302d3ed3a8015087ced93a4a5b29182a7e31a1ca50917abd0ff1060399174f84

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
128KB

MD5
a4212531f6a4f54baef9b519e52091aa

SHA1
a453fb87253dd3506f6c05b6367b9f35faf9b658

SHA256
21c53f1652db99db39bbde9f0b31c272c9962c0b90e0863e498319f30b17afbb

SHA512
490b4b2d82422261832f86a4d387a26320e5d08d8df68cd2e8227605f52957ff04479526bfefaae5573350710dffeea984e28931da2514d9798f2cbff6f8cfc1

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
128KB

MD5
012a0d9928214f09efa727c6635e8aa0

SHA1
e3919745d6008d31be91a1fee81ab9630826dde0

SHA256
b7bc12b12d2407e4606d6cd953e3f4d848320b524c6d5f594a8cb1b1d1737869

SHA512
e2a8687421e61ab7efc9671b885bfa5de2953fa7ea93a6620fcce0c476d650b5a69c816171cf14259836d10bdded01cb3d39cdd7c79440029de4c349516faf50

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
128KB

MD5
12100bf30fa464f87bfe8754b92e5da6

SHA1
28eeef9a65c034ba447deb8b9ef970253a0f74e8

SHA256
34f9467c9a161dc4703dc12fcae25c57ff220829a3776e9811ee75c3161452a7

SHA512
ac2c19f6519e52a6404742e15cc2c535fe59a5d81afde0d8f06517f4b4852ce35f1f8ae5b8281d8f6bcd10789b4a643822eb0ccc7865be90c41f93f10b76dc65

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
128KB

MD5
6b59d1dffda3f71c6be8a5fcf79ead7d

SHA1
a46df38d46df621768db96769699db2d3ae17b4b

SHA256
41e1ad164a28d660a46150e89f594dae83feaa14d95b756188cc8b1f53b39ad1

SHA512
27c320589f9e2fd21962a2ea49f3173bdc8de5bd6a2faa11128939ab41588734b8b77fea512df6f7c370f2d4827c7e7896116a0d772c62433360bc2e2b119bc1

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
128KB

MD5
56912980996da8d2e96d114ea216d39e

SHA1
4137c38abf09a1e231e056d0f29048a0b8a518ce

SHA256
d9d4b30fd5ada4ed5b9679d6fae036a4253065daa2eaeb4839ea80e989d12384

SHA512
de2dd59781bf2e28bfe80dfed73d238e118188130aa6f72c0ba7160f78a73a44dee57f69cba9226fc5f8b999bb5d183ee258126680e810a2ed9d22f84224499b

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
128KB

MD5
de4d364a4248ce91a03c8b7ae0532886

SHA1
d0bc7ae6543fdd1c101748100d4471af9174ceaa

SHA256
6341f03ec82c89a0cd34ddcbcf2d8a5a4756a6cf57be8e52690b736a8ffa7cb0

SHA512
479e756e48a08dac9d180d622f8c2580849c40d9ec4bfbf25593ace674c9a3f7cdcfab48d786de65b894da1ed5d80c359d237ef5e07ebcff9888bf5aa9be1246

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
128KB

MD5
99a6daac408b58f473890a47fd35126e

SHA1
b6939cee93507c7bc04b3bd825436584d9c873c7

SHA256
57f7d9bf475bad9fb6ee725d589a24d8105cde608deabc899cc780bd0a61c925

SHA512
539efc9f88f2bd1da72b7f87a4af3cce21f45e127d5863d13bf7263250dfb54fff5cd4b84865f12176c8f2f51d867359b3bfaa6378e8d8754fee946330451888

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
128KB

MD5
3dac36f8243859eec42ef32dc55e0003

SHA1
19b826fca5f49b35f1fc830e6474fc3cc353c255

SHA256
6015dbb436edde0ea2a0623711b050f55298118b116b280fcd81f56e5225adad

SHA512
c69c1e2ed4e9af2c329bdc592676b6ab311ed4b61029702448cf32e04343b7effd2c3ea991c1f5973393218d2c037cef1b8f9f2c616077ad0f3990968d49bb1e

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
128KB

MD5
1f4750836576804146c64f470ead7a7e

SHA1
b93740bc2a6665b26eec3ed687010f504db87072

SHA256
9283b59bbc6342e9730ff5a4ef84116fd9eaf8c444d300ade509d4fef625d7f2

SHA512
4371061d9f56def23e0a93847dac7c648b4f6762df5ac0449bf85386b03544ad135b79a329cc53ade1b2a1084b57ba9d63c77f3c67cba65d898200219d2494d5

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
128KB

MD5
e896825a032f5a853e6aa701c20dd932

SHA1
c561366530b3849b7c4ead8802ed2f33deff536e

SHA256
5389eeb7a361ed7e1a2d7ab9ddf68c00274c2488ea846014596e79b1e9ee72c0

SHA512
220e0f6faca187e1e7d347363b3d1b8f6785c3f7195193341b9742c76d8b95fe44d103be7bf558a57987ed6f988a0ada31864cd1d6cae63214a979ea897f93da

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
128KB

MD5
499cc5c1e9433067e1c47b6c7bcbba66

SHA1
d6e8b569f0cbbc4b126697333c6cf134978585ed

SHA256
ef75c2093d1ee7ff11a1eab37c12c9518bead081fea9e02fe05afb36920636be

SHA512
82fe8106828cf136544d59ffdff8e6e29d6153d7db1de0f03c85f30539fc4ea095795634808f17cdeb760512e249cb8ab0f17e6dd96f066c6e6bc9bfe4803c16

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
128KB

MD5
7bc2478609988dee1dd58543b23e3b2b

SHA1
0221a1e00808b54cc9cfa1d59853e5d29a2d7ccb

SHA256
8cbb9741cf9048557b764a7a64273c8ae37478fe403ff44baf14be44594dbc51

SHA512
e2d05968772303125b2b8ae24509e754ca76d8b70ee497659b7c54dec0caee7c852c8734cb077404b29c4c038c5b3ea1ef019776428a5cd60471568b45dde25c

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
128KB

MD5
e43d2da4b5163784bbc516b27c286bf2

SHA1
82179c81b4c2851ac81c52c75425bd8f49450af0

SHA256
8733c18619c9ca2a95d4dc4b073aa6392dcd5035196fc48233f5b545085ab55a

SHA512
c394ad91ad6391969bb932ec042fee72ac67a5253ad545feda2f0130fd9e6106004018eb93ba914c93dd889579bc3c16df7ddd5a8bd51895b8e18007448de5a3

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
128KB

MD5
af3b14724c68c67f28b46568a61a5336

SHA1
9fdc1ff05dadb64e293ded0afc243939cc61fa86

SHA256
3824ff1d9fa8609985e5c2d6e6952636401c5824ddadd721fcd8153522971782

SHA512
a62e0aa8338ad6a57f6ea5fa59e465db5210647888f21807b8f452b79d60d0812bd1428cb43f56a891995f4935a36b7b98ce196b98a2a05d4a10a8efc68f7adb

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
128KB

MD5
c77fbcb15dcdc852d46ff1533e7bd047

SHA1
dd350911fc3d2c9a72f2143ba36da218645b1ec3

SHA256
6481421fc8db1319989c00f7caea1df53cb7b13829a0ec6a30644a52df14b59f

SHA512
f5e29c1a28ed1a7c927345c0703e58b9b267985cb05bdda969b537309ca6fa3e30e2c06d7f5ac31f3d3c3f99bf4fe8204663b7322488ae93e648f69e0149e1d4

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
128KB

MD5
a52841ab1889bd1c2088c9b35422caab

SHA1
820b5c30eadb0c17ee6a96d0b4172fd50dd2f5a7

SHA256
4dc304ccd5d79f22c5781bc38cc4f5dcb2062f703eab607d456e6b91d1950cfd

SHA512
3525bf0793c1c4d6a28c3c138c3c3dc5562e51f190f6d07ea6075987fb532cc76fe7e9614ff21774d9bfe8074b08eae1730f14b62347bb52936c6195e86e83e8

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
128KB

MD5
d3f950fc99c375c5e8f339c826790cd1

SHA1
6ac93772ee40a6440d3fe63fbbf98745ef009fd5

SHA256
fb4e80f1ffb801a6b8075fb3151c647305abbdeea2c1fbfba191a646e11b7b86

SHA512
debcaade7926e06daa18cecac021d5fd8056a654e7ee3266de673254a6e487e2ecc506b063728cd6c8c5624f3298ac008ecd351866a42a186876fc880ad8cdc6

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
128KB

MD5
f5c8fcf9b199dbc4e965ec2cced51128

SHA1
7f9f8add42a3bd94f5f27c57d565a7e640c3372b

SHA256
460983bd8712c2ce1323bb8ce2d45085a8c39cd1d64367ae56c374e3aa1af7c3

SHA512
823df3236d9e7a1d7b4b978b97a295dd405138e6da9382aba812b52c9f5a93aaf33c309eac5ddbb1720c03a367a479196b310a245212c5fbaacb57e76cd3abef

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
128KB

MD5
4a68c014a3d4044b02b12fe919e0ad42

SHA1
9667746fdf3aa1235f59db18c327c9f483ace63b

SHA256
7ca6a75c6c835cbec99d933c8a898215b7538ea2bf46118e5ab67ff27e6b11e5

SHA512
9fd1f722248933fda310ce956adbd89304b0739a3f7fdccac83f409da8775698caf2d2323adcd97c64f5769a98d1bf4b8b2a31d2f948ff769c6b5ed647dea91e

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
128KB

MD5
153c0b8821f8892172d1879434a66f6a

SHA1
81ca4569a5daa7497d6cc8ad66bf92461b0eb192

SHA256
57d1b909709e7521d3c40cecd8e4395493d141864b9f702d022f80d74a49b11b

SHA512
cc85d1ac3c051703ef0b69c2f94a30126e7c15e4047a02859923d46d52246316c8cb8bbb9bd42b4c771a1a5e71311b74495fe77f38efe4512829c73bdb260f17

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
128KB

MD5
99b1849cff76778de42800ecfb4a09ba

SHA1
2e3af36177a4bdf3619ddf9bbf7aa3a1b92dcbe9

SHA256
21277cd7f165c74ad09a24bf6710e5d30cbc562f4c71f0ecb93a10624d0551f5

SHA512
8f6ee24cfc2349100d9d3b37ef113486efa4337045bf905f5c650e75c0c26f1f99a5a0330eba1253c4a9d3f21c72955bc133ba245b805efe5546a45edbf82cde

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
128KB

MD5
c8be630179bbefcd60cefc68cb56a264

SHA1
c1cd5af21f6dda2500a7dfba032397a03b0abad1

SHA256
77f1fdf2b4635a9221f0aadbdba1879b0b0cdfd01a4c1fd299f6e123f9abd2cc

SHA512
54c0aefdc0d9c5235e1cc9f4b9850a780fdcdf7ef58861d2762ee7f977844d817211632c2608966c8d8982dcf709c64cf23da8ce25c01bc8170f3bbbfc21038d

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
128KB

MD5
6cdb549a0ee556bdff3bf15c85b70555

SHA1
a7f3c83c98e126df6d6827d7696fc51afaa20a15

SHA256
c7cb6ffe6f9d8b00d9f5f8e877c32997823d69606247c5b9b327e092cf40e08d

SHA512
1829a5e87c9ea78f943bce87dc4a6a90da66fd5ef41000b1dc39c4f8d01da9f1124fa0229f73cbc69cf82a424e2c014ba60778cd6bf3d3f8acc9b44a04e13003

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
128KB

MD5
a19698ca9422fe1757723eb9f8989620

SHA1
d73aba7e43f62e328e8aabd741dd8f3c1646ace1

SHA256
b159b73f94838ef09db9f2b19f93c2e3eb6f244167e8b0c65c56f28b05dec984

SHA512
c60700ca8198a9cd218bcb9b5b852194fbdb880845d60d34d569c415c5673d9a097e32421cd81209f5b94eecc14382755a41d9bdf561ec2d2df94bc1aed7ca63

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
128KB

MD5
fbe8edc8da9055c365ec05eb5669d6d3

SHA1
d612d9123b44a58e7bc2f1ebdb093211f121e055

SHA256
507a5daccb5b53b82293c8a9dc74fe99e8b93d2697971d524bfa5b61197305be

SHA512
4c8b40355d7fdbe664d7ec13b7921b87d428d60ef089d3be7c2c008fac351153779463236f1ca0a993c92578bdc331aea96e01abdc6b41ff51797475e12d9659

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
128KB

MD5
89ac708e84b7c94121d48571fd91cce2

SHA1
770658f0c30db10e0626a3fd9723c36471395284

SHA256
ad34953319646da2b47423f89cc853dee3d4782e767d82ec144856354127ebfe

SHA512
443c723f2d46d2591c9ad79fbba7391c8c0425d82ca01262e8e5da06b0e991329307ceda8ebac4455a270a377147427ed158430682f0bf6231e7e4d5e6b7f856

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
128KB

MD5
653b0f22ec02c810ea6408b6a7b56c14

SHA1
7f2b9de4d8b237659e1ef781652aa223fdf42cf7

SHA256
119cd60c4190fe01989f1d8c84695ffb08c2010d091e0e26b114ca9fe74f689c

SHA512
c45f9d1485acee35d44a7a67356c27b334af1f5c499afd50bd181894c476d71cce4d7e5db2615adf0d3aaf433b0c1a35383037a244e180c2012686516fb0fd0c

Download Submit
memory/220-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-1071-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5336-1031-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5580-1060-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5976-1043-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads