berbew | c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4.exe
Size

108KB
MD5

982a0a3aa4b6c46bd46207cd55600b15
SHA1

3fefa0a66978a16201fbcf8f66a564c57da160cb
SHA256

c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4
SHA512

c0020cfabb31008a1ac745d3ddec534241f876452190640679523a5f570c34f95a0bf64140e5aaa8382c1b13c4246006f92280e735d0d3bc880cedc83d2d1ee4
SSDEEP

3072:zOSnxL2RyaH4aCR47WEkPe+dCDEIFcFmKcUsvKwF:zOSXa4e+oDEsUs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3108	Kiidgeki.exe
2684	Kpbmco32.exe
2864	Kbaipkbi.exe
2200	Kmfmmcbo.exe
2096	Kpeiioac.exe
1256	Kfoafi32.exe
4048	Kmijbcpl.exe
3788	Kdcbom32.exe
4848	Kedoge32.exe
4504	Klngdpdd.exe
4728	Kfckahdj.exe
3776	Kibgmdcn.exe
640	Kplpjn32.exe
3184	Lffhfh32.exe
4916	Liddbc32.exe
3680	Llcpoo32.exe
4160	Lbmhlihl.exe
3504	Ligqhc32.exe
4532	Ldleel32.exe
1048	Lenamdem.exe
4732	Llgjjnlj.exe
468	Lpcfkm32.exe
2512	Lgmngglp.exe
2248	Lmgfda32.exe
3584	Lpebpm32.exe
552	Lbdolh32.exe
4292	Lingibiq.exe
4448	Lllcen32.exe
2952	Npcoakfp.exe
1512	Ngmgne32.exe
3608	Nilcjp32.exe
1112	Nljofl32.exe
4820	Ngpccdlj.exe
4436	Nnjlpo32.exe
3700	Nphhmj32.exe
2872	Ngbpidjh.exe
3312	Njqmepik.exe
1944	Nloiakho.exe
3508	Ncianepl.exe
2280	Nfgmjqop.exe
2104	Nlaegk32.exe
5076	Ndhmhh32.exe
548	Nggjdc32.exe
5048	Njefqo32.exe
2216	Olcbmj32.exe
4748	Oponmilc.exe
2100	Oflgep32.exe
3408	Ojgbfocc.exe
3000	Opakbi32.exe
3804	Ogkcpbam.exe
2400	Oneklm32.exe
2728	Olhlhjpd.exe
4536	Ofqpqo32.exe
408	Onhhamgg.exe
1916	Odapnf32.exe
4444	Ofcmfodb.exe
1204	Olmeci32.exe
3892	Oddmdf32.exe
4796	Ofeilobp.exe
2344	Pnlaml32.exe
3040	Pdfjifjo.exe
1744	Pdifoehl.exe
2084	Pggbkagp.exe
4652	Pjeoglgc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Qoecnk32.dll	Kiidgeki.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Lenamdem.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Nljofl32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Aceghl32.dll	Kmfmmcbo.exe
File opened for modification	C:\Windows\SysWOW64\Lenamdem.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Kbaipkbi.exe	Kpbmco32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6760	6656	WerFault.exe	234

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Ligqhc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 3108	2516	c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4.exe	84
PID 2516 wrote to memory of 3108	2516	c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4.exe	84
PID 2516 wrote to memory of 3108	2516	c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4.exe	84
PID 3108 wrote to memory of 2684	3108	Kiidgeki.exe	85
PID 3108 wrote to memory of 2684	3108	Kiidgeki.exe	85
PID 3108 wrote to memory of 2684	3108	Kiidgeki.exe	85
PID 2684 wrote to memory of 2864	2684	Kpbmco32.exe	86
PID 2684 wrote to memory of 2864	2684	Kpbmco32.exe	86
PID 2684 wrote to memory of 2864	2684	Kpbmco32.exe	86
PID 2864 wrote to memory of 2200	2864	Kbaipkbi.exe	87
PID 2864 wrote to memory of 2200	2864	Kbaipkbi.exe	87
PID 2864 wrote to memory of 2200	2864	Kbaipkbi.exe	87
PID 2200 wrote to memory of 2096	2200	Kmfmmcbo.exe	88
PID 2200 wrote to memory of 2096	2200	Kmfmmcbo.exe	88
PID 2200 wrote to memory of 2096	2200	Kmfmmcbo.exe	88
PID 2096 wrote to memory of 1256	2096	Kpeiioac.exe	89
PID 2096 wrote to memory of 1256	2096	Kpeiioac.exe	89
PID 2096 wrote to memory of 1256	2096	Kpeiioac.exe	89
PID 1256 wrote to memory of 4048	1256	Kfoafi32.exe	90
PID 1256 wrote to memory of 4048	1256	Kfoafi32.exe	90
PID 1256 wrote to memory of 4048	1256	Kfoafi32.exe	90
PID 4048 wrote to memory of 3788	4048	Kmijbcpl.exe	91
PID 4048 wrote to memory of 3788	4048	Kmijbcpl.exe	91
PID 4048 wrote to memory of 3788	4048	Kmijbcpl.exe	91
PID 3788 wrote to memory of 4848	3788	Kdcbom32.exe	93
PID 3788 wrote to memory of 4848	3788	Kdcbom32.exe	93
PID 3788 wrote to memory of 4848	3788	Kdcbom32.exe	93
PID 4848 wrote to memory of 4504	4848	Kedoge32.exe	94
PID 4848 wrote to memory of 4504	4848	Kedoge32.exe	94
PID 4848 wrote to memory of 4504	4848	Kedoge32.exe	94
PID 4504 wrote to memory of 4728	4504	Klngdpdd.exe	95
PID 4504 wrote to memory of 4728	4504	Klngdpdd.exe	95
PID 4504 wrote to memory of 4728	4504	Klngdpdd.exe	95
PID 4728 wrote to memory of 3776	4728	Kfckahdj.exe	96
PID 4728 wrote to memory of 3776	4728	Kfckahdj.exe	96
PID 4728 wrote to memory of 3776	4728	Kfckahdj.exe	96
PID 3776 wrote to memory of 640	3776	Kibgmdcn.exe	98
PID 3776 wrote to memory of 640	3776	Kibgmdcn.exe	98
PID 3776 wrote to memory of 640	3776	Kibgmdcn.exe	98
PID 640 wrote to memory of 3184	640	Kplpjn32.exe	99
PID 640 wrote to memory of 3184	640	Kplpjn32.exe	99
PID 640 wrote to memory of 3184	640	Kplpjn32.exe	99
PID 3184 wrote to memory of 4916	3184	Lffhfh32.exe	100
PID 3184 wrote to memory of 4916	3184	Lffhfh32.exe	100
PID 3184 wrote to memory of 4916	3184	Lffhfh32.exe	100
PID 4916 wrote to memory of 3680	4916	Liddbc32.exe	101
PID 4916 wrote to memory of 3680	4916	Liddbc32.exe	101
PID 4916 wrote to memory of 3680	4916	Liddbc32.exe	101
PID 3680 wrote to memory of 4160	3680	Llcpoo32.exe	102
PID 3680 wrote to memory of 4160	3680	Llcpoo32.exe	102
PID 3680 wrote to memory of 4160	3680	Llcpoo32.exe	102
PID 4160 wrote to memory of 3504	4160	Lbmhlihl.exe	103
PID 4160 wrote to memory of 3504	4160	Lbmhlihl.exe	103
PID 4160 wrote to memory of 3504	4160	Lbmhlihl.exe	103
PID 3504 wrote to memory of 4532	3504	Ligqhc32.exe	105
PID 3504 wrote to memory of 4532	3504	Ligqhc32.exe	105
PID 3504 wrote to memory of 4532	3504	Ligqhc32.exe	105
PID 4532 wrote to memory of 1048	4532	Ldleel32.exe	106
PID 4532 wrote to memory of 1048	4532	Ldleel32.exe	106
PID 4532 wrote to memory of 1048	4532	Ldleel32.exe	106
PID 1048 wrote to memory of 4732	1048	Lenamdem.exe	107
PID 1048 wrote to memory of 4732	1048	Lenamdem.exe	107
PID 1048 wrote to memory of 4732	1048	Lenamdem.exe	107
PID 4732 wrote to memory of 468	4732	Llgjjnlj.exe	108

C:\Users\Admin\AppData\Local\Temp\c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4.exe
"C:\Users\Admin\AppData\Local\Temp\c1eb7dc87a912a9cf527fde7dc5f871f0fcf948e90d90d2a0b7882a2b66fc6c4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\Kiidgeki.exe
  C:\Windows\system32\Kiidgeki.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\Kpbmco32.exe
    C:\Windows\system32\Kpbmco32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\Kbaipkbi.exe
      C:\Windows\system32\Kbaipkbi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        23⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        30⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        38⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        61⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        66⤵
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        69⤵
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        71⤵
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3988
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        74⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        75⤵
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        76⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        77⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        103⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        105⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        106⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        107⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        109⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        110⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        116⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        117⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        121⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        130⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        132⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        135⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6392
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6444
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6524
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        143⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        144⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        145⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 408
        146⤵
        Program crash
        
        PID:6760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6656 -ip 6656
1⤵
PID:6736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aceghl32.dll

Filesize
7KB

MD5
a8fbc538ef338192a434336b1d2b7363

SHA1
a88c298ffb823ef01ec8ccdbb92fe5adda6e80df

SHA256
38f6c5b5eb288a858f8e6ed5362901fe4008d36a44b2f9994b35c45c7269e94c

SHA512
8f284b6254ae71c91fe2e9345fe7dc1130572085a50a52c8a4325370d8c7a3102f9f7064bab7c4d868629f5980250ae83f9a19fa600b3dd487bdf5db59a3efc5

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
108KB

MD5
c48a0f4f96f11950c4e069d20b25bd57

SHA1
6e00e43211491a994740fd8c0079d17a91c90c9c

SHA256
9daed4aaabccd94198cea94628a9ba91175caf99025378a566888b8514b777be

SHA512
09c6e61bd7455d89acdb9252936c2489ab7eab698e82318f6d5f0d0a627f719fb88a24c3f05123ed9bde9c6b972a346527266f8bd913140619e63bcc6d8b92a0

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
108KB

MD5
a1f1830da2e44e02b7eac5161ddb467b

SHA1
7a91a20401e65b889e2c4e5153aa2d9f68979868

SHA256
c72e6da115d1a41f993c8bf4af74464a8b22a8c881df8b3255091ad4a1501792

SHA512
31ff42df39c384c5df52e7a17e6980f852cbe532c767e1791020131c46cb6d068821c4c08a723050e2b3c8e7846562213bae59732e9d3fe17805f5bf320513f5

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
108KB

MD5
040c5840dc79ad5448b7bd86b72af936

SHA1
3ee983f2452b1e31e8609911c5b5e217131eb69c

SHA256
80930839d5597db6bea090e24f15956ef9fd282b74b0847edede4d4be98f975d

SHA512
560373453e4a9239ff66ff824bd6067e285d1423fcf032f3bf030d01bc4e89cb885049200b26ab262deb048c01e7f2cc56857d9b6602c40207e603f49c04344a

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
108KB

MD5
6478a7e22ed09b5762460a3b75bb5700

SHA1
2917cf63f3e83078db2a16d4304021fd2488b537

SHA256
ce4b099378b98afa69c8a6847d3b631c5e44b739aca3254bbd324f0b33f8926f

SHA512
7c8bd6246843177d3cb9d2737b342a89aeddb54491493fb1100d8b7960b0c94afa5f7a51a4c3c43612ade9e4e782686a52c5cde97a59928fda4efc9f6d82c15a

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
108KB

MD5
046965c4f69c589794dc55e6079e8cc4

SHA1
96320e5cb98403a1b59e843230267f5a3832c5ca

SHA256
72cbb5b0dbff8321566212b0b42be0660f03dd908fc21d604e737e290f532383

SHA512
25d5930b8324baf0619c02529f1d8fad3f592e925f6a42fd261a51fa28d683ad87910d2d76df4882d2f360773cf9e839d5ea3d850298c01534102346ebbc85e0

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
108KB

MD5
cdaa8340c0703fbee130645eb9c6b3c6

SHA1
e84a04065ab96b4f386596aab4ef7cdea0474a39

SHA256
7f421ba00e96f465f41bc1596ddd60eb24bd9eae7ca0f06e7cb829c5b7458e71

SHA512
08a820caee8eaa3871f4e6bc7aecff4c76b9bfd912663db621c815521ef6e1f106e9e92d70c6b42126516b1d0ba97a7f555a01e03fa1e77a2e5198f39b81e28b

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
108KB

MD5
88caf42f30cacd6dc000d307d5ea1ed2

SHA1
94c4ec8b254bd8deb32e9dfd8eb47439357271b7

SHA256
c2410ee301c084722ac683647a5c7542b4b36b55b2f89145416d3b0b141ab453

SHA512
f59426307ee5571f51a248d1d2dc0806976b73d6b6c781468e1369070395ac3e146ab9ec1749e0bbf7ed39ee0e767b14b96031f4856f95b686038ef891036d39

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
108KB

MD5
b18d608004b82c1deebbbb37dc14bae3

SHA1
b8abe0163ef07e7b86aa66e563fd1675b2bb6c22

SHA256
ebf38162f8cd8fc705b9fc1731bfcdce8a49ee4c47160251bfd54570bfe27725

SHA512
d01627d29f3703016a0f82f285d2858814beaa089f6b60b8522a517a3040b95fa7295c5fef732c5345c1ce1c3fba817232ecb4415f3e4b993fa84ec0fc918f55

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
108KB

MD5
2e3ab7fcbe8568551a61f48b8105b105

SHA1
b3cc842329ad9a5cccb7429908529fef8410cb0f

SHA256
4d1699303a609ef3a109a3e7e49731f6574f1bfa73d931b826bfe7bfa441c413

SHA512
6ed0f4b391a85ab5b8b651b5d80163a6c3007868a93e84f48a8405916f384a0593987ed9e2daf352faa70cc37f6c3dca416010408a17d90aabf71caac2423e29

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
108KB

MD5
3683621eed280c6be8feb5546fa12498

SHA1
7eae881dbcb7f141612425c3716184f641109a86

SHA256
8f410023d6339481117d57ffaa06a4dd64470cc8ada50b999637c92bea0299ee

SHA512
381abb3740f08906c0088395973a9c196fa1f432e91a56391f43650b36d07c636c376e8c8f3aa604ef8dd77cfff7f3a2e0b7e96b83a19cd4b0f064d214a134a7

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
108KB

MD5
dd85103c67d77cf7ec2aad75f7548a90

SHA1
7043517aaa02ecb11c097fb2b45dacb72c376577

SHA256
9df4dd0793368406b3bd910a883d31f5d50bdfe8665867805893e3b4c9f7543e

SHA512
b7d151620a0c79741ae7c62e426d40cbb6ed8a6e477d8c3979b6921e6f2d09809110609ca8b5ff5d17688ee7d1775e9ba756a2b6687be5f2f679900c82ade69d

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
108KB

MD5
918086efc21c0226607e6451d5a22809

SHA1
459bd93a3cda4e78e74ffd4345a5069b846e65b8

SHA256
169212447cadb3ddf8265d0d4878205812979f495f1038e375f84ab123add519

SHA512
ef3d4e19b339222b3f50d5f9e598126634528c4a8242c0bb018212bb0fb69ded72a285f927cfc273efbc15ee2c0beb7480859dc85b02b234f072bff444a2ef80

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
108KB

MD5
076aa5ca98198dca5a7d3809b7460ad8

SHA1
ebf03a7a3429188be784992dc707df526d6a4495

SHA256
2deb9b6386e6f1587253867ed0fd31be31a2bd55b632f90b1936cfab2115f1f7

SHA512
ca43d9eddbc27c6883180e78c50a38645e98bd1da6d11bc7be6d39b292abd20e92e9b51b325910351a49cc31a404cd88d665961c6529f61a34c906ee1aa59f8b

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
108KB

MD5
556537879b92d9a860f259b4a828454d

SHA1
926315bc54e9938ca686b6aa9b7e57b1a4f5769c

SHA256
a1db1378aa9a4dc7bfa203568365e777498da705d80a88dae867e04242c7c96e

SHA512
596029531e41744af5ae0d3b2b1cddaf72c21a90bd203fdcbdee9622c58b489f2504367347e3717f62bcbe8e27f57ccd52737a99a29c613259677c11c88431c4

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
108KB

MD5
f1d3ae8e5e401e180b7c3f384ccbb623

SHA1
cc34334432c6ce43a6b7f11711d3283b1a7d8ad2

SHA256
a7f0ddca52bc4ded8debadf8c7473caffa69d51d13e0cbf8b3fb1dd4405573f2

SHA512
bf78258363bba40173c82a911e530316a53e1b4995caff3a3aba9468caaff0fdecc03b32caf1e8a5c5954fd2d38b4541038004e541a48281c6d1b705135edaaf

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
108KB

MD5
1b855d67021c34a208f0bc0f1e55cfa6

SHA1
daca43cd311505e160f345c0dae3816335673f92

SHA256
f36996b5a7b392c37cd90cc5ec4a2e8f2a7ac76f67cc40248f0b116eca743e61

SHA512
7ecf82949094a00b08f4d2978dca8eef2c17129bf6ade2baf90b4521c993e7dd8f69fa4f6d832307eb3a591aed05aba363f52448bebec70520a00dd177671b37

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
108KB

MD5
ce7be8eacde26ba4a6a8c5309d7b0e32

SHA1
383f1ea2127a817c1eed4ebc7d9c8e02b8748331

SHA256
8a27155b457d222aac34eab286d87d25edbc204959ea4c5f97c6ffb91f3d79f2

SHA512
3952a191baa13f907921de19ee2588847bf0b5ca7c4634e83e5a057c9c137c89751f49fdae573d74fa48a6956c8e19bf7e08ec9a681818824f40da8765c76088

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
108KB

MD5
97f039c847fe0e3ac207cf4760abf6ea

SHA1
8445a45d1045cf3b04147380eb4542a2f833e5b0

SHA256
4df2db437b316f0259f1bfdb2bb0ba3b2d44e9fad28c0a5c14b70eef53fc2d38

SHA512
52dc02cb5c1fc22a38751b526a914696643aefce6dc3c6794422931c38f2b80e9819ac1c03672ed900fa1fb4a42bfdcfdf561f10fcb1c24d30079a1303ece266

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
108KB

MD5
c532b3d2a5280b9c84e4e383811fa8de

SHA1
3a0dbab5d92827fdf29d780810488ffe2c0c783d

SHA256
7c4bf9c42b0a868aa13b4e4809d8429aaa39810056b850c2f5db5d68e2064e64

SHA512
19bbe86d5b4b614ad4d353cb44804661de3d518566519e3ede37ea67e166c0791914f7412a767b0dc14b69ec12d348408bf1174bb6284dfc8b46fd68d492e219

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
108KB

MD5
1241e898d76ef0bab30f32920d265ffb

SHA1
1cd3f3a8f01bc943814068337a72960fd56e4c1f

SHA256
79fbb594640c1468bac9498a8c7eec63a34c391085ee080c79a05813d529e0a1

SHA512
690419b7ac60c9c5e261623b1017f586d693a84f2fe464419376d7d3f0d56d1cbd65b277847b8bd87c4f82b26b7e046b13a2183328b9327803ef222023116b97

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
108KB

MD5
ab0f044b1afbe1729cab34f791d26abb

SHA1
85169f4aa8bb096bbf5731645544f961d4e1e89d

SHA256
167dcd2b5d0fe043bce2b1e944f3d7dd1644c9660333b7fe04d481e69cbeca04

SHA512
3b6bf752a7b881a986da8bcd87a1891bfbf6d404517f106a78e08571b80038aac89c482780100d5a120259b723b7ccfa9cc2416223288a8af4dd480bc047e627

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
108KB

MD5
320b9e67514c310be0be37d3e4e05c0b

SHA1
d517ff691083839b85229a9568314500798f2bb2

SHA256
38b6070bc826aa9ce46cc4be6f1418635f2b1fbfb8ee954584725a89266a679c

SHA512
31b44bbf23211ffc92d5719c67736e7fed3a5e4e26b268d438ef61e4e021d221ea50feae09273572338076421b29fb181c7f64bd36644fe0bdc85ebbce6db92e

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
108KB

MD5
5a65bca1c932291e76c77fa7d59886d9

SHA1
3f7bbff04a7e9f675e1209d449ff9c63b7e0e920

SHA256
b57b5d9f921a8023b0fe083c3537fedc3cee9b7c3486586fad2c69d19f34999d

SHA512
e0a603a670ae65927604976b9b23a486b9aa3175a8421c19e921872bf7ef0f757c5d4bedb16f53ebddf525dc1959ebfacec85c7d0aec3e73ea74f1c506114cc1

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
108KB

MD5
89808f2ac75f71b3e805fe5af7dc8999

SHA1
9917e4e831f16289d4c98712601984963414dce2

SHA256
beb7a04ef3d32a2b0803825477537efa64be485ce98ad26fd1d7aaf41e039ce7

SHA512
4bd8d0f2095e7b2b5bd426a3935aa2dccdfb20f7b2752ba11f00ad648a02cb5409ff7771c1adcf883969f1bd9e2bfcd464486cfb712098294186d737016b1e73

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
108KB

MD5
ae3195888b40c4a949e0296958f2a319

SHA1
6ab0b99e9c296e8ef891e9876c0ecfcd1aa60564

SHA256
3e585cda6968aeca5570b1264a9abb034ddb1755ee3fc3315caa1497e4413935

SHA512
7f2cf10a4e846aaa53f82792bab8556c299de1fe2a8d9cf57189c2bda418e7e8e88dc3f958ba56a286485ad66cf9cb885043e49010c8a1ff381b4527b43fe820

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
108KB

MD5
bc692fa090f8d6c34d339fc3733aacbc

SHA1
5b46a6701adeb7a4b96a4fbac415b476eae9550c

SHA256
15bb383e12ed35e94c2e7fb13e52906fc2b2948ae81215563f3d196e95fbb02b

SHA512
fc50ddaaa724532e4f1dd55cfc9ee854c58895ceb169396c25d37fcb59b11222b808f047bc3dcb6227b8b85049db763e1f14f35945d5f3260f643e400d6a0186

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
108KB

MD5
a17fd5d58178be7c92962b0772088e6d

SHA1
cad2cc7eb9aaf14befed5f9ba3bc3cb95df3282e

SHA256
166ad1cf596dbd5821d1d0a8dead58c8cae0d2c135788fdbf6b4bf206941eebd

SHA512
6bffd0f7a74714e31ea425232adc1da85770a5a46e2976aa2279bc3a510ee061183e82d76352f17011fbe7fe6abaa361cff50eaa0362c3d81f8578567309f9b6

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
108KB

MD5
71df8f9df905ad2c82bb5ea9d1bcc4a1

SHA1
7c84e63a2363fd901e7ffc85f54cbe634fdc83d1

SHA256
1137e7c976bdc5b4b0b52fba954fff3c245c0845a98b728891230b06c83cd0d6

SHA512
b62cff8e4fd63687785db180f5aa71a09f8de55ede07a44fb3e2afafc18eae5679d512e0345e0a523ae31aec8360fc494a908b51524d661fc4531e187cab85ef

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
108KB

MD5
6fffa9a3b7e01bd7062b727550498d0f

SHA1
646638080e42b21425779af872236660e35b1824

SHA256
8b394d6d254baf600438f151c9a0743dd49c1566042966d736ce027cff0cf689

SHA512
212170afcdec6f8cc23fd6870bb3b969825212edd217b841d8605a29b81b48980f9e1b20778150e193d47e2118ca80b2733499e5de60c7520704a701e77f17ae

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
108KB

MD5
ebd87de41f37de85fd76c6eecd2fc8c3

SHA1
c36d0276b3c7d9d86771c492ced4adbe7955b33f

SHA256
1bf4d75a9f23d66456c67fe2efda9975704d98bf88c84334099baeb11f3fb43c

SHA512
578ae832f696f74e638761dbf664ede9dc96654ef456e67a45fddf04cd8a14dd56b7cba7839466a2fee109be3820761b9c5cb418b26772924599d435da134376

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
108KB

MD5
133853f62238e2bad7433f3b772b074b

SHA1
a0873fbeb4be8d819d6b73a89052c7bd7b831396

SHA256
d9192e7f71b54c743d11d2ac2a901840975128c6de92c9fbcae1fc34057ad4e1

SHA512
8606d6e21c7a05c5f704558dda7d69f3ff176e10f899b4476037cc83201c9df8a457d16475a87e506c1e3175bad519858b4c20f5f1dea64270de26475f5283db

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
108KB

MD5
bffdfaa22e7aa4cb13a21c5f2bcb14b9

SHA1
fc3a347787b82ddced405af512f45e26dad8da01

SHA256
bc1b37aee1e2c3de2f061b9db8a073152190ca043e014135b28430373c934fb9

SHA512
2114d6434c398265f39517c0c3f6aac921e855658a34d986dce861240581c92a75a3fe334947565d6d1f1d2e2ce0fde9b9ae56ed64b86d01ffc4892758a79c21

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
108KB

MD5
c56fa1cb2e0b652e945c24d834ab84c5

SHA1
6ab766aa23affae829c03da365dd367098c9e140

SHA256
a7b7e58054b8f2d63097ca7560649961536dd3d7926216e4954a62dc83973d7c

SHA512
e59f4d7db2b7d47d85c75e61d3f0e628da09ec9abb55f054d8e1b784226404a59d51622fd0923361bb35c98b966d029134cf366e13d971616d82ca16d12cbc74

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
108KB

MD5
a1ed63bfcccc113696a4c9498fc8e4ed

SHA1
61ec7002a7cdbaf5e1767053eae2dbaf3316d04e

SHA256
17c2aa680ae5418c2cf00ab3b9426f9f3aa503b982d801ee7f70d05405b092f9

SHA512
84fe44fe27977ccb0a2da3a56326322145e4b793624b6a4358aa4fe8abe6b83a7aec56ed8112594cf844b11a66cf2716720e3d33aef1e59afda206e8b0023eb4

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
108KB

MD5
da40b48a4f3b257fcb22c58ffb0369a6

SHA1
6a83008bcb836c089fdcbbe6ce37c7637f068d7e

SHA256
269721abe43beaadc70562c46f4075b0590d754f7b204b7af30bf8fe95f876f6

SHA512
44a707249747bc65c91519d655dfc9279ab9900914e7255412592f94b8cf52eba7c76fa7bafac5b22bb32fdf2617ef6a4f3ad523ec5d0b97548607f25a86f963

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
108KB

MD5
b51727556e54b56b88f4493ac307ac45

SHA1
aef0ba07e0f25538625af828ee7b4ced494184d8

SHA256
5b2f41a35f381828446032116c452677229d8bdb402b7e154bcbd0e51058e7f2

SHA512
8375862398a018fe58d0d57e61dfd72f6769c9178cc8f87f0b60cf81089e91efd68797215e3c667b8a58ac14843e7b600132b9a60ebc346a300263dd4cadf1c5

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
108KB

MD5
4a256561b4b9cc0156854a0a8276c29f

SHA1
791087aa0ce4bc9fde986502a96c110687ae1a1f

SHA256
b04ac78918fc098bf853eb504ea0e325de33e2815279212e7543539af94507f3

SHA512
291cd9b1fb1555d9a2a2ea132201bdbc1204297ac61f7d360f48124d1531e0d98a037f4806262d9351540f58edc0eeb6a7d51c039a06e4e358e4affd2275fa3b

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
108KB

MD5
54605aa417bc7bbe4392e9aa0deffe04

SHA1
a37df6c90762d935c39989c452bb869cf713a315

SHA256
b4aae9d9e0f183e0e5304e7db36661682e16ff6d6ba41f8ee6b3e82fda52bcbf

SHA512
4ce6d1dd3719962660d42b1edb78dfe571f992d8832da1c53db971d820b7da3248b2073cbb912e54e72cb097e2e429bce67c0dd1050d122931a302d758d84d9e

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
108KB

MD5
c8ca03da8635e4749ec4b24909898fd9

SHA1
0188042764d3d168f894a78ee3d75917ee0eb544

SHA256
85673dc402994d3ee1092b037d5f107a4cbb5da5143fc86c60d3151ff7ee3c98

SHA512
b6d80ca946fe0970aa3c0a1bcf9abd15ffc924e92278fd10d49aeb4dbba612677bc0007041c26b4b8e8bb1b4cdfc5b52707fd9d749f605279110300322369383

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
108KB

MD5
db6adcf8e57ab82f75c9611e46f6b891

SHA1
1d7968222a1b09d5fb7f137bf5b0cedea6713102

SHA256
285b97c4b518278c07ce553734f9b0b5c7ae189737e0d9b098e0633ffa41474f

SHA512
120771ab7382ffed72bea776444ccb2692bae095bca064ce464080beb586992a688fb38362d29754f64dda356f890c0e09525c0c32ba70cc2c09c8727c5b4976

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
108KB

MD5
465ffd6dcc67088cb14c9abb3b2231eb

SHA1
16a55a38703ff5688c07b8965aa7a8b2b4de33f1

SHA256
c3fdbb89ad5bd5288c74410b1bd4ac426ec1734ab20a479d87d6fef955e11d06

SHA512
8d2c57918982a6b3e2c0ca891e2a0060010b67ffa9968b9693f26328d65bb122a84a117e991f8f002dd896c3765f0c4630790c49f37bc35f0dc6c91323292228

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
108KB

MD5
f09d69077680f72aec2ee9e8ddf99814

SHA1
4916dd312bb3443dfd2eb2161b443e43caa1fb34

SHA256
c0134ba46473397b124ee914bffb2f0fc7e497a25ab1d24bcc684147e8d8528f

SHA512
4afd0d876bbb48ea419db9f98e50add0f9a90152dd3e44dd6b6ba2a004fe891e681455b99e9cf1da2cd4e6cd8a234bd1e58158fde75f77ce294933e5536935ad

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
108KB

MD5
99f736664762e935cd5f786b01b50d74

SHA1
7bec0f5ca70ebb7e11cafea2739c5b410b6ce873

SHA256
79a0acb8aa6efce7d4909cf15a32cb50985185d0b3d677f946e5a1a097fd3cc5

SHA512
9ced6d3feb5a9c42bc9ed03e22df4ab4a7f0b7e9855512b37132ff4e121b49da81e35476bb3b8e023fc9d9188a797243b33e02ac74b0a59ff6173181c9c5c275

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
108KB

MD5
7e3acc5526d061dbd616852faf640628

SHA1
981f521af485b8d9e8aae3f3b92c7f02e84e8a7e

SHA256
0277bb2d0499d6c3c2c8b9d2f8e563797b323f04d4cf3bdf2df72daa197a73bd

SHA512
24a6a45ecb4c8691d3cc0221d6c8f5254341b5e37648923efd7a66a41da2d87037781ec2854da919c56692e257426bc812d866efda8dbd7f531bb7007a4e44af

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
108KB

MD5
03ad0d04fe7ef5b0b32a980d9b72379f

SHA1
ddd1676e1c028a13acb5285c04d9b0ca12080704

SHA256
da1592fd28384fec4960fc32ea07ac76102e80fcfca1e7f7024e485d07f76e7b

SHA512
42135948b1783f7fbbf52ace80ea69d4f7b7805e963c1fc17c2c9fb55c06f635e1e262943490e0310a729a5a6d82e7470e4ba026d441f19cafe025988eb6c127

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
108KB

MD5
f2a0bf0ca2e8778bf43f52d2487fd419

SHA1
cb61f5619a9fdbd6284ee897fbf8e0f9bfc904c3

SHA256
4ffa45fe7e8ff42fb750996cbcb5e79b79685c87317d81cd76e95adaceb71197

SHA512
d46d0c80b040bba4a59c8d35383055d050effa3cce8fce5cf73a9151fbcc9fc68e22133402c9f4987ce9e3b4b033f633a434313f0c367bf379192e5c45397ba6

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
108KB

MD5
5b57b70cba7e8ac8062425a64bc102b8

SHA1
7076d1cb68ba54e29e3558136a3ef0b1ad794a69

SHA256
e7555bf39a5dc6d06bdfa5bc6e4f657c9c1a6727c5d6615d217a2b3031eb4405

SHA512
87466122c4938d3305df2e472c0592469ce6cc43875469f41c81f48df6689c5cb261341d979d35f0cdef867257d1360253eeca897269a20a8656776b0d7c67e4

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
108KB

MD5
352cb9f6687d10af7e155894d406c3cf

SHA1
b84c0edf6763585f759be62723c20dd7d2f0ded5

SHA256
5430021dbb8727524d14c099e794d1c89da0e685f87d425edb002a9c88758d67

SHA512
1b503d98df4a886990a83c9cb6036cd536a930e4c213d9800e2cb31e04a514e2a926fed9ea9ca8c1b81e9e337188600a15e8eafed5d97c1760ef9cef749da5b2

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
108KB

MD5
b69654ab61cbef182b1d24f69ca47a00

SHA1
27e3c3b169811021215fea4cf45e20161247544c

SHA256
fc31ac151eebaa85427d5dee4a6fbc42efde94713ac4fd02a007acb36a62bce6

SHA512
2edec5d32964aa970f6f50532de91804dc7a182f6e6de2f94a40f4846fef06f90f502c8e52fabf5c19161d3135894b94da1c4ed7cec2dd0da1138c6d4daf2def

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
108KB

MD5
6c84fa301badbcffe07c72dd67f541d6

SHA1
d8dde8b570a4a000433bcb0d41d789f73cf00566

SHA256
134c58ffa5375321ff00bc7b719d60e5fad4a0cbc19ad10d64d574cf4615c097

SHA512
2574cfd4b4fe4bec04c2465bff91c37ec72a031efc630ea65cd8c3fd8b26007d3e0c9893ec0bfc9b0fb59ccb506a2669c04997b4d097e5256122cbc97bd71054

Download Submit
memory/408-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/468-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/548-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/552-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/640-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-1234-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1084-507-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1112-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1204-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1256-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1256-584-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1512-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1536-513-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1744-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1916-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1944-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-446-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-577-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-1181-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2200-570-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2200-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2216-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2248-1227-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2248-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2280-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2344-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-543-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-557-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2728-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2864-563-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2864-1268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2864-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2872-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3000-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3108-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3108-550-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3184-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3312-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3504-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3508-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3584-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3588-519-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3608-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3612-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3680-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3700-1205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3700-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3776-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3788-598-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3788-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3892-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3988-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4048-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4048-591-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4160-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4176-525-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4292-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4436-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-1144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4444-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4444-1162-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4448-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4504-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4512-1129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4536-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4652-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4712-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4728-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4732-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4748-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-1156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4820-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4848-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4916-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5076-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5128-531-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5164-1071-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5168-537-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5208-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5252-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5336-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5380-571-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5424-578-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5468-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5512-592-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5556-1099-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5556-599-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5600-1096-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5744-1033-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5820-1086-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5900-1050-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5984-1049-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6148-1006-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6200-1004-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads