berbew | 152ab2e9a09dc76543b174cad908c0d3e95c07115787361f938c75882dbfdf8a

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

152ab2e9a09dc76543b174cad908c0d3e95c07115787361f938c75882dbfdf8a.exe
Size

96KB
MD5

fd187f5e53323f4c2f0fecc2d1c89752
SHA1

a9761f984153852db706ac2cafac33c23b42fc73
SHA256

152ab2e9a09dc76543b174cad908c0d3e95c07115787361f938c75882dbfdf8a
SHA512

daa84e600daa79f8cf18a49cb12bba2581ad23eb2f5f5fb39861b48cf988f290a2697a2d2510bc484300cdf2c6abc04b2b47b0535208f621b8722783cec8d39a
SSDEEP

1536:FcHw/NhOowXJk2LYo0IXmPlBnLPbABCquhx/IZf2Le7RZObZUUWaegPYA2:3//wXZLYo0kmPlBnbIZkeClUUWae1

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolaogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lclfjehh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojimjjal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjjohe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidlmcdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajeemfil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdjjaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loeceeli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Didnkogg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lclfjehh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmcgpcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nocpfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmcad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pckdin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjjfag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbefm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcgdhch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojljpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfknodh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfknodh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdqpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obdbolog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpedajgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccfmcedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplmhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkohn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piagafda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpidfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpgqgjel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbjbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lolaogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbibcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omemqfbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcihco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblmcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbibcnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmggeohk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljiklonb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnhnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbbnpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnjek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capgpnbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mllaci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcnaonnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpjmmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kimlqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekbfpgk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplfog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfkkmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmhbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpikonoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfapmfkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bipliajo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikokq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcgdhch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihdkgll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oilmfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbnjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ablafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aikbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbachf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bipliajo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khifln32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2296	Jalaid32.exe
1600	Jlbefm32.exe
1060	Kblmcg32.exe
868	Khifln32.exe
4032	Kppnmk32.exe
4064	Kbnjig32.exe
912	Kemfeb32.exe
908	Kpbjbk32.exe
3320	Kcqgnfbe.exe
3996	Kikokq32.exe
2344	Kpdghkao.exe
1504	Kafcpc32.exe
2876	Kimlqp32.exe
2488	Kojdig32.exe
3176	Khbibm32.exe
4796	Lolaogdd.exe
4580	Lefika32.exe
2756	Llpahkcm.exe
1880	Lplmhj32.exe
4968	Lehfqqjn.exe
4472	Lclfjehh.exe
2668	Lekbfpgk.exe
3760	Llekcj32.exe
2396	Ljiklonb.exe
2236	Loeceeli.exe
400	Lhnhnk32.exe
5016	Mfbigo32.exe
1144	Mllaci32.exe
4040	Mojmpe32.exe
2976	Mbhilp32.exe
396	Mpjijhof.exe
4908	Mffbbomn.exe
220	Mlqjoiek.exe
5056	Mplfog32.exe
2680	Mbmcgpcb.exe
4624	Mhgkdj32.exe
5040	Mlcgdhch.exe
4992	Mbppmoap.exe
3512	Mfkkmn32.exe
3056	Nocpfc32.exe
2852	Nbblbo32.exe
4348	Nhldoifj.exe
2564	Nmgpoh32.exe
3776	Nbdiho32.exe
2008	Njkail32.exe
408	Nqeiefei.exe
1896	Nohiacld.exe
1456	Nfbanm32.exe
4704	Nmljjgkm.exe
4852	Nokfgbja.exe
4368	Nbibcnie.exe
2148	Nmofpgik.exe
1232	Nbkohn32.exe
2688	Njbgik32.exe
1932	Niegehno.exe
844	Oqlofeoa.exe
4440	Ofiholmi.exe
1368	Oihdkgll.exe
2664	Ooalga32.exe
5060	Obphcm32.exe
2960	Oijqpg32.exe
872	Omemqfbc.exe
4480	Obbeimaj.exe
1312	Ojimjjal.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lhnhnk32.exe	Loeceeli.exe
File created	C:\Windows\SysWOW64\Alocgfpg.dll	Mbhilp32.exe
File opened for modification	C:\Windows\SysWOW64\Ammlhbnh.exe	Ajoplgod.exe
File opened for modification	C:\Windows\SysWOW64\Bfocgfmn.exe	Apekklea.exe
File created	C:\Windows\SysWOW64\Mfickphb.dll	Bakmen32.exe
File created	C:\Windows\SysWOW64\Bpggpl32.exe	Bmikdq32.exe
File created	C:\Windows\SysWOW64\Qkjbpk32.dll	Cgolnd32.exe
File created	C:\Windows\SysWOW64\Pifple32.exe	Pfgdpj32.exe
File created	C:\Windows\SysWOW64\Djmbpkja.dll	Apndjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ajeemfil.exe	Afjjlg32.exe
File created	C:\Windows\SysWOW64\Lgekgpjm.dll	Bmbnjo32.exe
File created	C:\Windows\SysWOW64\Qjlcfgag.exe	Qmhbmc32.exe
File created	C:\Windows\SysWOW64\Ammlhbnh.exe	Ajoplgod.exe
File opened for modification	C:\Windows\SysWOW64\Dpofhiod.exe	Didnkogg.exe
File created	C:\Windows\SysWOW64\Fjpiapan.dll	Nfbanm32.exe
File created	C:\Windows\SysWOW64\Bdjlbfin.dll	Kikokq32.exe
File created	C:\Windows\SysWOW64\Ieokpbhe.dll	Nbkohn32.exe
File created	C:\Windows\SysWOW64\Ppbeno32.exe	Pihmae32.exe
File opened for modification	C:\Windows\SysWOW64\Ckoajb32.exe	Cgdeicjf.exe
File created	C:\Windows\SysWOW64\Kppnmk32.exe	Khifln32.exe
File opened for modification	C:\Windows\SysWOW64\Obphcm32.exe	Ooalga32.exe
File created	C:\Windows\SysWOW64\Lolaogdd.exe	Khbibm32.exe
File created	C:\Windows\SysWOW64\Fmpaaacg.dll	Llpahkcm.exe
File opened for modification	C:\Windows\SysWOW64\Afepahei.exe	Acgdelfe.exe
File opened for modification	C:\Windows\SysWOW64\Lclfjehh.exe	Lehfqqjn.exe
File created	C:\Windows\SysWOW64\Nhldoifj.exe	Nbblbo32.exe
File created	C:\Windows\SysWOW64\Cgbaak32.dll	Ojimjjal.exe
File created	C:\Windows\SysWOW64\Piccfe32.exe	Pfegjjck.exe
File created	C:\Windows\SysWOW64\Hmidnd32.dll	Cpjmmi32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjijhof.exe	Mbhilp32.exe
File created	C:\Windows\SysWOW64\Bjjohe32.exe	Bfocgfmn.exe
File created	C:\Windows\SysWOW64\Mhgkdj32.exe	Mbmcgpcb.exe
File created	C:\Windows\SysWOW64\Nmgpoh32.exe	Nhldoifj.exe
File created	C:\Windows\SysWOW64\Khchhjnf.dll	Nmofpgik.exe
File created	C:\Windows\SysWOW64\Pkcajdkd.dll	Kpbjbk32.exe
File created	C:\Windows\SysWOW64\Cmggeohk.exe	Cikkeppa.exe
File created	C:\Windows\SysWOW64\Jlbefm32.exe	Jalaid32.exe
File opened for modification	C:\Windows\SysWOW64\Kpdghkao.exe	Kikokq32.exe
File opened for modification	C:\Windows\SysWOW64\Khbibm32.exe	Kojdig32.exe
File created	C:\Windows\SysWOW64\Mllaci32.exe	Mfbigo32.exe
File created	C:\Windows\SysWOW64\Nbkohn32.exe	Nmofpgik.exe
File opened for modification	C:\Windows\SysWOW64\Qcdgom32.exe	Qpikonoo.exe
File opened for modification	C:\Windows\SysWOW64\Bipliajo.exe	Bfapmfkk.exe
File opened for modification	C:\Windows\SysWOW64\Pfegjjck.exe	Pcfknodh.exe
File created	C:\Windows\SysWOW64\Kikokq32.exe	Kcqgnfbe.exe
File created	C:\Windows\SysWOW64\Fiklig32.dll	Nqeiefei.exe
File created	C:\Windows\SysWOW64\Obaigm32.dll	Oihdkgll.exe
File created	C:\Windows\SysWOW64\Fbepla32.dll	Pifple32.exe
File opened for modification	C:\Windows\SysWOW64\Apndjm32.exe	Aidlmcdl.exe
File opened for modification	C:\Windows\SysWOW64\Kbnjig32.exe	Kppnmk32.exe
File opened for modification	C:\Windows\SysWOW64\Kemfeb32.exe	Kbnjig32.exe
File created	C:\Windows\SysWOW64\Necgdk32.dll	Mlcgdhch.exe
File created	C:\Windows\SysWOW64\Piagafda.exe	Ofbjdken.exe
File created	C:\Windows\SysWOW64\Ckhkic32.exe	Cbachf32.exe
File created	C:\Windows\SysWOW64\Bgeffkol.dll	Mplfog32.exe
File created	C:\Windows\SysWOW64\Nmofpgik.exe	Nbibcnie.exe
File opened for modification	C:\Windows\SysWOW64\Pbbnpj32.exe	Pmfegc32.exe
File created	C:\Windows\SysWOW64\Jkmplmef.dll	Afepahei.exe
File created	C:\Windows\SysWOW64\Lldllaon.dll	Bkcbnd32.exe
File opened for modification	C:\Windows\SysWOW64\Cdqpbi32.exe	Cpedajgo.exe
File created	C:\Windows\SysWOW64\Mmgqogpe.dll	Kppnmk32.exe
File created	C:\Windows\SysWOW64\Ngijllno.dll	Lekbfpgk.exe
File created	C:\Windows\SysWOW64\Oopadn32.dll	Obdbolog.exe
File created	C:\Windows\SysWOW64\Dghodc32.exe	Dpofhiod.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5140	6032	WerFault.exe	237

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbibcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckdin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjjfag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjohcdab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdjjaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdncliaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cikkeppa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifple32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcnaonnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgjbcebq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgolnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemfeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplmhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niegehno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obphcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpggpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpofhiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amaeca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bideda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcbnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgdelfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfocgfmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khifln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpahkcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piagafda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcihco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpikonoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpgqgjel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikokq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfbigo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obdbolog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipliajo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Didnkogg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nohiacld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmedbeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	152ab2e9a09dc76543b174cad908c0d3e95c07115787361f938c75882dbfdf8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opibhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dghodc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jalaid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnjig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbhilp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqlofeoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obbeimaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pamhmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjjohe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciioopad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kojdig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfbanm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhbbegj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcqgnfbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllaci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhgkdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmgpoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakmen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loeceeli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbjdken.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgdpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aapnip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpidfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Capgpnbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooalga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffbbomn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlcgdhch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmmiandi.dll"	Pmfegc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qiocbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdjjaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mffbbomn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmpaaacg.dll"	Llpahkcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmofpgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Appapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Capgpnbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edflan32.dll"	Cmidknfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajoplgod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idelqf32.dll"	Lefika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcgabk32.dll"	Lplmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeicpna.dll"	Lehfqqjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbmcgpcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giijoi32.dll"	Pcfknodh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfgdpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcqgnfbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kikokq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmggeohk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldfolkf.dll"	Kojdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lehfqqjn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofbjdken.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmcad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aidlmcdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmikdq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aigkcl32.dll"	Cdncliaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqpbc32.dll"	Mojmpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nocpfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfegjjck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppbeno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcnaonnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cooepb32.dll"	Pckdin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jalaid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcqgnfbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpgqgjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nikpidbp.dll"	Bbhqbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mojmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbppmoap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpedajgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcigff32.dll"	Bmikdq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbhjmlfg.dll"	Kblmcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kppnmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjmdlap.dll"	Mbmcgpcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfbanm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjllkfe.dll"	Omemqfbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdpddmnb.dll"	Qiocbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llpahkcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oilmfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acgdelfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baiqpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekbfpgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiklig32.dll"	Nqeiefei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obphcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmomhoc.dll"	Piagafda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lldllaon.dll"	Bkcbnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cikkeppa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nibimbeo.dll"	Lclfjehh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obphcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojimjjal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkkqf32.dll"	Pfegjjck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgefj32.dll"	Kemfeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfbigo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkiibe32.dll"	Cmggeohk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2296	2440	152ab2e9a09dc76543b174cad908c0d3e95c07115787361f938c75882dbfdf8a.exe	82
PID 2440 wrote to memory of 2296	2440	152ab2e9a09dc76543b174cad908c0d3e95c07115787361f938c75882dbfdf8a.exe	82
PID 2440 wrote to memory of 2296	2440	152ab2e9a09dc76543b174cad908c0d3e95c07115787361f938c75882dbfdf8a.exe	82
PID 2296 wrote to memory of 1600	2296	Jalaid32.exe	83
PID 2296 wrote to memory of 1600	2296	Jalaid32.exe	83
PID 2296 wrote to memory of 1600	2296	Jalaid32.exe	83
PID 1600 wrote to memory of 1060	1600	Jlbefm32.exe	84
PID 1600 wrote to memory of 1060	1600	Jlbefm32.exe	84
PID 1600 wrote to memory of 1060	1600	Jlbefm32.exe	84
PID 1060 wrote to memory of 868	1060	Kblmcg32.exe	85
PID 1060 wrote to memory of 868	1060	Kblmcg32.exe	85
PID 1060 wrote to memory of 868	1060	Kblmcg32.exe	85
PID 868 wrote to memory of 4032	868	Khifln32.exe	86
PID 868 wrote to memory of 4032	868	Khifln32.exe	86
PID 868 wrote to memory of 4032	868	Khifln32.exe	86
PID 4032 wrote to memory of 4064	4032	Kppnmk32.exe	87
PID 4032 wrote to memory of 4064	4032	Kppnmk32.exe	87
PID 4032 wrote to memory of 4064	4032	Kppnmk32.exe	87
PID 4064 wrote to memory of 912	4064	Kbnjig32.exe	88
PID 4064 wrote to memory of 912	4064	Kbnjig32.exe	88
PID 4064 wrote to memory of 912	4064	Kbnjig32.exe	88
PID 912 wrote to memory of 908	912	Kemfeb32.exe	89
PID 912 wrote to memory of 908	912	Kemfeb32.exe	89
PID 912 wrote to memory of 908	912	Kemfeb32.exe	89
PID 908 wrote to memory of 3320	908	Kpbjbk32.exe	90
PID 908 wrote to memory of 3320	908	Kpbjbk32.exe	90
PID 908 wrote to memory of 3320	908	Kpbjbk32.exe	90
PID 3320 wrote to memory of 3996	3320	Kcqgnfbe.exe	91
PID 3320 wrote to memory of 3996	3320	Kcqgnfbe.exe	91
PID 3320 wrote to memory of 3996	3320	Kcqgnfbe.exe	91
PID 3996 wrote to memory of 2344	3996	Kikokq32.exe	92
PID 3996 wrote to memory of 2344	3996	Kikokq32.exe	92
PID 3996 wrote to memory of 2344	3996	Kikokq32.exe	92
PID 2344 wrote to memory of 1504	2344	Kpdghkao.exe	93
PID 2344 wrote to memory of 1504	2344	Kpdghkao.exe	93
PID 2344 wrote to memory of 1504	2344	Kpdghkao.exe	93
PID 1504 wrote to memory of 2876	1504	Kafcpc32.exe	94
PID 1504 wrote to memory of 2876	1504	Kafcpc32.exe	94
PID 1504 wrote to memory of 2876	1504	Kafcpc32.exe	94
PID 2876 wrote to memory of 2488	2876	Kimlqp32.exe	95
PID 2876 wrote to memory of 2488	2876	Kimlqp32.exe	95
PID 2876 wrote to memory of 2488	2876	Kimlqp32.exe	95
PID 2488 wrote to memory of 3176	2488	Kojdig32.exe	96
PID 2488 wrote to memory of 3176	2488	Kojdig32.exe	96
PID 2488 wrote to memory of 3176	2488	Kojdig32.exe	96
PID 3176 wrote to memory of 4796	3176	Khbibm32.exe	97
PID 3176 wrote to memory of 4796	3176	Khbibm32.exe	97
PID 3176 wrote to memory of 4796	3176	Khbibm32.exe	97
PID 4796 wrote to memory of 4580	4796	Lolaogdd.exe	98
PID 4796 wrote to memory of 4580	4796	Lolaogdd.exe	98
PID 4796 wrote to memory of 4580	4796	Lolaogdd.exe	98
PID 4580 wrote to memory of 2756	4580	Lefika32.exe	99
PID 4580 wrote to memory of 2756	4580	Lefika32.exe	99
PID 4580 wrote to memory of 2756	4580	Lefika32.exe	99
PID 2756 wrote to memory of 1880	2756	Llpahkcm.exe	100
PID 2756 wrote to memory of 1880	2756	Llpahkcm.exe	100
PID 2756 wrote to memory of 1880	2756	Llpahkcm.exe	100
PID 1880 wrote to memory of 4968	1880	Lplmhj32.exe	101
PID 1880 wrote to memory of 4968	1880	Lplmhj32.exe	101
PID 1880 wrote to memory of 4968	1880	Lplmhj32.exe	101
PID 4968 wrote to memory of 4472	4968	Lehfqqjn.exe	102
PID 4968 wrote to memory of 4472	4968	Lehfqqjn.exe	102
PID 4968 wrote to memory of 4472	4968	Lehfqqjn.exe	102
PID 4472 wrote to memory of 2668	4472	Lclfjehh.exe	103

C:\Users\Admin\AppData\Local\Temp\152ab2e9a09dc76543b174cad908c0d3e95c07115787361f938c75882dbfdf8a.exe
"C:\Users\Admin\AppData\Local\Temp\152ab2e9a09dc76543b174cad908c0d3e95c07115787361f938c75882dbfdf8a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\Jalaid32.exe
  C:\Windows\system32\Jalaid32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\Jlbefm32.exe
    C:\Windows\system32\Jlbefm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\Kblmcg32.exe
      C:\Windows\system32\Kblmcg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\SysWOW64\Khifln32.exe
        
        C:\Windows\system32\Khifln32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\SysWOW64\Kppnmk32.exe
        
        C:\Windows\system32\Kppnmk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Kbnjig32.exe
        
        C:\Windows\system32\Kbnjig32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Kemfeb32.exe
        
        C:\Windows\system32\Kemfeb32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Kpbjbk32.exe
        
        C:\Windows\system32\Kpbjbk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Kcqgnfbe.exe
        
        C:\Windows\system32\Kcqgnfbe.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Kikokq32.exe
        
        C:\Windows\system32\Kikokq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Kpdghkao.exe
        
        C:\Windows\system32\Kpdghkao.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Kafcpc32.exe
        
        C:\Windows\system32\Kafcpc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Kimlqp32.exe
        
        C:\Windows\system32\Kimlqp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Kojdig32.exe
        
        C:\Windows\system32\Kojdig32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Khbibm32.exe
        
        C:\Windows\system32\Khbibm32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Lolaogdd.exe
        
        C:\Windows\system32\Lolaogdd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Lefika32.exe
        
        C:\Windows\system32\Lefika32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Llpahkcm.exe
        
        C:\Windows\system32\Llpahkcm.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Lplmhj32.exe
        
        C:\Windows\system32\Lplmhj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Lehfqqjn.exe
        
        C:\Windows\system32\Lehfqqjn.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Lclfjehh.exe
        
        C:\Windows\system32\Lclfjehh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Lekbfpgk.exe
        
        C:\Windows\system32\Lekbfpgk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Llekcj32.exe
        
        C:\Windows\system32\Llekcj32.exe
        24⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\Ljiklonb.exe
        
        C:\Windows\system32\Ljiklonb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Loeceeli.exe
        
        C:\Windows\system32\Loeceeli.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Lhnhnk32.exe
        
        C:\Windows\system32\Lhnhnk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Mfbigo32.exe
        
        C:\Windows\system32\Mfbigo32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Mllaci32.exe
        
        C:\Windows\system32\Mllaci32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\Mojmpe32.exe
        
        C:\Windows\system32\Mojmpe32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Mbhilp32.exe
        
        C:\Windows\system32\Mbhilp32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Mpjijhof.exe
        
        C:\Windows\system32\Mpjijhof.exe
        32⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Mffbbomn.exe
        
        C:\Windows\system32\Mffbbomn.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Mlqjoiek.exe
        
        C:\Windows\system32\Mlqjoiek.exe
        34⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Mplfog32.exe
        
        C:\Windows\system32\Mplfog32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Mbmcgpcb.exe
        
        C:\Windows\system32\Mbmcgpcb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Mhgkdj32.exe
        
        C:\Windows\system32\Mhgkdj32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Mlcgdhch.exe
        
        C:\Windows\system32\Mlcgdhch.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Mbppmoap.exe
        
        C:\Windows\system32\Mbppmoap.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Mfkkmn32.exe
        
        C:\Windows\system32\Mfkkmn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Nocpfc32.exe
        
        C:\Windows\system32\Nocpfc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Nbblbo32.exe
        
        C:\Windows\system32\Nbblbo32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Nhldoifj.exe
        
        C:\Windows\system32\Nhldoifj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Nmgpoh32.exe
        
        C:\Windows\system32\Nmgpoh32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Nbdiho32.exe
        
        C:\Windows\system32\Nbdiho32.exe
        45⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Njkail32.exe
        
        C:\Windows\system32\Njkail32.exe
        46⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Nqeiefei.exe
        
        C:\Windows\system32\Nqeiefei.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Nohiacld.exe
        
        C:\Windows\system32\Nohiacld.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\Nfbanm32.exe
        
        C:\Windows\system32\Nfbanm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Nmljjgkm.exe
        
        C:\Windows\system32\Nmljjgkm.exe
        50⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Nokfgbja.exe
        
        C:\Windows\system32\Nokfgbja.exe
        51⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Nbibcnie.exe
        
        C:\Windows\system32\Nbibcnie.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Nmofpgik.exe
        
        C:\Windows\system32\Nmofpgik.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Nbkohn32.exe
        
        C:\Windows\system32\Nbkohn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Njbgik32.exe
        
        C:\Windows\system32\Njbgik32.exe
        55⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Niegehno.exe
        
        C:\Windows\system32\Niegehno.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Oqlofeoa.exe
        
        C:\Windows\system32\Oqlofeoa.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Ofiholmi.exe
        
        C:\Windows\system32\Ofiholmi.exe
        58⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Oihdkgll.exe
        
        C:\Windows\system32\Oihdkgll.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Ooalga32.exe
        
        C:\Windows\system32\Ooalga32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Obphcm32.exe
        
        C:\Windows\system32\Obphcm32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Oijqpg32.exe
        
        C:\Windows\system32\Oijqpg32.exe
        62⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Omemqfbc.exe
        
        C:\Windows\system32\Omemqfbc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Obbeimaj.exe
        
        C:\Windows\system32\Obbeimaj.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Ojimjjal.exe
        
        C:\Windows\system32\Ojimjjal.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Oilmfg32.exe
        
        C:\Windows\system32\Oilmfg32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Opfebqpd.exe
        
        C:\Windows\system32\Opfebqpd.exe
        67⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Obdbolog.exe
        
        C:\Windows\system32\Obdbolog.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\Ojljpi32.exe
        
        C:\Windows\system32\Ojljpi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2444
        
        C:\Windows\SysWOW64\Opibhq32.exe
        
        C:\Windows\system32\Opibhq32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Ofbjdken.exe
        
        C:\Windows\system32\Ofbjdken.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Piagafda.exe
        
        C:\Windows\system32\Piagafda.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Pmmcad32.exe
        
        C:\Windows\system32\Pmmcad32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Pcfknodh.exe
        
        C:\Windows\system32\Pcfknodh.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Pfegjjck.exe
        
        C:\Windows\system32\Pfegjjck.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Piccfe32.exe
        
        C:\Windows\system32\Piccfe32.exe
        76⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Pcihco32.exe
        
        C:\Windows\system32\Pcihco32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\Pfgdpj32.exe
        
        C:\Windows\system32\Pfgdpj32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Pifple32.exe
        
        C:\Windows\system32\Pifple32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Pamhmb32.exe
        
        C:\Windows\system32\Pamhmb32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\Pckdin32.exe
        
        C:\Windows\system32\Pckdin32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Pihmae32.exe
        
        C:\Windows\system32\Pihmae32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Ppbeno32.exe
        
        C:\Windows\system32\Ppbeno32.exe
        83⤵
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Pcnaonnp.exe
        
        C:\Windows\system32\Pcnaonnp.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Pmfegc32.exe
        
        C:\Windows\system32\Pmfegc32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Pbbnpj32.exe
        
        C:\Windows\system32\Pbbnpj32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1812
        
        C:\Windows\SysWOW64\Qjjfag32.exe
        
        C:\Windows\system32\Qjjfag32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\Qmhbmc32.exe
        
        C:\Windows\system32\Qmhbmc32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Qjlcfgag.exe
        
        C:\Windows\system32\Qjlcfgag.exe
        89⤵
        
        PID:336
        
        C:\Windows\SysWOW64\Qiocbd32.exe
        
        C:\Windows\system32\Qiocbd32.exe
        90⤵
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Qpikonoo.exe
        
        C:\Windows\system32\Qpikonoo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Qcdgom32.exe
        
        C:\Windows\system32\Qcdgom32.exe
        92⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Ajoplgod.exe
        
        C:\Windows\system32\Ajoplgod.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Ammlhbnh.exe
        
        C:\Windows\system32\Ammlhbnh.exe
        94⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\Acgdelfe.exe
        
        C:\Windows\system32\Acgdelfe.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Afepahei.exe
        
        C:\Windows\system32\Afepahei.exe
        96⤵
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Aidlmcdl.exe
        
        C:\Windows\system32\Aidlmcdl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Apndjm32.exe
        
        C:\Windows\system32\Apndjm32.exe
        98⤵
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Ablafi32.exe
        
        C:\Windows\system32\Ablafi32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3316
        
        C:\Windows\SysWOW64\Afhmggcf.exe
        
        C:\Windows\system32\Afhmggcf.exe
        100⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Amaeca32.exe
        
        C:\Windows\system32\Amaeca32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Appapm32.exe
        
        C:\Windows\system32\Appapm32.exe
        102⤵
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Afjjlg32.exe
        
        C:\Windows\system32\Afjjlg32.exe
        103⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Afjjlg32.exe
        
        C:\Windows\system32\Afjjlg32.exe
        104⤵
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Ajeemfil.exe
        
        C:\Windows\system32\Ajeemfil.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:624
        
        C:\Windows\SysWOW64\Aapnip32.exe
        
        C:\Windows\system32\Aapnip32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Adnjek32.exe
        
        C:\Windows\system32\Adnjek32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1440
        
        C:\Windows\SysWOW64\Ajhbbegj.exe
        
        C:\Windows\system32\Ajhbbegj.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\Aikbnb32.exe
        
        C:\Windows\system32\Aikbnb32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3856
        
        C:\Windows\SysWOW64\Apekklea.exe
        
        C:\Windows\system32\Apekklea.exe
        110⤵
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Bfocgfmn.exe
        
        C:\Windows\system32\Bfocgfmn.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Bjjohe32.exe
        
        C:\Windows\system32\Bjjohe32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\Bmikdq32.exe
        
        C:\Windows\system32\Bmikdq32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Bpggpl32.exe
        
        C:\Windows\system32\Bpggpl32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Bfapmfkk.exe
        
        C:\Windows\system32\Bfapmfkk.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Bipliajo.exe
        
        C:\Windows\system32\Bipliajo.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\Bpidfl32.exe
        
        C:\Windows\system32\Bpidfl32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Bbhqbg32.exe
        
        C:\Windows\system32\Bbhqbg32.exe
        118⤵
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Bjohcdab.exe
        
        C:\Windows\system32\Bjohcdab.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Baiqpo32.exe
        
        C:\Windows\system32\Baiqpo32.exe
        120⤵
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Bplakkoi.exe
        
        C:\Windows\system32\Bplakkoi.exe
        121⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Bbjmggnm.exe
        
        C:\Windows\system32\Bbjmggnm.exe
        122⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Bideda32.exe
        
        C:\Windows\system32\Bideda32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Bakmen32.exe
        
        C:\Windows\system32\Bakmen32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Bdjjaj32.exe
        
        C:\Windows\system32\Bdjjaj32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Bkcbnd32.exe
        
        C:\Windows\system32\Bkcbnd32.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Bmbnjo32.exe
        
        C:\Windows\system32\Bmbnjo32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Bpqjfk32.exe
        
        C:\Windows\system32\Bpqjfk32.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Bdlfgicm.exe
        
        C:\Windows\system32\Bdlfgicm.exe
        129⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Cgjbcebq.exe
        
        C:\Windows\system32\Cgjbcebq.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Ciioopad.exe
        
        C:\Windows\system32\Ciioopad.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Capgpnbf.exe
        
        C:\Windows\system32\Capgpnbf.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Cdncliaj.exe
        
        C:\Windows\system32\Cdncliaj.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Cbachf32.exe
        
        C:\Windows\system32\Cbachf32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Ckhkic32.exe
        
        C:\Windows\system32\Ckhkic32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Cikkeppa.exe
        
        C:\Windows\system32\Cikkeppa.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Cmggeohk.exe
        
        C:\Windows\system32\Cmggeohk.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Cpedajgo.exe
        
        C:\Windows\system32\Cpedajgo.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Cdqpbi32.exe
        
        C:\Windows\system32\Cdqpbi32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Cgolnd32.exe
        
        C:\Windows\system32\Cgolnd32.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Ckkhocgd.exe
        
        C:\Windows\system32\Ckkhocgd.exe
        141⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Cmidknfh.exe
        
        C:\Windows\system32\Cmidknfh.exe
        142⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Cpgqgjel.exe
        
        C:\Windows\system32\Cpgqgjel.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Ccfmcedp.exe
        
        C:\Windows\system32\Ccfmcedp.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Ckmedbeb.exe
        
        C:\Windows\system32\Ckmedbeb.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Cpjmmi32.exe
        
        C:\Windows\system32\Cpjmmi32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Cgdeicjf.exe
        
        C:\Windows\system32\Cgdeicjf.exe
        147⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Ckoajb32.exe
        
        C:\Windows\system32\Ckoajb32.exe
        148⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Cpljbi32.exe
        
        C:\Windows\system32\Cpljbi32.exe
        149⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Didnkogg.exe
        
        C:\Windows\system32\Didnkogg.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Dpofhiod.exe
        
        C:\Windows\system32\Dpofhiod.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Dghodc32.exe
        
        C:\Windows\system32\Dghodc32.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Dnbgamnm.exe
        
        C:\Windows\system32\Dnbgamnm.exe
        153⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 232
        154⤵
        Program crash
        
        PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6032 -ip 6032
1⤵
PID:6120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afepahei.exe

Filesize
96KB

MD5
f85b6ca30fb539dfa0a8235d6ce9722b

SHA1
f63008cda3edb63220521a8acc3a2f00c71bc41a

SHA256
d095fd3a769d43ade0f693af46e90bc7531555216002a2605e2548e0e9ea4f74

SHA512
7e8c62f3d8c7b54d1ba6cfedada8e425b1189ed7a6a38ea1c305ebad09bf4d47736b7e16044c4bfbbd6d4e5420eec6e1f2345c14d7edb6e4173768a70cfeed1b

Download Submit
C:\Windows\SysWOW64\Aidlmcdl.exe

Filesize
96KB

MD5
154be040945cb61fbbd5fb156849624c

SHA1
d418094de7e84f3189c9a7a6fe4dabf4c3a50807

SHA256
c6c4e51b700ff1ac349a5e49ec95489424def6b7d516268168d158680410a0e4

SHA512
27fc846f649a73190c2d2aa9dc092d33732eb47335bb63ebc0115ee7bdc4f7887c4b94446e48b552d1d93a48f0d1e6d363bb76eecd2b28a2ecdf18d684131f57

Download Submit
C:\Windows\SysWOW64\Ajhbbegj.exe

Filesize
96KB

MD5
678e50f940c94924a68e6b05cc115359

SHA1
eef49f562c3fceed9d5c657fc2f2f18d59d49552

SHA256
a1825c87e3aca771f588acf708a72f6102d8f9a242a6b2a0cd9d1fac661633ce

SHA512
81eeafc2c460902ab9aabfd7c4d4cd07bdfdf2937e35140253d26bb0d83af9fd705470e9e93b9c91ed72c7e54a1407d00c263ff13458e0093e441c69921a9fb3

Download Submit
C:\Windows\SysWOW64\Apekklea.exe

Filesize
96KB

MD5
d611c762b51abb0b043cb5c59fa43c88

SHA1
6fcb7fa924c03cdfd3a24969152d0a6149c7c7e7

SHA256
701ccddbef2eda810a13a6b5bbed5655bd925ab950e1d7dddfd0d50e26672839

SHA512
e082586dde134cbaf7d96368f41696e949924b3b97671fb930da63b54505d8dfaca60e32cb81504647b310c1c02a7ea182d7edd27eaed4bec967740b684376b0

Download Submit
C:\Windows\SysWOW64\Appapm32.exe

Filesize
96KB

MD5
c897e3e824c642ec3c55a29dea756113

SHA1
d28876f87d04a42a471735f55db25027f718e976

SHA256
5bef6032c9ae069e87eca20000c07d6c3812d905d3f1b735b3744db0f3ccfaeb

SHA512
aa99c971b0eb9bc0b35721b8c70f3a030d20e8bb0ffcef4f22b8ba41a8c0c0e5ba73471984d9366b26ad346311c67aa7fbaf9ada98b015f56742004e306b45ac

Download Submit
C:\Windows\SysWOW64\Bfapmfkk.exe

Filesize
96KB

MD5
65ef28798c311f6ff94c4944185d5e46

SHA1
6a0b6bec5f79a97b35fe4d719f45e2f24811bcf3

SHA256
3dfe2b6e4277424ec8b32bd1cdaa630691b6df11a31f30140bc6f01029126166

SHA512
bdaa1253f1ba8ae5a5b187b418ae01bd2f91bce5829eb621b43334e3aecfb66f62841e4e9f44c29941c1f099b83391d830e914bc57921839c14a13045522f007

Download Submit
C:\Windows\SysWOW64\Bideda32.exe

Filesize
96KB

MD5
7fe58fc187578e44bc2e5ad543151ada

SHA1
b075aae5c5eb9aced15e814225875068f97ccbb4

SHA256
0b2cd9664748db8c05fa61c4c76729bc61a0af32ff8e4583ca92b63829b32799

SHA512
535c789bcf37ce4c64522b6eb4bfaf4025412cf061809e662f084540326b56d15c81e859cc0b539610cbd7e8c9c64679dbd2ec28a75d9a14644dfad8457cf5fc

Download Submit
C:\Windows\SysWOW64\Bjohcdab.exe

Filesize
96KB

MD5
3209398d551100ad63f4afb215ff10cb

SHA1
c153195b55533293bb6f3f5a3e8971cf9a85ebc9

SHA256
68b198317d85fab7723c576e4451707731a5a57bb26a929c62face72758d7464

SHA512
1947ab5fa409584f12c042314b23a672bea5da944fd79a6b09845c59260131acad57c7c10851df0a33bdcdc59f20da5abca170aee1c819997dd137473477de59

Download Submit
C:\Windows\SysWOW64\Didnkogg.exe

Filesize
96KB

MD5
8d67419e99a7892a56af47ada36ea0a5

SHA1
5452c94e4e20dd16523a415cf9a5b1dd75caac0b

SHA256
e81fa6b3eb8436218115eccaccc42e79539a6d091596f53fde3a578b4ab00ff6

SHA512
072f29f4eae474c7f228dbe09e2b8d6336846326f6f75cde87b342d9fcfddf84e31981685d6a19268470a43c58e8f01e2697248861c8965c40cd983d83930c16

Download Submit
C:\Windows\SysWOW64\Jalaid32.exe

Filesize
96KB

MD5
6185ba1e60e2f01bda185481d6a0ca9d

SHA1
98f98b6e06d4fc0397b0f382cbe4ce181f6d1d3a

SHA256
8f23a0ae90a0514fddd507334c7925a6e13f22d0f78193316bbe0d03fedd882a

SHA512
63fb55595702ccb88fa7cd66032d2db93a1f5604d63d2ecd77c17e6a599c300e66e432e754ec1200478f7c74c96cb3f1c918b901f17dd998e791a5099989715f

Download Submit
C:\Windows\SysWOW64\Jlbefm32.exe

Filesize
96KB

MD5
1c57a6fd5444c1310cea053fc2d84293

SHA1
fe859991b0abe6cacd4b266627c9533432f75897

SHA256
fe058b6116a6d96274982442fad14b3b96ca06679ec4dd4ec2fe5657ea8d99e0

SHA512
e43bb06c40046d7784e41f5ca622428964fa8ba59c56645e0a1a3b25643b481dc6eb0e8158e4242d6c0191c14a0e81a3b3114e153dcd5415a3f3f858a754d5d0

Download Submit
C:\Windows\SysWOW64\Kafcpc32.exe

Filesize
96KB

MD5
16fe51a6d4c21c2fc0a310406a10e94c

SHA1
f62779755e4971519b0a124aa77f135bb0c1ae36

SHA256
281dc9e294530629453c421f1dc284fa3f1ff568a5cd050829d98a283885d51c

SHA512
534d924011f4b46ee5db05291bb79af1c3d8ff5e00903fe2f1d37f79881398b845b8904025ea04c8b870f321cd1affbc4cb80685aebbd045fc16128a963cc558

Download Submit
C:\Windows\SysWOW64\Kblmcg32.exe

Filesize
96KB

MD5
a8b09db80312837474aa8b3ea7da0302

SHA1
f8b090c7d286d61f98201ba1907fe0fc8de2a4a0

SHA256
fe3b2ed434aaff2b402cb991a9930afe86b2db2aa5bd60ddc5639ef46cf41839

SHA512
103d268b5c4d7f7787f2de6ce964a2d02ba12a5e1488c1d8fce858b2ab09afa2f014d3cdbe2427df1658c53af68aec49121982ee0d86080a2ecfdcb5547ab8b1

Download Submit
C:\Windows\SysWOW64\Kbnjig32.exe

Filesize
96KB

MD5
42d5ba9ab590aaab3fcf51dd4723b11f

SHA1
10659550c9997ef02603c77c7d04012aa1d90347

SHA256
d965f0e073d5bf1df13e3d3d55591ac698bbc83bde3645e6f852eb42e376db51

SHA512
b4cc4f5f630c598239ed428d14df760a7141ea1797a13e878e0acba8b9074157e04e440b2a03a7d8caf8fab42ccccb552d9f35223f123fcecdad77b2b33239c4

Download Submit
C:\Windows\SysWOW64\Kcqgnfbe.exe

Filesize
96KB

MD5
61d330a584858ce72ef248c8d5bd9c00

SHA1
1d4caf25d20492ef2d4b787507874a7f1cc1a58c

SHA256
72780659ab9590cb1ff5a7d93be1936b2703794ed10bb67d2f950fe2481973d5

SHA512
dfc4f723988e433c24dfdf2eb4b15b7f4db27627020acda14141caee5d7f702a45ab352cfb831f6c922d1a4fa8107950c31d1d2fb9a10fb59f1cda8e3d470a70

Download Submit
C:\Windows\SysWOW64\Kemfeb32.exe

Filesize
96KB

MD5
e372004eae10a82dd40e7a410c08dfda

SHA1
f65536ac36d59833c525710927dc602f97ab1930

SHA256
d75d232cff615b450c6974971c88a9f7e5cf03bca453ff67ca200bed5b7ab416

SHA512
5073e4193b4fbc9aab492ec27b0bbb635d345f95c342a5cfbe80d6b5640913e1a4d453bbe514b07c619b1e598cb1988594fb6ede2db363505b6d3126cb649459

Download Submit
C:\Windows\SysWOW64\Khbibm32.exe

Filesize
96KB

MD5
e16868fb996c2b96124f64f91e9b22a6

SHA1
5e253da3c490134fadffd6b879b24db5b9790880

SHA256
e7a4851b2e2f4962e0670240f1e21b27dcc96270a4b198786af38d89dea02231

SHA512
b6e146f3dbdc441d1ab34e58de3c20a4a5c206df16f79930edf9e4032ad02414478fe95c7dcf873bee023181396754ba2583198ccc7b4c1da4f7d1ea1e70766a

Download Submit
C:\Windows\SysWOW64\Khifln32.exe

Filesize
96KB

MD5
c059810dbf503a3be44fd20b94e943ce

SHA1
aa796a7b179a2a2ea208f5f25b5e57cb1100e5fa

SHA256
a72925a44baa3f1858df71b0b5218e6c62cfdaadc1decb7ad2ada2339917a778

SHA512
947649524b4821fac14f0cf27c3fa816bb62f4e35a48b7c11ca5bc2154ed55d714436f02f085fa8d48514004b29f933852cd862b43d2cbc8c3d661e1ee0e6865

Download Submit
C:\Windows\SysWOW64\Kikokq32.exe

Filesize
96KB

MD5
9796f5a33e9c2a37af4491c8cb87907e

SHA1
66a98da0652aa031501e8ee9cabaeef7e8124cb1

SHA256
683976f51d94b4788e692e0f3e7414653131cd81408a8c8b2acf53e07cbd1006

SHA512
e38b827a68931c97abb3e793c07f6a5d0a92270a1acf85b9d23d0e9543397695fc18768b7347a5f7975f504d2334ed54bb5dcc9de8f3463f4ab866756b1cdf75

Download Submit
C:\Windows\SysWOW64\Kimlqp32.exe

Filesize
96KB

MD5
16918aa31b559343dfb4611df9f17d45

SHA1
b64e6ef3f8e1e6b8035a5edb54694a8e95dbfeee

SHA256
5d92175367545151bf49315ff4a63a988fff1f2729142e6dd767761bf8645d16

SHA512
7d029edc8cea1c59b3b22d041fec365ca8fdb41ac3d5190b26ca456fb5aa5e5ff50549e203553ad44141b11d55b639fc3f550e8a764672a3774bf1be60e6a7dc

Download Submit
C:\Windows\SysWOW64\Kojdig32.exe

Filesize
96KB

MD5
1dc46e2faaee644acae77f743c8c2d27

SHA1
99c603aea99b6e16a1670bf7cb71cdf101960c22

SHA256
38f2c67dbbcce849cb2e8825ade90dae0c2fa5194eb8fb2b69a75d783fd98ff6

SHA512
058632cf733566169598c5aec391e88b0e24b94adf770c15bec87b60a8cc32bca993b4fb17825912f6582fffeee53f514c204503080750b61adfec4785788957

Download Submit
C:\Windows\SysWOW64\Kpbjbk32.exe

Filesize
96KB

MD5
6af714727f839bc29df8323ac92a0d1b

SHA1
032520919ae21344d2eaf28143416a3329baa2a2

SHA256
af7631b5711214afa7e12d2eee69d92d21d6d262fa92d90dfbb2b36c02dfd4d9

SHA512
0aeec035b86f0e3040cc86c12b41d92b65cb7527b19ac02e22bd27ea6ab48c564fd8a6855dd2f08e8468ec26a0a6866398e45511c3a446456506743e31aa0e09

Download Submit
C:\Windows\SysWOW64\Kpdghkao.exe

Filesize
96KB

MD5
e5938dad7a90554793ff14dd872da588

SHA1
75fae475c33b390cc1f679f56993247491e69528

SHA256
d34dfcabcff4bb9d5f7d24f38bae097d1796ebda480c64440f6c831b6bc2f3d8

SHA512
baafc11ea2ed214960c0aaf28393806277f2f1f38067b8135ae4af2da27bfd4011b923b1a20228b50dd7db96e6fb031836790f2fa175e2c7754c053df04ad192

Download Submit
C:\Windows\SysWOW64\Kppnmk32.exe

Filesize
96KB

MD5
1db828606a1efc73508d1dea374edfa6

SHA1
357288b222a8fa527d899a0011d4854921af8443

SHA256
07daec2e719b62eb72707d649d2bfba8ee811b018a7e1a4ac3e61b61c0859fac

SHA512
52da47908685598eff0d7fdb08e776e3749e04d957165314d689f1dd017323757cfa074ff6c270d7b13de805a57e5c48df59e9119ab125cd4df2c47d74106ff6

Download Submit
C:\Windows\SysWOW64\Lclfjehh.exe

Filesize
96KB

MD5
50dc8eaed888bdacd110efa5e54df13f

SHA1
221a65e8aed8e1077d5305f87e65d4cdde405384

SHA256
8df376c924244b8102784763c5fb6064704409478ad9429dbd9629647ded1a9d

SHA512
e5a2b73ef96ba0af1a109ea1838cd960239ed451eaa7ae69891410f1bb50a8cff2163e21c95f6a9ab98d4b7e7a36b324ebeaee08de5a010bb2ae15b995cfa181

Download Submit
C:\Windows\SysWOW64\Lefika32.exe

Filesize
96KB

MD5
88529b6968b820773c21d2955a35ca73

SHA1
2e16746dbd71fac4b3df61b22472f947f8905c0d

SHA256
77acba22d5f535d6beeccd2788595460b84b650808618438e0eae8956ad99d28

SHA512
329d7ab9b95f67d7f663a84942213ccfb3bc48a11407d9190bea7a91698cae6167d3d45feaccf8dd4d188e9fe4f0144c4f8dbc229dd72ee7808ad3f001ace538

Download Submit
C:\Windows\SysWOW64\Lehfqqjn.exe

Filesize
96KB

MD5
e7282b61ad3bb6b510384218ade905de

SHA1
e0d070bbd16c73f1eac99ed9a9ac314ec2a0b0ba

SHA256
5959ba315820b9dc035cbbd95ca8830c517194ec444f383bd486c0adae7dc7d8

SHA512
3e032e55aef25fea956b516ba23003ba008fbed6b3331b6bf4677b407ceab775698f9b710962c5df2968a3c6a1ec92a6926d45ef3977812bf8563bc131c67aa8

Download Submit
C:\Windows\SysWOW64\Lekbfpgk.exe

Filesize
96KB

MD5
1ecd6cd3f069ceefd675f188fc918989

SHA1
5f8dce77baa584c566c1d74f876d4809a7fc7c9c

SHA256
e7c60b62010f5749f6fb57aaf59a47f2bb980039c2ba8fa9346e8e4a5c348cef

SHA512
05024985e0f109038e3df610a9025870fbf8e5da5688782e043b9c43325d33368ebe81274c1db71298ea8a845f2b4bbe30aecf796991a9c2974eb6e86c0a2253

Download Submit
C:\Windows\SysWOW64\Lhnhnk32.exe

Filesize
96KB

MD5
c0a6d364857bd90ba833a235fc3fadd0

SHA1
ebc95e2605addfff2d0dc3a40713ee1e4333f712

SHA256
bacd5ce0c557b24d93b5ff73e688f1026e887953fe2a918a0ebe80886f945926

SHA512
56a6990ad0fd7cf4f7ad04ea7de9cabb7dd136e783ba87d685767bdc68513615f103b27b02a028aa798bfcf777ac14b305c2c845b7763599c42adc51f639f133

Download Submit
C:\Windows\SysWOW64\Ljiklonb.exe

Filesize
96KB

MD5
57d82b9f5b7e8a87fac31df9f373f90f

SHA1
538066f93dad8563d6be98cfa753a9763ba1a802

SHA256
f8b867bc45a957e4cd04254aed60f6cbc640e0491538425dbff2e826d146cd2b

SHA512
e54a849e4f037025f8b9a33933e60c2dab9acc8ab4155bc4f1a0de10e5b83559cdcc3e548213ab07d86a1ffa6e5c3cc3f2d4cff5d9446f5676a29f9c7e95f535

Download Submit
C:\Windows\SysWOW64\Llekcj32.exe

Filesize
96KB

MD5
9481fd5b8f5368b2ba9399f6b86d8e85

SHA1
56a0ef7833a7330bb1ea237162c2749bc30eb487

SHA256
fb34ebd0bd75c5593c32692e1b32133d2a50f4a9df5a1ed7107d29cffd2037d6

SHA512
eb72c469c19bb278296bb6829fcab60d1c8b3e255eec194d0ceddcb31b460521865a94b7154f9b9ad3ab4237012a5532ed5d7eff8dbf6a1a9a9b11048dcb8875

Download Submit
C:\Windows\SysWOW64\Llpahkcm.exe

Filesize
96KB

MD5
101e4c1f43b6e5457d71113bf7155c57

SHA1
3bfb50814a7796a018b7feca5a08a6392364e485

SHA256
f1042fca976de2026d7430d54a70e5b36f8cdab0b695a335facbc4c42997fe0c

SHA512
0cc8a3e24e50a8814f99f8f0b197f2c58351308c91d8e3482d856b3f4fc4432445df354ac79351ea26249c5f80a6dc4aafaecb331cb38238df2b96722759d0b6

Download Submit
C:\Windows\SysWOW64\Loeceeli.exe

Filesize
96KB

MD5
23d54d68941cfe7ab257b677927f4c24

SHA1
09573ccf6db7acb32efbe9badc5e4880804f5d43

SHA256
838299cc2908ebff0a7b3398da270260d6211eea20428a60f1ac9ec0fca46dbb

SHA512
56bc4711784fba01fb7c0fe8f1327c1557aeadc4ef5558c8eab596ea347052bd3aa6c01218ba79c8b8142665a3aba625af62faf4643d22bb65e6f203e00aa8e1

Download Submit
C:\Windows\SysWOW64\Lolaogdd.exe

Filesize
96KB

MD5
561844da40ae530c9a1d686e93759e4c

SHA1
351459c94385cba9dc40b4346908c2b8560ca395

SHA256
b53aff2f1810f999aad7e923685db9a77515a5ccfdb9394d0f4932849ab45855

SHA512
973a006324218b0789441fec81aaddd7c7c514e714b33b886927936d4c9fd6194b2a10025d4b1357fcc39f48450e510165c756e7baaa27ac45e37bf2bf124ea0

Download Submit
C:\Windows\SysWOW64\Lplmhj32.exe

Filesize
96KB

MD5
5108e1a7fc428a1e72f86c9189309f31

SHA1
373cb7d51b8ebcf32b4230eadf74bdf291677ad5

SHA256
454c526e7efc6d638c6401d4ae7c4c30f7cea381202ef493924aef8c3193e979

SHA512
a3bd55c134abeec6d3a147239c434f0c8d03a3070ed7bf6c2e80ea170b8a675889b3880f8da12b7361304e01e621d6737d2bf8b4d729e0c9f22b9a5deb397fa1

Download Submit
C:\Windows\SysWOW64\Mbhilp32.exe

Filesize
96KB

MD5
5658f4c5520e4728c936a237d0564234

SHA1
36122df7d229f9154c2d83858242029c0ef5f578

SHA256
49ec07a62ea00d1e4afb7eeaf2f1fc64e840a59d16616d61212f849bb2319b76

SHA512
75ddddf4c7fbcccae825a3c72f55e82f354f07d84aef2eb5074fee705958edbae745516d3adfc0982087890988c9ef6699ada1d32f43f0319afa969dce591af8

Download Submit
C:\Windows\SysWOW64\Mbmcgpcb.exe

Filesize
96KB

MD5
6495f2974578043670da490e9c18992e

SHA1
b7e09847ab0068a077fa690bef501759cbc5b6af

SHA256
e23d477e01b336311967e6586dad86eb947db79b0dfdc267ed9df583cb41bec8

SHA512
3ffd0f88efa1d43ce193060ce77c7e0b3f4718811ce1ee66fe39dcce285368a0e838ed22abc5b1a5ea2083fd15a359420d57517de5a3940c391847d182bf0bd7

Download Submit
C:\Windows\SysWOW64\Mfbigo32.exe

Filesize
96KB

MD5
b7d5467e98c58cab71a9a768c41732e8

SHA1
9c477d158d44f91f7d603cf0729981ab40372ddd

SHA256
69a73bc46a02840af7092f957da2690ce482b2ff238382d8038806ac8378617d

SHA512
c02d730cc3f6cae9b49c4763ad5e615414e5485e6ff903df6d5a2c3dffc2cfd3bb73ed4dc59f4c2064bb2ab7c93dea8cbf14387cda58e5a3aac3e2d188c7e0f8

Download Submit
C:\Windows\SysWOW64\Mffbbomn.exe

Filesize
96KB

MD5
51efbc3f264a24c6610736418c02603c

SHA1
5f5c09e84313e03472c50a360cfdc459d5e354e3

SHA256
0fec9483d344e57aa5dbc43ed8c8155cf8e478cf34e8dc6703f45655c890792f

SHA512
04dea8222079cc5e7ea4529b10bdf22ffe889c694e3261b6d9a0f082e3f6ea36f913744e4493b25f56d38f284f39c5b5cd4291803f0f7e712e045bb83abcc4b4

Download Submit
C:\Windows\SysWOW64\Mfkkmn32.exe

Filesize
96KB

MD5
47cb574406a6d37ec22cf114f4e7bd69

SHA1
c636e39aeda78a09e9a41b1129a8003fbcc195e7

SHA256
f908dca94061d51dc3bb4e71795718c0fc5532964c69be2a1cd0f15cbc3300a7

SHA512
26866b660e02f7d2a93f161fea188fc0aad9767d5d831f5e514568df49ff2ef41e5a92e6715ea351614f347ef0040fe623d3a7b5bcef47c92ae25f1bfce505b1

Download Submit
C:\Windows\SysWOW64\Mllaci32.exe

Filesize
96KB

MD5
61e7d5fa07fe91666926b8f44c64e0f7

SHA1
ee5124bb5c005dbbeed20e5f4a30bbcaf94f6052

SHA256
2090c4dcb5924d38c3d0759066ef312c023fb4b82c13223a27faf3cb3d78ecae

SHA512
0ad2972ee7517eecd8c0d628b82c205c109933c6a6b4e050b4ec754ec9d57c9997e31ecadfa87dde52d8887618d1efcb10f5a5235bd9bb2d50706369ffd23f17

Download Submit
C:\Windows\SysWOW64\Mojmpe32.exe

Filesize
96KB

MD5
e4060102ee974391b253962b9ea234f3

SHA1
e8ba832e953f5c35775726bffb197abfe7115362

SHA256
127a2d48c681896d9dc6b690144e555eea58d95e1fb6f74a24b6e926bcb7eb54

SHA512
b22b5ba88664e717000c4896c2b7f19b57d5e03c55342272d7c5fa65c3faecddf73e47173a33746f86f57132ae389c273c3eb253dbb2e18c8499680072300f51

Download Submit
C:\Windows\SysWOW64\Mpjijhof.exe

Filesize
96KB

MD5
a6f88c46e40a5f1cadb7a52335bb0141

SHA1
a1294c0a01bbf67a9e25a3110043698c127001ee

SHA256
5be61929ad97a5b9b7a6d8c57efa7b021b7bfb61bf9066eb3e93a8b67602fece

SHA512
da7933d08f0862524af1972de5f98402801749f4e53a553130e3a04d2b100e3070502b8a6cb6934932de7ed1d6dbc21c0565523efb1a9e580758329f28fa6182

Download Submit
C:\Windows\SysWOW64\Nbblbo32.exe

Filesize
96KB

MD5
ff28b36706b7e5fcaaeaee14dac9dc51

SHA1
6593d59f68238cd8fc4fc6ff2da0adc600cf07c3

SHA256
6deced7f98200395f7b933f8653995ab739e1ef6210d5c3e326bb5f7d4413208

SHA512
61982b8693d4407642084271f0cd7489d8b496fa571aadda7d1aefad1ae39053b8321e746bb03cbdf00097dd206d86a1ee2244f8bcaf00f6d72317e5168486b1

Download Submit
C:\Windows\SysWOW64\Nmljjgkm.exe

Filesize
96KB

MD5
c91827371de4e921206b2d8d7ffc5d2c

SHA1
05677e93259b075b71701f23cdf54af6ef985f66

SHA256
d87223d5667ddd49a0c42eb62724327e9bb0a395ee788e907734c749d4c94204

SHA512
25831163dd520233ec7f84cf11f00ed2f3d564c2abeeb0c4c73134f4e14586e7390dc5552a6a60886ad2633edc355debc390b5c5c4f3476aed5b58b0b468c1f5

Download Submit
C:\Windows\SysWOW64\Nmofpgik.exe

Filesize
96KB

MD5
743d9e0f8a4bdba86c0d7d7227c87265

SHA1
0bc836de77466855125909586f9c816d74d290fb

SHA256
8ac06d3be9bba51188e696ba8587f7348e96ddbe40a9e4aecb64a1fbde672382

SHA512
a845579b36ffc676fca0bd2ecf4329cb84c56035e78653b6f55cb96639b53f2aaa1e04b3d05c6325965d53639466ec8286333dd9e0ae0d296a01a3d00d147b99

Download Submit
C:\Windows\SysWOW64\Nqeiefei.exe

Filesize
96KB

MD5
fc75bd1d8da6bb4adf697183d0b6f44e

SHA1
6e07b7d195d42b47c89875d80a09046a155c0f81

SHA256
ab29f16f30cd6ef90854b886fd5282d6d4748bff1ee453c3df0294ba43463f7f

SHA512
ea6c4aa3c21c596e43bbee2ff5c42f84e6a098a4e953c80967037f4f713739030636d7e8682765be961012ef0c25dedb49babb822c36b89af8816095a9949bc2

Download Submit
C:\Windows\SysWOW64\Ojljpi32.exe

Filesize
96KB

MD5
a7a26181d6ebaa3ed05ebdc7e69e17cf

SHA1
7b9685ab9c0dea43aaacb4cd0e2f730a24d64c8d

SHA256
ab65167e580ecbe0ec07340e10049dcfc1a9ec08ed1e0d299022db19ef27cc66

SHA512
49d3cd7616011ed0631ef936766aa15f3565c01ee2d61a3a2386163ad1aaba83138a84cd53cd037de09ce4e57c79f798edc4591c074b5bedf84b83a5ee8578f0

Download Submit
C:\Windows\SysWOW64\Ooalga32.exe

Filesize
96KB

MD5
8e3659aceb118b187f9460bcbeed8cf1

SHA1
eee0e2f3808b56c2b7521c53b2c889518aeff75a

SHA256
8004611c7be50258d68f1e2ac762a3ed2cc33235b3b8e3d0648cbac745cc4bff

SHA512
bc9294b4a6c5cdd7257ba76c585bdbc15e9f0ec6b83c3ba763e7b1c50777dbe8075dd4e91144ca9e08f8802521e599026d9fddf011e264ed5fac1f020f6a2749

Download Submit
C:\Windows\SysWOW64\Pfegjjck.exe

Filesize
96KB

MD5
016cb41e9646d4efa9a480ce0a7c7ca3

SHA1
b41313a76ac563468dc497306fddf1aa6b531fa1

SHA256
1843ce5910f3c8bd2e50ad53b962f5c489e3c7529e4c94cc0b4fc37eb06f6289

SHA512
285424ab639fc0b3b850481d1636c202efd84996bb04ea8e3d145bac604a8cae6ea3101911ce42ca90c2335eb5a4dd3a861252f55cfb5c1d3475ca12eb7eb0c2

Download Submit
C:\Windows\SysWOW64\Pihmae32.exe

Filesize
96KB

MD5
8d51d3f319bd666b0a3b9d05303396ff

SHA1
dab0d43178122174c3c0531ce6c8dc7eaae488a1

SHA256
dcbd7462a68b6003eba53e93fbb856f6cc2b14ca90c734edfd297edb5f2da424

SHA512
0f394b35a30e4f0b84a725a2f7cb5e97fd9f03c78f03e46a358dc53d48beb61ce343f05f7e58328bd6a6754d774f8020223d59f62c6cbd82ab4f7931d6c9545c

Download Submit
C:\Windows\SysWOW64\Pmfegc32.exe

Filesize
96KB

MD5
f8f78af5d4a8c87bf12f696f5d6eaa15

SHA1
0e685a80d778bc0d3b5650c560b251e89c64f6a8

SHA256
c14169f44c83042e4db2c8831359a0f7487d517e9ac2959587983bc7365eeeb4

SHA512
6f23e1d85c1e2b48cfed0f2ea418c7af60db0ea9315f7188a9f5878b22259dd5a116a3e3d4ef8126e6b7699f5e32a914ce615e7cb8db46178f8af0b429d3b6d9

Download Submit
C:\Windows\SysWOW64\Pmmcad32.exe

Filesize
96KB

MD5
9cf9148496b98711564b6ad017efb086

SHA1
16880f52ebcb4ceb26c1dd3f99ddd4c2aa8aa4fd

SHA256
459cdd2045138c0d5eaa60410e84dfa98cec268a1964ecabd4c65dd5dc88d9ca

SHA512
c68a4a62326fc7f9acab9f5df19213ee353d6b6470bd27a49ccc9ccb7076d19706a28e69762cf416ef5c0bdb5bf0afd36938c1d65b3fd90b45ab4a981192eba3

Download Submit
memory/220-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-1151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2440-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-1142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-1097-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-1059-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads