berbew | 62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5e

Analysis

max time kernel
99s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe
Size

1.9MB
MD5

fd9ae66b863dadc3f724cc2a1793a1f0
SHA1

c452513a2093e1b5962c39d5ada88c5ab7b8cacf
SHA256

62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5e
SHA512

e0b0719c7d85e711ae83aad6c81c6df567f491cd44d0dd583a5e6e613a3f43b8f75764a8a1325e80d58f54bad3129c49e664bc0a25908763172439dd30c48ad1
SSDEEP

24576:/NaaBNIVyeNIVy2jUKaNIVyeNIVy2jUtc9uO2NIVyeNIVy2jUKaNIVyeNIVy2jUO:2yj1yj3uOpyj1yjH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgjmapi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iifokh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpijnqkp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3628	Icgjmapi.exe
1240	Iifokh32.exe
4128	Ippggbck.exe
1212	Jfaedkdp.exe
3644	Jpijnqkp.exe
4116	Jfcbjk32.exe
1860	Jmmjgejj.exe
1124	Jplfcpin.exe
5080	Jfeopj32.exe
656	Jidklf32.exe
4172	Jlbgha32.exe
1552	Jcioiood.exe
4640	Jfhlejnh.exe
876	Jmbdbd32.exe
2116	Jpppnp32.exe
2360	Kfjhkjle.exe
2632	Kiidgeki.exe
1780	Klgqcqkl.exe
3468	Kbaipkbi.exe
5064	Kikame32.exe
1908	Klimip32.exe
4420	Kdqejn32.exe
972	Kfoafi32.exe
3052	Kimnbd32.exe
776	Kpgfooop.exe
4952	Kbfbkj32.exe
4880	Kedoge32.exe
3812	Kmkfhc32.exe
1680	Kpjcdn32.exe
2420	Kbhoqj32.exe
2056	Kefkme32.exe
4120	Klqcioba.exe
2344	Kdgljmcd.exe
4956	Lffhfh32.exe
2944	Lmppcbjd.exe
4888	Lpnlpnih.exe
764	Lbmhlihl.exe
4468	Ligqhc32.exe
1528	Lpqiemge.exe
4308	Lfkaag32.exe
4624	Liimncmf.exe
1704	Ldoaklml.exe
1260	Lgmngglp.exe
3916	Lmgfda32.exe
2020	Lpebpm32.exe
2748	Lbdolh32.exe
3264	Lingibiq.exe
2576	Lphoelqn.exe
3972	Mbfkbhpa.exe
2328	Mipcob32.exe
4384	Mlopkm32.exe
1276	Mchhggno.exe
3300	Megdccmb.exe
4772	Mmnldp32.exe
2684	Mdhdajea.exe
2060	Mgfqmfde.exe
1028	Mmpijp32.exe
4636	Mpoefk32.exe
4404	Mcmabg32.exe
4476	Migjoaaf.exe
1760	Mlefklpj.exe
2440	Mcpnhfhf.exe
64	Menjdbgj.exe
1272	Mnebeogl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fojhkmkj.dll	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Mmnldp32.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Iccbgbmg.dll	Icgjmapi.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Jfcbjk32.exe	Jpijnqkp.exe
File opened for modification	C:\Windows\SysWOW64\Ligqhc32.exe	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Kedoge32.exe	Kbfbkj32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ippggbck.exe	Iifokh32.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Klgqcqkl.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Lfkaag32.exe	Lpqiemge.exe
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nngokoej.exe
File created	C:\Windows\SysWOW64\Nlplhfon.dll	Klimip32.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Elogmm32.dll	Ippggbck.exe
File opened for modification	C:\Windows\SysWOW64\Jmmjgejj.exe	Jfcbjk32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe
File created	C:\Windows\SysWOW64\Leedqpci.dll	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lingibiq.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Kbaipkbi.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Jlbgha32.exe	Jidklf32.exe
File created	C:\Windows\SysWOW64\Migjoaaf.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceckcp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2388	4964	WerFault.exe	234

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iifokh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfnbea32.dll"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagplp32.dll"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll"	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll"	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memcpg32.dll"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 3628	824	62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe	82
PID 824 wrote to memory of 3628	824	62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe	82
PID 824 wrote to memory of 3628	824	62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe	82
PID 3628 wrote to memory of 1240	3628	Icgjmapi.exe	83
PID 3628 wrote to memory of 1240	3628	Icgjmapi.exe	83
PID 3628 wrote to memory of 1240	3628	Icgjmapi.exe	83
PID 1240 wrote to memory of 4128	1240	Iifokh32.exe	84
PID 1240 wrote to memory of 4128	1240	Iifokh32.exe	84
PID 1240 wrote to memory of 4128	1240	Iifokh32.exe	84
PID 4128 wrote to memory of 1212	4128	Ippggbck.exe	85
PID 4128 wrote to memory of 1212	4128	Ippggbck.exe	85
PID 4128 wrote to memory of 1212	4128	Ippggbck.exe	85
PID 1212 wrote to memory of 3644	1212	Jfaedkdp.exe	86
PID 1212 wrote to memory of 3644	1212	Jfaedkdp.exe	86
PID 1212 wrote to memory of 3644	1212	Jfaedkdp.exe	86
PID 3644 wrote to memory of 4116	3644	Jpijnqkp.exe	87
PID 3644 wrote to memory of 4116	3644	Jpijnqkp.exe	87
PID 3644 wrote to memory of 4116	3644	Jpijnqkp.exe	87
PID 4116 wrote to memory of 1860	4116	Jfcbjk32.exe	88
PID 4116 wrote to memory of 1860	4116	Jfcbjk32.exe	88
PID 4116 wrote to memory of 1860	4116	Jfcbjk32.exe	88
PID 1860 wrote to memory of 1124	1860	Jmmjgejj.exe	89
PID 1860 wrote to memory of 1124	1860	Jmmjgejj.exe	89
PID 1860 wrote to memory of 1124	1860	Jmmjgejj.exe	89
PID 1124 wrote to memory of 5080	1124	Jplfcpin.exe	90
PID 1124 wrote to memory of 5080	1124	Jplfcpin.exe	90
PID 1124 wrote to memory of 5080	1124	Jplfcpin.exe	90
PID 5080 wrote to memory of 656	5080	Jfeopj32.exe	91
PID 5080 wrote to memory of 656	5080	Jfeopj32.exe	91
PID 5080 wrote to memory of 656	5080	Jfeopj32.exe	91
PID 656 wrote to memory of 4172	656	Jidklf32.exe	92
PID 656 wrote to memory of 4172	656	Jidklf32.exe	92
PID 656 wrote to memory of 4172	656	Jidklf32.exe	92
PID 4172 wrote to memory of 1552	4172	Jlbgha32.exe	93
PID 4172 wrote to memory of 1552	4172	Jlbgha32.exe	93
PID 4172 wrote to memory of 1552	4172	Jlbgha32.exe	93
PID 1552 wrote to memory of 4640	1552	Jcioiood.exe	94
PID 1552 wrote to memory of 4640	1552	Jcioiood.exe	94
PID 1552 wrote to memory of 4640	1552	Jcioiood.exe	94
PID 4640 wrote to memory of 876	4640	Jfhlejnh.exe	95
PID 4640 wrote to memory of 876	4640	Jfhlejnh.exe	95
PID 4640 wrote to memory of 876	4640	Jfhlejnh.exe	95
PID 876 wrote to memory of 2116	876	Jmbdbd32.exe	96
PID 876 wrote to memory of 2116	876	Jmbdbd32.exe	96
PID 876 wrote to memory of 2116	876	Jmbdbd32.exe	96
PID 2116 wrote to memory of 2360	2116	Jpppnp32.exe	97
PID 2116 wrote to memory of 2360	2116	Jpppnp32.exe	97
PID 2116 wrote to memory of 2360	2116	Jpppnp32.exe	97
PID 2360 wrote to memory of 2632	2360	Kfjhkjle.exe	98
PID 2360 wrote to memory of 2632	2360	Kfjhkjle.exe	98
PID 2360 wrote to memory of 2632	2360	Kfjhkjle.exe	98
PID 2632 wrote to memory of 1780	2632	Kiidgeki.exe	99
PID 2632 wrote to memory of 1780	2632	Kiidgeki.exe	99
PID 2632 wrote to memory of 1780	2632	Kiidgeki.exe	99
PID 1780 wrote to memory of 3468	1780	Klgqcqkl.exe	100
PID 1780 wrote to memory of 3468	1780	Klgqcqkl.exe	100
PID 1780 wrote to memory of 3468	1780	Klgqcqkl.exe	100
PID 3468 wrote to memory of 5064	3468	Kbaipkbi.exe	101
PID 3468 wrote to memory of 5064	3468	Kbaipkbi.exe	101
PID 3468 wrote to memory of 5064	3468	Kbaipkbi.exe	101
PID 5064 wrote to memory of 1908	5064	Kikame32.exe	102
PID 5064 wrote to memory of 1908	5064	Kikame32.exe	102
PID 5064 wrote to memory of 1908	5064	Kikame32.exe	102
PID 1908 wrote to memory of 4420	1908	Klimip32.exe	103

C:\Users\Admin\AppData\Local\Temp\62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe
"C:\Users\Admin\AppData\Local\Temp\62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\Icgjmapi.exe
  C:\Windows\system32\Icgjmapi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\Iifokh32.exe
    C:\Windows\system32\Iifokh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\SysWOW64\Ippggbck.exe
      C:\Windows\system32\Ippggbck.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1212
      - C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        25⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        31⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        36⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        56⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        69⤵
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1980
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        82⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        87⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        90⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        92⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        95⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        103⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        111⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        112⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        116⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        117⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        127⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        131⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        133⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        138⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        141⤵
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        146⤵
        Drops file in System32 directory
        
        PID:728
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        149⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        151⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        152⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        153⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 396
        155⤵
        Program crash
        
        PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4964 -ip 4964
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
1.9MB

MD5
ddecdea9b759473928604380dc7d18a2

SHA1
fed1d9a5b93c72635f1fb3659dab9d330d3da44a

SHA256
79f53ea81a4420198334c7bac6ce8ee2dd69e4455df4acb7381cae8fe05cfea7

SHA512
1363fdb077d305cd46e7143fd088995e0a64f5f94c564e8cf06219e820b18f305f3788354c30c3847218b2718e8f1da67b67de1f989de03502afbbd47df34deb

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
1.9MB

MD5
7ab6a5f5f55d1b94c925e4467024659a

SHA1
d262f5df712c1f82ca8a6852646374e09907bcce

SHA256
ec377667063347f24c7f3f9a02179ead0b1c9d43d48a967d157eb427ab614af5

SHA512
a8ac54da98d6b3a33ca8c909ebbb6874086495cf6e59c1bc6347feef6804b8eaf8da80c567fae0ec51a66420782675d70d2b11e848e22100e226ba5d67df804b

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
1.9MB

MD5
532ed1189eb141fecd24e59d544524b9

SHA1
564937904eb3f07ce9632b889dbf6b056fccf70a

SHA256
18a95855b0cb0ba6bcb21069c2779796d52947f861582de4d7b5a156d1427b62

SHA512
f5e145139ac670d39f4bd9c3fd7fe9dd875f6ebd4e7acfdea57e3dab74c7712ce8a5c7275d4081d8b6a57db258198035a58a6e2e9fbcbab061dd0feb42a8abe3

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
1.9MB

MD5
b7baae380ec8aad40f629b4490dfd3cd

SHA1
a0f7f5d517320ddb23df8e524db7d84b8f149712

SHA256
da3fe0136bb2e154d5252744746dc85c3f1af063ca47f86f3e2c818122a99080

SHA512
176346037028018ad61a3052ba9acaf7ff87903c20607673688ddc294bf6125c59a595b45cd4cfdda633e512788d488ba0a45a9a0d1044d13c08486ac84464b2

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
320KB

MD5
5257c3f2050cb40e6e7d9d02b71e98b3

SHA1
8d2b91d499e19122e10a9fb71a9fdd36e916cba9

SHA256
5a7c1b6741c1b38bdf08ea1bd1f1fa3a52a1332f7a88c8169307ddd3fadb1ff3

SHA512
e322ce2a5bc639a284d96f96a8ce956d77857892ff135c6da29b2ece005331a04103cc7a1cdd9d0f2a0d1ac889e27629385d4a48a49ddefe95aa6a7a4ff18f66

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
1.9MB

MD5
f31fa3cf94de41eb744d9b7ddb028d6d

SHA1
50730d22cc2192da986f6252f63709a9e5aeb2ca

SHA256
3710753f12ef60134cb94d31af79173da450eee27ff244074e37f3cf4a96fa7a

SHA512
385d625e7133740edbdc388584e29489ee5d1028277cf81804270f57c2da37d12bbc6423d2e0faa43799ca69cb21a74917cfcf0f03ea58d49b6ade496460c3be

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
1.9MB

MD5
37f6b75536ccb4da6fe43405a148e673

SHA1
d8556dd35607201bb432ed96b1da88f38b07d0d4

SHA256
e0d0eefbc89202f03857b3bc1803236bdc2f10283cb9fca4376830a6284ece80

SHA512
3f8529668673c30595bac5ef94700758ae3d8809e860984a14f1dd2a4df28533f668fa31e32607095a412261e48b200d0782dd15e8934acbc51205145db6128a

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
1.9MB

MD5
0bb6da59cbb6218a35677d56e46d8a8b

SHA1
fc59f6115e524b7c2375cceefe1b98a30d63995a

SHA256
955dde784af6e2441e6557606fb4a33a20fab7bcb74b8e8c0d3ad36ea8f3ea88

SHA512
9afa3bd31ab48fa373f81b75c0b028231c26487ecdd74e40a0fa496cc35f74df6ccaf326025125f4179704c43a5b9247a72b4d1e0e1d395af641abf556e69473

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
1.9MB

MD5
695d0d58e111f088edf481094269004d

SHA1
112ea6d3d8b350b057c5021d9d4b8293dccf8bc5

SHA256
c5a4af6a92f66de84af889128fce711ee02f1791c0369efd520e42891298a979

SHA512
02700fa5ea71f892363287e90f2bd0bb5a56814947f7eb4e052ad2c2a1cf6f15def8a9a433a6cd6dd9d9909593e7fa1870f5bd2588a805e61914775772600ad2

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
1.9MB

MD5
55cd91d365e0241b3268ec18bece2287

SHA1
2719dfcb99477e764f937bffebf58977af2d29ac

SHA256
bf8fade39591eb382cec1847b8417aa40734fd158e031d8797c48fdfcb826f9d

SHA512
3b20f18aeb94d1c3aab5341cae691c89a48373ed5a972dde3995a14c5092b58b1447709c4f5056695442ea0452114696c4e577d472a802957f3d1c7e31526dcd

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
1.9MB

MD5
3ed92fc9284fded44a7fde442fdb9bd8

SHA1
d2e01f885c6f4045046e4d0a64ce026277a6aeb3

SHA256
39143b16396bc81e8287b7b76509e87501a510a0ce500a6759b0a877d3139219

SHA512
0c82fe13209b6b98d5650c7bd82b5a1541204ac68852c0878b1b9af1e74c402ab58ac16b4f83fd7a6d551ad9def5af9a62312b6169f3cdd1ae3c05df37c1513c

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
1.9MB

MD5
54441685cda6f249cea7470a1511f9cf

SHA1
db98de7643e99cadea7770fa494bef3d0c772e4b

SHA256
538ef9140c74af7a4c88355d742603f90569d37538b0f0f7ce34cd29f6e066ae

SHA512
fac44154aa147316146b7be8676195330a1085895dd203b64989bc820bca2dbeda521795211ad0a982e9085ded558fa7d1180741b423abf267a9c77b536dfb5d

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
1.9MB

MD5
fe40286bda56d4a3d400aebea7e4ee93

SHA1
8f914f461420c88ea6f527b61c9abccea992d16c

SHA256
06efba746f37458b5cc602b440616b5b5c48e6c0c54f78afee275d7daff5024c

SHA512
fcc43a99aae0e1d6440ff7fd9d2f5296b98d60ff9ad864da23d22b917cd4ab4125b24ab02cb617c3c188b808bfc4662202e23dd2d989cba6b752abbfc719003b

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
1.9MB

MD5
df24b14e92ac480e211e456cf9f8430f

SHA1
f622a3c6bd76f132e25d32d2ff481092e9fc53b3

SHA256
6a2fa4f917ce8720e6832a22882d04d36ddd665aa243fb72f531d3a57d9c19ca

SHA512
826f7889d23d2e03819869347d0d9bdedcde201a282259a8276f8fd440b471b3f01c8450cef5bd5920ab446c94b7f2642f4fa4c98838eb637188df252876de8f

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
1.9MB

MD5
d4b6957922707c522b60da50d436992a

SHA1
c31cbf126b159593466968cf9562f1aa2ec14da4

SHA256
917f499e54420e995d2fe9bed96477ddc538259fb5354c31e51e436650433ded

SHA512
9b5d3f1ac09906142803a4c5975061a22618ee0b12b8299d61bccc3c293f70b104ef0fa4008131e0135537c4e5ad06c154eaa59c2cd6d9c85aed25689237b588

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
1.9MB

MD5
3be88337f8358d3209b58606c5e6a1ab

SHA1
40d4db6e2c78712f07c0921061fab1cc964697de

SHA256
55320a7bf65c2127a60c316cf2485a87f71d541cbfc71674fdc51933507c1f88

SHA512
aa68ca7a5a146ea36e1f27a57ef8f5c67e21765fb69eb7ae1018ff3990c59acecbc36d5b26a38a41b7ea39d09e21b9dcc62d43973f14dbd473cca98bcf76211c

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
1.9MB

MD5
7fc75652925cd7c993104c4f62aafd3e

SHA1
1c32ad49e8903b5e7cb6a46110dc2e01c00d8a17

SHA256
75908beff9cab23ee8d816e12d1f06bbca916a82aebe8c94dd22d989c1b8573e

SHA512
892d23ecf6588dbcaf61c7595bfc32808da680230171c841aecc9ff26ce8098ed2b0373ce84b38a1c48eb29b9be044863900b5dd0d6b13023c63849e2309fe36

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
1.9MB

MD5
5498109bac71d767f09c997a4e7029a7

SHA1
5b8de08e5da93066d5e98891ac14ae24f18e29a8

SHA256
2099d369a720f3be2c1887cf85b45df6c8179ffc3ed851bf494bcdb2d44351b8

SHA512
5e7abb3c9cabfe76c167f99097f044ba02bc4c2d2ac2bd53e41ce1123f720cd13f35517d9be7caccef2d52b8c4e8938b2d9f75ac0b5261517f4824bd45c96704

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
1.9MB

MD5
3772e0112b9dc97423d6dff58223e063

SHA1
18494323bd40185d8c62242e512358d62210cf44

SHA256
9b07eaad23da325f0916026d75c6578cb7a3447076cf0fe3c2a9b5892b29a3a3

SHA512
c734132c20b97d6b2041f44e81f84b12dea1f061ff5c8013648401e695252135ea27a9aa0f25edfe142d34eca68635e55f3b263b248a36f1bd3f7165728e9d55

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
1.9MB

MD5
693fff0e1ef170fbc47bcf40c576661d

SHA1
e35b9c6a0defba23a3670705685cdf901bda155f

SHA256
a09651bec00bd2a5c99d8fcc52deb932759b869fad77a6d5c0ea0737aceda4cd

SHA512
86adf713bf180384592cdf90914d253f04dce4855a67ede511fcebb5bcf8053651eedb6f4e1323eba358777821be375d9beae9e395855822cc068224f67ef806

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
1.9MB

MD5
7f496af4317f0d4c773c25be90a2eb57

SHA1
6c4a8ee01a820c84727a7d277c6ae2a94d0d6f67

SHA256
31606e6f63c9b5582d1180ecd5128a574b0354c4cd51d16b68e34e4c15d3a6c0

SHA512
9ed48252d0f700a65b8ac8ee4466a906f0e53f6759c867c24cb48c4273dc36bc1f9133c45cae77e900aca5854157b4f5a72b163aa8bae9658f201502b70231a8

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
1.9MB

MD5
221ac2e90875c5fad27a00f8453a4413

SHA1
44ece7cad109e2f98ac0d3aecd8ef18429d39557

SHA256
3a7b5f81c974704db7f092b5fabab9c32cff3996f2c0c837f7c249daa2a264aa

SHA512
48c45a0a6b6799f43bec055785dea8619c0764b5b089f3352d245404d58fd48860c14d477174f9350db465bf8a676ba17c4761afe67845995c9690bbfe225734

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
1.9MB

MD5
99ca65b65c74596e5571b9dbe0ec8e9a

SHA1
964f91de29db5ba2773087ed56f5f107f1d232d4

SHA256
cc42eb8c15f94a1107d90e345ccf672301701f854426c1a64ba13de12d8b33c7

SHA512
da830732b3a6f022ebcd7ba0f337194eb18d462d46af26a799401ca8cc4b7823921284d4236e7c091995795b6509dc1e170e91051ed38a33df8425b7b4c0cb1b

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
1.9MB

MD5
9663a5614cea862f4f8e0bbc7f2820b3

SHA1
1c20bfc9f9954d871c078c44dc7f39b435d5e4f4

SHA256
fa7c826b456136a26757253c538c8d41b1e7285ee76d959a4b3b796fefa48256

SHA512
b47e220d587304f24c75be22574451ca20293dc9e56291ba06a66eee25c94c34b4386bfe247ee2103c70c140f03dcf9ab7e217df8c16e38a63ea528b5e48f888

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
1.9MB

MD5
36376600e6795a987b442983e8322280

SHA1
06b8540aa22d3dd2826e0532e2459c731fdd6534

SHA256
7efb800a87af5ddf3a85dd9f3d63e327beb0aac89c6940f77c1e4cc07d082c2c

SHA512
9760655ebc03e8287b85c2a7058b5b2838841c1d00e89c6573811109f38104989f91050f35ae4214d6fbe897b8c9c34aa60bd6f1b4291fa45c85a642d109c7d5

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
1.9MB

MD5
a3e97ad5f8b4ac29b5542e5e31a6f99d

SHA1
1d3fa0fb08cfac8aee1de80fb56b5627948fcfa7

SHA256
b4313af2d48fc38ffe8e7ca542cd158367b66e040059dba4b8e9c4ca51d66a32

SHA512
0dbe39531bb0cdec733169e7f204d88d85a61b81a57c652be70274722afdad8bc44a3f8f8138302ee2c4146bb6d5a5794d98c2079ecad3aa057acfac7f978a1a

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
1.9MB

MD5
538ccce75bd178b81d39ed9511d8d76e

SHA1
9d6f594389f0a8fc2af145e3c24178f9b5a0f76e

SHA256
8db13127cb5ca5b9fab56e1185d2bcb8bf1d5869427989baf965676ae6b5458d

SHA512
e88002ca397d1a32b36ad5d032aa7f06e42a133960815ac9e7930d1a85c5ec6162be305542f2dc8e1e614710f8b8231b986a308ca4c003d2d78c8cb6e000d917

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
1.9MB

MD5
3a4674e28b9345aec24beb37928d8da8

SHA1
2457f5a8a2c6702718fd1c61ca4030eebf98f53a

SHA256
10f726d2e89466478110fac082dbdb21583cb0de59bd1d10c3d2c758cdb5f5b3

SHA512
c7d8c9f6acf6022c4b11a39279c3743d54542c3b8e95b321d0e5fb98a592c5ad952262f6d4d8900f776bca6e344202597b89645fd99ee233f0e094b9f19a9baa

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
1.9MB

MD5
af5dd2dce13100907a63a883de4e70d6

SHA1
e58ba6361bcf366e0b43b040ea71c00fdd0720e1

SHA256
5e4a8a229238494ed575417c3e0ad094a2919f37d6ca4e5b4ffa44babc70853e

SHA512
06c2b86a86b8ffd3cdb39c603200cf857697c52432748d69100ce966dc955860ed3865d48bfbc2e85c2a11cca4eef0a752aaf10f171e19e1cb56a74f4626b52f

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
1.9MB

MD5
f6a76fed2618727bcdb9fe0c50f4fc32

SHA1
1215574fc884847e4dd0348785d75b759684004c

SHA256
56334084386274f236b81932afafa4959f1c79e8f77008728f1cb37fffbc2505

SHA512
8838c029d0fc301869ecf51aeea05ec8e98261624de1a3f251059770f52ed2d6ca8e9623a9ea9b888d349fb6a3d7d3078ff621506899519e90542411f25085ed

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
1.9MB

MD5
b4fbb628f0bc3140d57bff7a29e67446

SHA1
72f357e9a1bd2cf0ad2cc23ff0be0c818863bf08

SHA256
2b1fa91c21bfa475ce712d4329769cf3116f7d5548d2a2a97c08e668f150d447

SHA512
fbda9c134f9560b5639c8357da2fb1fc387de4b23cfdf26ff05d486d4a9e620d8446959096a27ce58d4940cb5af452bd113cbc7b89bd8716853d686681aecd7f

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
1.9MB

MD5
a1cc1470471c3fd8df39285132a7c7a6

SHA1
697c4503382cd260057c5c5e62cf1674488c292c

SHA256
2513a06ca6e9a9282b7846cafdc8f7089c00402ceb550c4314ec7d9aabffafd3

SHA512
be2d3b5c8f784e86ab0b6481d9ec1e25c7384b4f842a2520c6626eaf79b1dcbcf8305e4496864beedd5fe863e40aefa35c5badb54768b46d1ef9947e79526949

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
1.9MB

MD5
fe160c601bba842ed3d9abeb16424511

SHA1
31a0673d2cbb8e877a3cffedf9fe31c139ff464b

SHA256
78f5442ac6e5f02978aff8dca2a527afd44c97ac1f9bf3677ef621921596decf

SHA512
43ee25f87ffb453ab542f22d84971987928239c3fe7eee4000be6e1e20e2d9c8a42ce5cc071c9ba728d3f2bc25f2e37ab42d392bcd72e0d83d7f64d95d946595

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
1.9MB

MD5
06d98c9634ff57f07a86fef5977dda32

SHA1
86a422526e93677afd613db354ebe0636e7976b6

SHA256
d89a6aa46f736c59197af39d36cda77db753d4a45a957420addf75d4de2d607d

SHA512
a6b02218fd527451bc9a7e07e44c29af0926600ef14570e90c3cee2806b72811092f666483acc22d90acb0e420b532eff6224e8e6ebfd9faafdc99c1a02f5deb

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
1.9MB

MD5
d12ac7b5fec8a700f36de9cd6c568ad0

SHA1
f3bdafcadb78b813ebafc8e7af026c8928d86acf

SHA256
5d07bb7b21c4b97d79bb05c96b7180b091c74d67c594f880af7c8adfe4fa1319

SHA512
f9558602c4d5c586c82e4ebdfc4f49d44d50583330a4f7f2568ec5cd0b7bfac5ecd2f4a223cfe2a29857c0e6b1e00d216c788857fe06d5ec7452f046ffcb7447

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
1.9MB

MD5
e77d8a99ee8a2d0952196eaa6d058576

SHA1
47256ae2b76fd148315d976552743a95cb7496f3

SHA256
7c110595939836d8c8b25fd867dc1a0ae8d4e344bbbda979fbc5ffe5ed293e10

SHA512
65b2512ccb7691c3b3909e8d405e189436819d1d11a9978d23cb49c619ada8a974522334e21696f56d5ddd6ce19fe49b1f4de0bb00607d58ce72ab772353da97

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
1.9MB

MD5
f74ccb0ce8e32e75eeeb18573784dce1

SHA1
faabfdd4b14fcf178ebb5700132e6ff8a0cabb5f

SHA256
c297eaae04008e0dbf78cb0fde5572d0461fd41183cdec8febb58f0629c1145b

SHA512
fd8c2d8fcd3e86b7933c862eedd654c79298b9e515ec504bb40541135cc9a3a08ef8886150d823bda29c59fe964135f87bab9cacdcec0499f966809aabdab37e

Download Submit
memory/64-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/824-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-596-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-993-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5156-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5196-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5276-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5316-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5360-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5404-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5444-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5532-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5572-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5612-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5656-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5688-994-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads