berbew | 12f52911091779909badf3c094aee7c00445df1c5bb68bc9046c009885febae8

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12f52911091779909badf3c094aee7c00445df1c5bb68bc9046c009885febae8N.exe
Size

128KB
MD5

62d3aa1e0baaee73481b880f6c11a240
SHA1

be43862740fe6798f2d599be2e4ee7f6d261c19b
SHA256

12f52911091779909badf3c094aee7c00445df1c5bb68bc9046c009885febae8
SHA512

6ca004fc5cca48e9981df10b5fd3b00f6076dd37d6539135016d5c6b4d8481d0e8cb7d62790bdb1589daedaf76900f3a306b37f7201276eb07e7d399a4a8319c
SSDEEP

3072:1X8fq7IWWHUqmDPESk8QYxQdLrCimBaH8UH30ZIvM6qMH5X3O/:SC7IoqmDPESFtCApaH8m3QIvMWH5H

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnkhjdle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnkhjdle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icogcjde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bipecnkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqabib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icogcjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibpgqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfbjdnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcjmhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnaecedp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjdedepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	12f52911091779909badf3c094aee7c00445df1c5bb68bc9046c009885febae8N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banjnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigbmpco.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
852	Aalmimfd.exe
4980	Bigbmpco.exe
4860	Banjnm32.exe
4216	Bjfogbjb.exe
4000	Bpcgpihi.exe
548	Bbaclegm.exe
1340	Bmggingc.exe
4232	Bdapehop.exe
1464	Binhnomg.exe
3220	Bdcmkgmm.exe
3620	Bipecnkd.exe
2628	Bpjmph32.exe
3524	Bdeiqgkj.exe
3472	Cibain32.exe
4984	Cmnnimak.exe
4796	Cienon32.exe
748	Cdjblf32.exe
4672	Cigkdmel.exe
1144	Ccppmc32.exe
3836	Ciihjmcj.exe
4528	Ccblbb32.exe
3936	Ckidcpjl.exe
4304	Cacmpj32.exe
1072	Cpfmlghd.exe
4428	Ddcebe32.exe
1316	Ddfbgelh.exe
3512	Dpmcmf32.exe
656	Dkbgjo32.exe
676	Ekgqennl.exe
4740	Ecbeip32.exe
1388	Eafbmgad.exe
3372	Ejagaj32.exe
780	Egegjn32.exe
4812	Enopghee.exe
1776	Fggdpnkf.exe
5068	Fdkdibjp.exe
4396	Fkemfl32.exe
3240	Fboecfii.exe
1744	Fcpakn32.exe
3928	Fnffhgon.exe
4224	Fqdbdbna.exe
2016	Fkjfakng.exe
3840	Fnhbmgmk.exe
3672	Fgqgfl32.exe
2420	Fnjocf32.exe
3208	Ggccllai.exe
4244	Gdgdeppb.exe
2552	Gnohnffc.exe
3880	Gclafmej.exe
1620	Gnaecedp.exe
2772	Ggjjlk32.exe
4472	Gbpnjdkg.exe
316	Gglfbkin.exe
768	Gjkbnfha.exe
1660	Hgocgjgk.exe
2896	Hnhkdd32.exe
4192	Hebcao32.exe
4104	Hnkhjdle.exe
3056	Hjaioe32.exe
1140	Hcjmhk32.exe
536	Hjdedepg.exe
3872	Hannao32.exe
1460	Hkcbnh32.exe
5172	Hjfbjdnd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aammfkln.dll	Cpfmlghd.exe
File opened for modification	C:\Windows\SysWOW64\Hjaioe32.exe	Hchqbkkm.exe
File created	C:\Windows\SysWOW64\Binhnomg.exe	Bdapehop.exe
File created	C:\Windows\SysWOW64\Qfmjjmdm.dll	Hchqbkkm.exe
File created	C:\Windows\SysWOW64\Ejahec32.dll	Hkcbnh32.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Bdcmkgmm.exe	Binhnomg.exe
File opened for modification	C:\Windows\SysWOW64\Fnjocf32.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Hkcbnh32.exe	Hannao32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqabib.exe	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Qmofmb32.dll	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Jacpcl32.exe	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Kdmlkfjb.exe	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Leoejh32.exe
File created	C:\Windows\SysWOW64\Lpphjbnh.dll	Binhnomg.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Gajlgpic.dll	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Ggccllai.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Hgocgjgk.exe	Gjkbnfha.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Bailkjga.dll	Ddfbgelh.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Agecdgmk.dll	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Dpmcmf32.exe	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Elfahb32.dll	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Fcpakn32.exe	Fboecfii.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Eafbmgad.exe	Ecbeip32.exe
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fkjfakng.exe
File opened for modification	C:\Windows\SysWOW64\Lkqgno32.exe	Llngbabj.exe
File created	C:\Windows\SysWOW64\Dccfkp32.dll	12f52911091779909badf3c094aee7c00445df1c5bb68bc9046c009885febae8N.exe
File opened for modification	C:\Windows\SysWOW64\Bdapehop.exe	Bmggingc.exe
File created	C:\Windows\SysWOW64\Fhkkfnao.dll	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Bbaclegm.exe	Bpcgpihi.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmlghd.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Ihaidhgf.exe	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Jjnaaa32.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Bjfogbjb.exe	Banjnm32.exe
File created	C:\Windows\SysWOW64\Ohjckodg.dll	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Ichnpf32.dll	Lbqinm32.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Jgjjlakk.dll	Egegjn32.exe
File created	C:\Windows\SysWOW64\Kknikplo.dll	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Fbkcnp32.dll	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Acibndof.dll	Kaaldjil.exe
File opened for modification	C:\Windows\SysWOW64\Bpcgpihi.exe	Bjfogbjb.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Fofobm32.dll	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Fgqgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Hannao32.exe	Hjdedepg.exe
File opened for modification	C:\Windows\SysWOW64\Hkcbnh32.exe	Hannao32.exe
File created	C:\Windows\SysWOW64\Idhiii32.exe	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Mghekd32.dll	Llkjmb32.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Gnohnffc.exe	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Dgmfnkfn.dll	Hcjmhk32.exe
File created	C:\Windows\SysWOW64\Ieqpbm32.exe	Infhebbh.exe
File created	C:\Windows\SysWOW64\Inkaqb32.exe	Ihaidhgf.exe
File opened for modification	C:\Windows\SysWOW64\Jldkeeig.exe	Jdmcdhhe.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Igmoih32.exe	Ibpgqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5656	5388	WerFault.exe	194

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmggingc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbeip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalmimfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iapjgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12f52911091779909badf3c094aee7c00445df1c5bb68bc9046c009885febae8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigkdmel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnohnffc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggccllai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngbabj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binhnomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdgdeppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbpnjdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgocgjgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekgqennl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafbmgad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdmlkfjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnhkdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfbjdnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Infhebbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gclafmej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icogcjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cienon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjmhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjdedepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hebcao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llkjmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hannao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdjfohjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfogbjb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinffi32.dll"	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbldfbp.dll"	Ggjjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gglfbkin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaqqigc.dll"	Llngbabj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfogbjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncapfeoc.dll"	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjcam32.dll"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmpkall.dll"	Bigbmpco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkcnp32.dll"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcfmhdo.dll"	Hjdedepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbmdj32.dll"	Infhebbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cienon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkkfnao.dll"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakjcj32.dll"	Hjfbjdnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolphl32.dll"	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gglfbkin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqpbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caaimlpo.dll"	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojglddfj.dll"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmgd32.dll"	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajbnn32.dll"	Koljgppp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 852	4092	12f52911091779909badf3c094aee7c00445df1c5bb68bc9046c009885febae8N.exe	91
PID 4092 wrote to memory of 852	4092	12f52911091779909badf3c094aee7c00445df1c5bb68bc9046c009885febae8N.exe	91
PID 4092 wrote to memory of 852	4092	12f52911091779909badf3c094aee7c00445df1c5bb68bc9046c009885febae8N.exe	91
PID 852 wrote to memory of 4980	852	Aalmimfd.exe	92
PID 852 wrote to memory of 4980	852	Aalmimfd.exe	92
PID 852 wrote to memory of 4980	852	Aalmimfd.exe	92
PID 4980 wrote to memory of 4860	4980	Bigbmpco.exe	93
PID 4980 wrote to memory of 4860	4980	Bigbmpco.exe	93
PID 4980 wrote to memory of 4860	4980	Bigbmpco.exe	93
PID 4860 wrote to memory of 4216	4860	Banjnm32.exe	94
PID 4860 wrote to memory of 4216	4860	Banjnm32.exe	94
PID 4860 wrote to memory of 4216	4860	Banjnm32.exe	94
PID 4216 wrote to memory of 4000	4216	Bjfogbjb.exe	95
PID 4216 wrote to memory of 4000	4216	Bjfogbjb.exe	95
PID 4216 wrote to memory of 4000	4216	Bjfogbjb.exe	95
PID 4000 wrote to memory of 548	4000	Bpcgpihi.exe	96
PID 4000 wrote to memory of 548	4000	Bpcgpihi.exe	96
PID 4000 wrote to memory of 548	4000	Bpcgpihi.exe	96
PID 548 wrote to memory of 1340	548	Bbaclegm.exe	97
PID 548 wrote to memory of 1340	548	Bbaclegm.exe	97
PID 548 wrote to memory of 1340	548	Bbaclegm.exe	97
PID 1340 wrote to memory of 4232	1340	Bmggingc.exe	98
PID 1340 wrote to memory of 4232	1340	Bmggingc.exe	98
PID 1340 wrote to memory of 4232	1340	Bmggingc.exe	98
PID 4232 wrote to memory of 1464	4232	Bdapehop.exe	99
PID 4232 wrote to memory of 1464	4232	Bdapehop.exe	99
PID 4232 wrote to memory of 1464	4232	Bdapehop.exe	99
PID 1464 wrote to memory of 3220	1464	Binhnomg.exe	100
PID 1464 wrote to memory of 3220	1464	Binhnomg.exe	100
PID 1464 wrote to memory of 3220	1464	Binhnomg.exe	100
PID 3220 wrote to memory of 3620	3220	Bdcmkgmm.exe	101
PID 3220 wrote to memory of 3620	3220	Bdcmkgmm.exe	101
PID 3220 wrote to memory of 3620	3220	Bdcmkgmm.exe	101
PID 3620 wrote to memory of 2628	3620	Bipecnkd.exe	102
PID 3620 wrote to memory of 2628	3620	Bipecnkd.exe	102
PID 3620 wrote to memory of 2628	3620	Bipecnkd.exe	102
PID 2628 wrote to memory of 3524	2628	Bpjmph32.exe	103
PID 2628 wrote to memory of 3524	2628	Bpjmph32.exe	103
PID 2628 wrote to memory of 3524	2628	Bpjmph32.exe	103
PID 3524 wrote to memory of 3472	3524	Bdeiqgkj.exe	104
PID 3524 wrote to memory of 3472	3524	Bdeiqgkj.exe	104
PID 3524 wrote to memory of 3472	3524	Bdeiqgkj.exe	104
PID 3472 wrote to memory of 4984	3472	Cibain32.exe	105
PID 3472 wrote to memory of 4984	3472	Cibain32.exe	105
PID 3472 wrote to memory of 4984	3472	Cibain32.exe	105
PID 4984 wrote to memory of 4796	4984	Cmnnimak.exe	106
PID 4984 wrote to memory of 4796	4984	Cmnnimak.exe	106
PID 4984 wrote to memory of 4796	4984	Cmnnimak.exe	106
PID 4796 wrote to memory of 748	4796	Cienon32.exe	107
PID 4796 wrote to memory of 748	4796	Cienon32.exe	107
PID 4796 wrote to memory of 748	4796	Cienon32.exe	107
PID 748 wrote to memory of 4672	748	Cdjblf32.exe	108
PID 748 wrote to memory of 4672	748	Cdjblf32.exe	108
PID 748 wrote to memory of 4672	748	Cdjblf32.exe	108
PID 4672 wrote to memory of 1144	4672	Cigkdmel.exe	109
PID 4672 wrote to memory of 1144	4672	Cigkdmel.exe	109
PID 4672 wrote to memory of 1144	4672	Cigkdmel.exe	109
PID 1144 wrote to memory of 3836	1144	Ccppmc32.exe	110
PID 1144 wrote to memory of 3836	1144	Ccppmc32.exe	110
PID 1144 wrote to memory of 3836	1144	Ccppmc32.exe	110
PID 3836 wrote to memory of 4528	3836	Ciihjmcj.exe	111
PID 3836 wrote to memory of 4528	3836	Ciihjmcj.exe	111
PID 3836 wrote to memory of 4528	3836	Ciihjmcj.exe	111
PID 4528 wrote to memory of 3936	4528	Ccblbb32.exe	112

C:\Users\Admin\AppData\Local\Temp\12f52911091779909badf3c094aee7c00445df1c5bb68bc9046c009885febae8N.exe
"C:\Users\Admin\AppData\Local\Temp\12f52911091779909badf3c094aee7c00445df1c5bb68bc9046c009885febae8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\SysWOW64\Aalmimfd.exe
  C:\Windows\system32\Aalmimfd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\Bigbmpco.exe
    C:\Windows\system32\Bigbmpco.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\SysWOW64\Banjnm32.exe
      C:\Windows\system32\Banjnm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:780
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        35⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Ggjjlk32.exe
        
        C:\Windows\system32\Ggjjlk32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Gbpnjdkg.exe
        
        C:\Windows\system32\Gbpnjdkg.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Gjkbnfha.exe
        
        C:\Windows\system32\Gjkbnfha.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Hebcao32.exe
        
        C:\Windows\system32\Hebcao32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Hnkhjdle.exe
        
        C:\Windows\system32\Hnkhjdle.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        60⤵
        Drops file in System32 directory
        
        PID:828
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        61⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        70⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        100⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 400
        101⤵
        Program crash
        
        PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3932,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
1⤵
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5388 -ip 5388
1⤵
PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
128KB

MD5
aef248845426d6c15d0f896c12da4ba5

SHA1
a3fdea4934f8cf1248341e49b70a96aa39853f2d

SHA256
e08a4f4fb9c30805322b1d9bf39bd0efe4f2cc8d5707ca4affc12b964e0adea6

SHA512
766ea04b3d856fd6de7740f7e219633e32fba76112eab2641ffcc160884b752be7a6586c08fadec607e67eb058cb2d7cd4b7b086febe692e6b56982fb7f7013a

Download Submit
C:\Windows\SysWOW64\Banjnm32.exe

Filesize
128KB

MD5
64537003aba8bd6000b9e2903d6ee2bc

SHA1
85544f54a8a2fad730552b4ba8e627fe1207734a

SHA256
24bb5598f8608998d54cd341b1aa20f67fa3f5237c095d8c839f3d619fde15ba

SHA512
7af15522a7c1d2347243636e5dbc9d49b5c3ff47d0287eeae20cf5dde269dfef88a421a02eb86a25fa8ba65199f11c5329ba17b2058f9267cc0100e48c4ed1a8

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
128KB

MD5
53f1b88f10d2e1184dc12cd6f5bcd165

SHA1
d3642668137d981aec597ef598f625769ad15580

SHA256
3607a06c22c6f55f01780cbd4b731e8ff5c53d7beaa11884d8271e4cc49ef49a

SHA512
d08b958d3d0ccbd0a64e0e045a3ee7bde1e17a3f95f95f64f87d2c26db41e6755b1506a5d36f27a2d9d9185bedee7ecb7f1195a3f9b8df70bba7aa4881ef2484

Download Submit
C:\Windows\SysWOW64\Bdapehop.exe

Filesize
128KB

MD5
ccc8bc77eb7083eeff5016e886a0ed3a

SHA1
8c433da47a43f7a496247cc537391b09fa9c19ce

SHA256
afdbeed1f23a114599a9c2f78e2c2b2ece236193a15f80e215fc9507dcc13da6

SHA512
532be4082a70c970662e3ab8e82cfc27c6a63b6dafb0b03189eb581fbabe5146ea0dda37f23ff4fb014c0e9546991cdaeba739738510d0faf84aff0b8fd6618b

Download Submit
C:\Windows\SysWOW64\Bdcmkgmm.exe

Filesize
128KB

MD5
063215eb001d6f2a7f590f0073c045fe

SHA1
38b5ce94fcf9a40e0459e31d18a2b37b540f12b6

SHA256
e0eed4766e62d60f0524349f2a8a9150d2465f6cbeddc768c4f28efb1e78c11f

SHA512
36774e9873c0edbe39f26168fbabf0e3398b271d7ceca0516bcaf992d44e8ee747b0d92959e1560191588dad5e99e0839d5c05bd1f0bf9c30586cffe81b6c938

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
128KB

MD5
fba9b0dc379f3436f0169ab4a9790d58

SHA1
70a80ff3038ca4f2592a54044833d0dbf3e06cdc

SHA256
03b86924c2a17baae93a78ee0b3a73d1db4198a858c4545820ef7f8ea6c23415

SHA512
d66ef5bd3a68bc655ac6e16ef5eb0ff44896a129a1dbf271a28664ce1106221e829e4fe3ee930146d30be0fff6229690e6a2c7a8a58529e47c763f0081a05783

Download Submit
C:\Windows\SysWOW64\Bigbmpco.exe

Filesize
128KB

MD5
4696d9145e7126c675d238f62acd7410

SHA1
c4514a63e77758901c8f8f2fc8f8debc6d785d10

SHA256
cf36cfd40295a96a9ded6828e6b7726b2c69e0330ef0b1687de10c62c2c1bd19

SHA512
386c891679c9cc5ff79b6c1a657c35956df89df593c4096eb32606145b3aa68bb94467de59553ec7e3c68c8a0195d2a540329b2f4eb3f43b84ed640d430e355c

Download Submit
C:\Windows\SysWOW64\Binhnomg.exe

Filesize
128KB

MD5
336e5598491b9490d6a2053896f34a98

SHA1
b29e0c76f9e8c1b5c08aa388ff033ef843e98ab7

SHA256
db705773d1ee154fae214a43cf9d1ed739e34aea4d9f077dd67acfccb998b3b4

SHA512
75d427078f24a84fc42e00f9294fcbfda995c9ccb12b62859eb11cd8eb0c46082abb8996e5f12ff34ad485192879a76e3ba57a4a9300f800d8bfa3ab59c8e048

Download Submit
C:\Windows\SysWOW64\Bipecnkd.exe

Filesize
128KB

MD5
ea873e665264e7b1561798e9897c9997

SHA1
91adf1a825714104b4f961f5589ccc92c0f11460

SHA256
4d62c9277615f3bc6115f784e7d056d2faf44e02a14574dfc6f9cb810cbd783b

SHA512
b8e115c9e4faee3e6cfb47cf22f069da17c8f50f822f0c717cc4719d042bf24c83bb4e6ba454bda090077dd8f23b1579f320aa19664b4b50f6818e17795ca081

Download Submit
C:\Windows\SysWOW64\Bjfogbjb.exe

Filesize
128KB

MD5
11cd0aa99a2f1e5e7fd3ea43304eb947

SHA1
73d85427ba0ab7087dd3856323a677c81df1fd79

SHA256
bb7b71b11135517a69573fab11ae483011e43e9968e6a609b8986a6cc6c9f284

SHA512
21f0bfdb48877abdbc58debe6e38e9aa64e4af34a2bdb79ee7ce0b8d6a756274a580ba87cb4482dbfa35b678d5e3c7c24566a3c4edcecc414579f5ba57d1a9b9

Download Submit
C:\Windows\SysWOW64\Bmggingc.exe

Filesize
128KB

MD5
e55251e55899de5f4a6d4e083da9be73

SHA1
418f553ce345321d333f0b41c1358305e140dfa1

SHA256
fa39d0b4e363f94110456272a759c5ddb0fd73b0ae63f458129632a6c4aa583f

SHA512
04cd8a6cb1571bba8242fd59a02cb90deb64d1861c28ebb07b76bdb3b20638a0235d244180bafd93b75f230d54719704bcdf4d49d07bc147f3b0dbb2fc078d5e

Download Submit
C:\Windows\SysWOW64\Bpcgpihi.exe

Filesize
128KB

MD5
6be3bc90b361cc2202c01307e143f364

SHA1
c872292df06f0394491e2c02c7688ffea8fdd6e5

SHA256
fbd4b0300df8e34f13941b85fd7f33e927e119719f8b7833d092b226ee9f36c0

SHA512
a7bcc85d03a6b706dcd4c9272813e7f22fc2c5ac3c4630f14c9b6fa987ab5309d4d7c16a7e15a4fbf8eec3100f0da41068c5cb3ca1c9aee74b731eb3388e11c4

Download Submit
C:\Windows\SysWOW64\Bpjmph32.exe

Filesize
128KB

MD5
cfcaf0165fec3437b68e970ed5e31257

SHA1
382abda5d5a13552598b6cf3985c2ada6340668b

SHA256
3e818d7ea596ef43187e99e02001d688554e19edef56ef0317e776f2aece4b7c

SHA512
7313403ab200bc692b69b860942b882e22664f99f748afc720bcbfc101b55ac5d81daa49bf30f0aa35b19170e2e8d4e514aacad8f4c40111a5b21216c35affdf

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
128KB

MD5
e714d0428aa6bd1314765433855b372c

SHA1
22a8eb47a9da6a2f67c35da70c7dcb4b6a15770b

SHA256
a84d0b9cab543a74f42d81725bc318ae8550afa645e7dd095dfbceb0f1390fe0

SHA512
93750af5a9746957a3d8781e6749fbf49d99e1fd3372d102a5de21504bab3e586ec34036651c89c1759568eb9e833aa11cfaa12571985c1aaace07b23185831f

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
128KB

MD5
2fe27ce684c12da3a2bb8cc0728be7de

SHA1
d8eaf3ffd809d7144dc51ac8c0e460a747bc2b57

SHA256
aa0f05ffb35427879abff70d4d43f69c87911db49bc64f6552b7810950d85a06

SHA512
96246a8a3432f1edc0adcff42ad65da8a86cf78c2fad535d4e9959325517b5c2e64a10e7c8e4ef11ea4c40b6aa05483991c6d200c34d048e92f755b258880fa2

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
128KB

MD5
4854548ee4839f08bf2e70928c03143e

SHA1
2b160baaaa7dcc795f5866bbc3c373dcc824793b

SHA256
903889af73b1e02dcebd97be0a2d4dfc99223890bc26398150e8775d0e2dccbd

SHA512
911cfe9223a8f92c1e14eff56aaa46981a72ed3d2f3011dd2f68691bf5109d35346d0f4c5babdd1380810d6a3a47039f978e63afba6713827390ffcee6637e5f

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
128KB

MD5
8c8ab096e2bcf33a4389bc27cbf2ba12

SHA1
b9739d847cdaa7488e7406f34926f58fbb49dd26

SHA256
4bb564a3193c1d87f7ea0aadd8799a1517c5e732be8e620d889957597ae53082

SHA512
7e6234b4971c722ac151ed66a53547f49e6c14935504f3638a9b786a7c1220fa73dcadb25656ef915ceafc3be20a1d75f36b5fb8112f48e4ada0ccc0a734380b

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
128KB

MD5
4851ed57136a26e665207113cae53d0c

SHA1
46c92baa4a7d1cac589885315b0146ecad675134

SHA256
a35d551e7890b819f194b1aea158b868ba6fa0a0b49e46eb5e6b426d2d1134b4

SHA512
d6b72468dc12cdf8ec0d5266954b0a8abb7837a65cbfa67c8f36e761c37c8e6fa8682a1663c19c17ccbd19286fd0312f94eb945905fe0dcd7aa96457cf651727

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
128KB

MD5
bc8eb4f00917200d654b73ecc12d9a54

SHA1
fb9e524ce1f51b9154b4ee49eb730c91c0e8842d

SHA256
087cc5da97debbcbd6ec5ddec27346860bb6068f252dc7ab6847851f2fb17ae0

SHA512
c50d33bc9b916e8175431208ac0783ccab8494d5ef93f561d0eee56f7da1577e6c306a63dcd8a89cb118482b45052eb923035826c900176e27ea263b3cf9a316

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
128KB

MD5
d1965b498d4942807e4211c0d2625152

SHA1
e61d5952d5d734a9c39c4952b22895ab81598dc3

SHA256
b3368ce700c3d76fccdbafce7392cbce7062e86986dbb4785f2bd6a19e941baa

SHA512
9b3d06403f69e08cf0196ef305a8f91a87ec708621aee7adaf42c095ceeafc49207ce2d07c5b7389a9b7e48cd71e09e157fea3acd3fc03ad3196d9f71e8f0215

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
128KB

MD5
fca1e0cd58d5505b109c0cdd7fe48155

SHA1
e3f11cbb81ef8f913bb8902df63c032f370a5a00

SHA256
fd6b7d15f65487bf3ba62c48127ace92f0344fa8cde1377ab5b00ef44a1109e9

SHA512
0a3a84bab87522cd7613932ccf7441eed2959a023eb9902fc83452f742bf3b31700f08068bd783e37fb4442cf3998abe3c20acf5819a0d2c3f41126921075432

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
128KB

MD5
aaeedd614cb9c36498cad77e81ad6c1a

SHA1
4ff4f7a8394007db28ae8c70a464a771407ab46b

SHA256
1377d6fa767e228e6df16075839a151f16f06ddd2836e2106e3db07d7d40e79d

SHA512
1350810556bfce03b436765e00648599327011b733372b620babf1e5b13f55bfc18430d30496fc362bdf8a68f38cb345d8c75bcc62a7590f44ccb6070c1ca4e1

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
128KB

MD5
fd565f95a87f07214ca891b8061128f1

SHA1
3871fbb43acacde2d8d2d5096d9a797c9541cfb4

SHA256
55ae9cabee3151443bca66a6a72b8c56afc264bc5ae2d77743367bff0317268b

SHA512
e82edecb902602a295f9590c4d9259cd0881663489008e8d7ed60ace134cebe4cd42022b7dc0bda3a117b8cf4bdab29d1b2c08865e8de6974269749863f3c502

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
128KB

MD5
d70056f6bf697ed0d8d5f88d74695ba3

SHA1
faea3a3326ff8ec92ccee28a689139974aa5ad7f

SHA256
749c36f2207ea86951cb243d49749d6065d1b06f3e65317a3fac72f8243e57ba

SHA512
ca725b397893575e91ffdb86af40bcdc6bc59bd14fdb557e53c98ea078e199488b144a42a9d54a7ece7c86ee41c65176e7555aae47aced2e132e4d11432c6d07

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
128KB

MD5
9a4b24efe5cd3f6a2ed1eec59d31316c

SHA1
5b2a26272d84eac9af8804e79d2955898ab2ef4a

SHA256
cff46eacec3ac1cfb8d78c2596a62760c75b4432aadad37b087e57129c883789

SHA512
a502d582859560a0d84dc47b35836b7812c2baacb880e387edaa3e43d2abcbd2144ac904238160dbc018300cba183e5df3f8642acc6287f890659fe80b697530

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
128KB

MD5
d86902437c472cd84bdb605e671565c0

SHA1
db3f610b94bac72b4a70389d7264b94739989edb

SHA256
b474a943c0da2c6874c2d518bba7455eb9b8e8def4c6393350d65c9e3818cb47

SHA512
5d79ccfd549608461f175f520405ac92d5d1a91fcb2425f87c0ae5a80f4929f07fb352855533e4119aac2753e721fe456cf3a2219f55c3cbd68b6feb3b69a7cb

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
128KB

MD5
1145e424c96ba085421a0a569efa0fb9

SHA1
06c29553269665d7ef6ad10ff26f5005121cf15f

SHA256
a461b0344822c24d5e0d9a333a1a83ee6c9545a4863ccea34d9cffa6de7b755e

SHA512
57854a60a548ba5767fbbca9f261f927301ccde16151d9c9a0e09e1c7ccc64535394bc4a5f46934ec4771f044593fd39aa6a70a0cafd00150af2fd845a654f26

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
128KB

MD5
05248689b7b70205602608d6e2c3722c

SHA1
faa0901222e4d8917c06a75f13e1acbfe361d153

SHA256
ccbc8717830c1af685fa5f71b71ae31236407dd1eef05e731180652d9e955d66

SHA512
aa478f9de5a02046ec4f989711fa64f671b6e61e1fcfd57add5f7e51c8cf140f941c891d0b2dcbe804fd70d5269ac3b2566114ec0bc20a89f19f8d9f7efc3ddb

Download Submit
C:\Windows\SysWOW64\Eafbmgad.exe

Filesize
128KB

MD5
c8607af02b38c2cf1293fd479fe7f785

SHA1
5f24e96b539928c4f0f87362b3745cd9a02e7022

SHA256
6bd0f81ff7c4e48c10b576231b6565d1abd8fc58f7cc1bf9e2447af67864fd57

SHA512
ad6b4a2e260f2653cfe8ae9eef7fbd7e4c5668fe7a75cd82841740c1fc78988a2110f4eb4c4700402719d40c964941e5f7f6f69093e53edbe59bb62830773ecd

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
128KB

MD5
454db40577c7133a059b5b2fbf400c35

SHA1
bb395fbff0c327c0f3a97d1878c2a42dacfbd65e

SHA256
390546747f054fef2950fd1480db685e7e7bda401eec16f9b62872201bbda559

SHA512
67d35534729e75b3a4bfa235e43b8728fa7f50cebaf6a5c9855caaff8f64e15ba6707a3e7d79e4cf9296006f79dd269ea1534da7d500c3e792ce954efe79b6e9

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
128KB

MD5
4fed8a4ba60f9139ca63fd1ba7be29e1

SHA1
3cc6fe0ecabae38da40a94af90039e65f4fa12d6

SHA256
c40a4080d288fc5b5d022de8dcaf5d7748622de50105fe9343e27b8129e4551e

SHA512
318ee5eacf08493513b5700bc4d10e199c89b5a4cb855534084d359aedb5c84dcf3bfb9d3b3387a3929f28e47fa66086c3a581f157af486dcae012dad775c520

Download Submit
C:\Windows\SysWOW64\Ekgqennl.exe

Filesize
128KB

MD5
8798d1338617462ecb6c8fef2b9cb04e

SHA1
47016f194d087bab81d632eb4e2395a33f2f58ff

SHA256
dbdd218b9f8f82dc8a40fe2c433513c9bfa480ea6ee0e4baab1fcf60429eea3f

SHA512
93eb809b2c585d1ee4e5e7832a8076b8fcf3b21170da5520028a98835289333367e60bfd2a3bd2fd2e5258f57b11607907d1d8102e7c4df4f761e24e037bec25

Download Submit
C:\Windows\SysWOW64\Enopghee.exe

Filesize
128KB

MD5
289da3e943c49ca788dd2adf94ac530b

SHA1
baa054b84791403d46465b09f59e0c4079d71ef7

SHA256
388f017d2920c21cb2662057cf1af589d16e874765bbc2f15fef7e56ce4c153d

SHA512
8a16b2a19e19a0466cb828751e125c5b0b54fce103bac9b5da720ab7645fca25d28febd043f717545421b2e85fc00250c4d22745bf01cf362faa5bd6478e95a7

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
128KB

MD5
208b172331e77c0999671efbcf1a3ebe

SHA1
77292937b6df175d16948b4d97e248f6cadd9063

SHA256
3f8e1a7dbaebd7c571d1f3bfca87b4e1638de3d72074c9cf398cc9291633220b

SHA512
c8679b52857b9a3243f86ec9cb7b26de5ae102091a0fef44d1a15c1114191f63ea01090abfb28fc9bfa12d7c7aac5ffb43b39fc2450c1d7cfdb08552986a32b0

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
128KB

MD5
08fac4084310b9c321bbae89aadd2d3e

SHA1
39916131f67e81af17aabc7709f56ec3ea01359e

SHA256
87eb9e72c5ece6cbad4454cc6736de60664fca801e9cd99a6d31875b6c8ce76e

SHA512
d82c58ff2581ec1a98deb66425a4b9bd3a82617f354531fe0dac7f0601e4fd3a8ca192e47b6261a6f9a13bcc14aeda22f7d96d4660b9acb8ef84e6c6781d48d6

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
128KB

MD5
9400324ac07058ba1134c7c1a1ff53a5

SHA1
47a2eae7e2e8a5d9293427e1f65c5a1a11d36829

SHA256
f0b00691f49f3653b4733f9b702be949085e400c550d24f78cd9e9c842ee07c9

SHA512
d4dd5a62b29a49a360bbfa56713890be5b9690efc95ef2fb41e6286808ca935c9ebc59f2e508bdd5d524d675f0297722ba908cc5f86e465a8014aebe0cb49490

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
128KB

MD5
c2566fac002a1c8aeee402709b4135aa

SHA1
a59434b13b4a0bbff15866b22f5f515fcc43ee9c

SHA256
e3338c25ec3e6822944aaa64c184fa0425e5703b8935e6dcb31f640d760fc60b

SHA512
05cddb617ec0b9b2056925d4bd80bb6ac774b01858e5b32fc76b573b71111fe3c20c356f99e5a272b8adbd15795dfc5f7c55b3b1b929e2a0057357247030f799

Download Submit
C:\Windows\SysWOW64\Gnaecedp.exe

Filesize
128KB

MD5
d067df669da2d76528c1b550b59082f5

SHA1
9677cfc63179a359721b8480937bda2a7b665b40

SHA256
bb8da80c990684883c4ac62cda0f2e4b0f864157ed0bf42e915e424f118db006

SHA512
de709e742d358ccf08f6dcf64a2c5ac01b335fc6bb0f5860a2af696ff162043e0d5c04af7e828630a18c0b6e37d9271caa4711b5f4e11a5761834939d3d3e556

Download Submit
C:\Windows\SysWOW64\Hgocgjgk.exe

Filesize
128KB

MD5
5932efd26d348308b7027cf7456bb44e

SHA1
af16488bea02e8976cadca73bd27d6e54df30e5f

SHA256
aa79b7a9f1e693c7f5081c266250bcd3623cbf36709e753709872107c406fbe2

SHA512
f075a30d543a16c09344ee5533846bc3df6ef333235bc93c75909539cf1243944089ce0a163c6eb13bffd0bd740cbd0d33180e44770c39390488d9bdcbba8a24

Download Submit
C:\Windows\SysWOW64\Hnkhjdle.exe

Filesize
128KB

MD5
defae574e80b81a8cf63b4bca76911c0

SHA1
e14411f75d797adf40be3b6edec2d382fe9d1266

SHA256
ddd65955425582a70663849a5db0c0d017630b06f7333d155fd2155df216a492

SHA512
953aa62e9c91da792e04e2348d8700fcb561cadf34558b8e0569471c382a3456359a082e490e478b5921764414bf1c87c49742fb421856fc733af025fbb89097

Download Submit
C:\Windows\SysWOW64\Icogcjde.exe

Filesize
128KB

MD5
15a386f881ca32a171565c47e8dc6eff

SHA1
5177c0a6cb1995b3467b3d9353ce2ef36c76b898

SHA256
81666af03d3cf5ff7d8c2989e249d8b72f99c585282d1c7a46866f70b99f5f88

SHA512
b6286505e71e61d41a76c852b7b2a797c829b452fdf6894003d1236db36d564fa7a3854d0f09358677fdff4b6854550ccecbd934f76776df1d94641d37a6b279

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
128KB

MD5
b1c08c3f902483c364611fffcdb465f9

SHA1
c1237166f96d05f18d0208bc08b1cb7bea884fa9

SHA256
0e0df8c59f854a541fc1ab3541157b38b34ef2ac1f2d45adaedaf440cd2761fd

SHA512
21c91ab01a6dc732466653286cdc5590e55cc91bbe0bb8548f929d1c09a367151c3187286546524e6a31716b23b5b097edaf6ad96b53e3918b9efed2032f64fa

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
128KB

MD5
898f73249b5e149710d0358a2a95fba9

SHA1
9bd328eeb16ebc108c99244c9ec1976c32c3d6c3

SHA256
ddaddcd81e41a31dfcc535db7b69b078aa1ab89a02e468a9a04a05c8ad7c8936

SHA512
0c78170d8cc827841aae464020e892e12ce71b4d6abd60be735d1b85852311bb23ff0f1e1484bf14bdee82642d02499a9355b1b6eb89e21aee45fbd5fcdf01a7

Download Submit
C:\Windows\SysWOW64\Kaaldjil.exe

Filesize
128KB

MD5
d733ce8108a3d599ad6027267861f40f

SHA1
ef9727ec392fffe23162228b621679fce7fb4f51

SHA256
0651ce35b91627b3d52951d66e45dfd334c7dee2f6f9bdc4b7f85128d073c238

SHA512
ae53ef7d5f60cbefe1344425f85f3de049eab059ca0c933afbcea52d77694c707d731f617663878add2b02a776c2c5e933980c8aae6c8901e790fae78ad8aa93

Download Submit
C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
128KB

MD5
87fa3d85bcb54489ef743a4e3ccd5473

SHA1
d6871b3a0ec01e270c16ff59d69af734e2b57789

SHA256
56b127cd3ae86f0f6b8ffef5f49ab4aef177caeb205ed221c48cd7772d779a45

SHA512
91244aceecc361017b542d4b62a158903ee7b15a8a5c694bfc4759b077e7e984950037076738f8ca8084e8ce9bbb220c5889f318b6507991ab7b060cf2557968

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
128KB

MD5
a93f1cbb30f195ee5ce4c0d7018a2b3a

SHA1
7b5ae564299c97162fdc0d5216e4ff6db7a21b13

SHA256
7a0b4cc86691f14868615bcbd88b85ca18624b612465c95e9ceaf3c5a2d5c66b

SHA512
083734871d0b073b21fbcb43b91d46be7198a1feed40d6208363be585981b4c8e91fc384ffcbb3e89c446feb76d8807276a778d75e1df84afb873ea44de35a0e

Download Submit
C:\Windows\SysWOW64\Lbqinm32.exe

Filesize
128KB

MD5
6d5a886bf7493e4e9f236566cb8a25d0

SHA1
de5b3300c4a556c40fdd06a0c155ce263f675db1

SHA256
5782bf3405ff9666c4505798fc693daeb3efa8d3f3d191aca85ac9a01cf4721c

SHA512
26b44b6040227657a6973cb0dc55786a03132ac7056cac58f66a206037a0eea4a13e3e3354182a5d53b47d1252b4ba0d08d2ce0477226ed918d51bdf2189a126

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
128KB

MD5
1ef9c6fef8369d55fecea9c15decfc23

SHA1
c5ad402634bc47c375754a3cc6628370e6c73306

SHA256
227fbc4d1cc343a7dbe5971f8f9d673663ed167045fa7c2cfda31ba54ec80eed

SHA512
b38f10b02c4744f7ceba47b57e63ddc1ecaaafe3ded375dbb5c0a80bd74116b3f7f6e333bb60c778077ddb9300dcbc171f8f34b651bb12537407f51b96547fad

Download Submit
C:\Windows\SysWOW64\Lojfin32.exe

Filesize
128KB

MD5
7e61cba7345620081692cd650b36c656

SHA1
047ba482f09ac2ec0ec2bcdc4e4e36b084cb362e

SHA256
1b64412f0b358258f22cb9a9d2030eee23702d56b7015b9a11503844dcf0f69f

SHA512
b454ccedbfa4a141cb9d95ecac3b71a6526d666c30697cee904f3fabbc9b326e5002980ec0aab13e1f66ffd46f399ce6442e5f1b7056ebc7a983f16c2fb4f942

Download Submit
memory/316-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-432-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-582-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/656-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/676-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/748-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/768-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/780-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/828-414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/852-547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/852-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1072-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1140-426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1144-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1340-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1340-589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1388-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1460-444-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1464-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1660-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1744-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1776-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2016-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2552-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2628-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3220-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3472-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3512-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3524-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3620-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3836-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3872-438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3880-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3928-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4000-575-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4000-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4092-534-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4092-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4092-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4216-568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4216-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4224-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4244-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4304-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4472-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4672-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-576-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4740-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4812-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-561-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-554-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5068-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5172-450-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5204-583-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5216-456-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5256-462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5344-468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5404-474-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5464-480-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5508-486-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5552-492-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5596-498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5648-504-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5688-510-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5728-516-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5768-522-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5808-528-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5856-535-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5932-541-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5972-548-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6016-555-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6064-562-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6108-569-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads