berbew | 1f708735c2d5a34cf41775e88ce40168734878ee49cff5b0dccf6c008b7c0b42

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrojanDownloader.Win32.Berbew.exe
Size

101KB
MD5

8bd3f7b8c78c8dd85008916594963a20
SHA1

dd2817282310f9dd2b3882d0d220ecf5baef4be2
SHA256

1f708735c2d5a34cf41775e88ce40168734878ee49cff5b0dccf6c008b7c0b42
SHA512

d4c11d9081188bcf7d8468efd0fd80fa99f5c93c9375811f376fa563dd6f344a07669cec512e5a5b776eab27c433a7c43d07d91a003b56cbc23105f530a3530a
SSDEEP

3072:4FG2tYZ1CzyPA+U1duXqbyu0sY7q5AnrHY4vDX:4wzjUy853Anr44vDX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhdggb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nefdbekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjkbnfha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedmkmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfbjdnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nooikj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnaecedp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igjbci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfbjdnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khihld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnaecedp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gndbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjcmngnj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
5016	Fbdnne32.exe
4216	Fqfojblo.exe
5076	Fjocbhbo.exe
4032	Fqikob32.exe
3256	Gcghkm32.exe
4728	Gnmlhf32.exe
212	Gcjdam32.exe
4428	Gjcmngnj.exe
2380	Gqnejaff.exe
760	Gkcigjel.exe
624	Gnaecedp.exe
4896	Gcnnllcg.exe
1420	Gndbie32.exe
5108	Gdnjfojj.exe
1672	Gjkbnfha.exe
1136	Hepgkohh.exe
4508	Hkjohi32.exe
2328	Hqghqpnl.exe
4640	Hcedmkmp.exe
2564	Haidfpki.exe
3704	Halaloif.exe
3268	Hcjmhk32.exe
372	Hejjanpm.exe
1952	Hjfbjdnd.exe
1840	Igjbci32.exe
4484	Ijkled32.exe
4400	Ijmhkchl.exe
4756	Iagqgn32.exe
4368	Ijpepcfj.exe
4008	Ieeimlep.exe
4752	Ijbbfc32.exe
4748	Jehfcl32.exe
5112	Jjdokb32.exe
2720	Jdmcdhhe.exe
1992	Jnbgaa32.exe
1336	Jaqcnl32.exe
396	Jjihfbno.exe
1284	Jbppgona.exe
1708	Jeolckne.exe
4964	Jhmhpfmi.exe
3192	Jjkdlall.exe
3768	Jlkafdco.exe
4528	Kahinkaf.exe
1232	Kdffjgpj.exe
4288	Kkpnga32.exe
3976	Kbgfhnhi.exe
452	Klpjad32.exe
2072	Klbgfc32.exe
4132	Kopcbo32.exe
1968	Khihld32.exe
4300	Kkgdhp32.exe
4496	Kemhei32.exe
3708	Lkiamp32.exe
1488	Loemnnhe.exe
5020	Llimgb32.exe
2588	Laffpi32.exe
1000	Lddble32.exe
1412	Lojfin32.exe
1564	Ldfoad32.exe
2428	Lolcnman.exe
3504	Lajokiaa.exe
4880	Lhdggb32.exe
1932	Lkcccn32.exe
5012	Lhgdmb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oofial32.dll	Ldfoad32.exe
File created	C:\Windows\SysWOW64\Lajokiaa.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Mhpgca32.exe	Mccokj32.exe
File opened for modification	C:\Windows\SysWOW64\Ollljmhg.exe	Ohqpjo32.exe
File created	C:\Windows\SysWOW64\Llfgke32.dll	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Odjmdocp.exe	Oloipmfd.exe
File created	C:\Windows\SysWOW64\Qfgfpp32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Pmejnpqp.dll	Qfjcep32.exe
File opened for modification	C:\Windows\SysWOW64\Gnaecedp.exe	Gkcigjel.exe
File created	C:\Windows\SysWOW64\Kemhei32.exe	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Aiaeig32.dll	Ohqpjo32.exe
File created	C:\Windows\SysWOW64\Gdnjfojj.exe	Gndbie32.exe
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Jgcnomaa.dll	Llimgb32.exe
File created	C:\Windows\SysWOW64\Jbjabqbh.dll	Mccokj32.exe
File created	C:\Windows\SysWOW64\Hfdgep32.dll	Ofdqcc32.exe
File opened for modification	C:\Windows\SysWOW64\Qihoak32.exe	Qfjcep32.exe
File opened for modification	C:\Windows\SysWOW64\Igjbci32.exe	Hjfbjdnd.exe
File created	C:\Windows\SysWOW64\Jjihfbno.exe	Jaqcnl32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffjgpj.exe	Kahinkaf.exe
File created	C:\Windows\SysWOW64\Hhodke32.dll	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Hbfhni32.dll	Lolcnman.exe
File created	C:\Windows\SysWOW64\Mdbnmbhj.exe	Madbagif.exe
File opened for modification	C:\Windows\SysWOW64\Ofdqcc32.exe	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Pbddobla.exe
File opened for modification	C:\Windows\SysWOW64\Ijbbfc32.exe	Ieeimlep.exe
File created	C:\Windows\SysWOW64\Ebcgjl32.dll	Acppddig.exe
File opened for modification	C:\Windows\SysWOW64\Pmjhlklg.exe	Pbddobla.exe
File created	C:\Windows\SysWOW64\Aflpkpjm.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Ofdqcc32.exe	Obidcdfo.exe
File opened for modification	C:\Windows\SysWOW64\Jjdokb32.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Jnbgaa32.exe	Jdmcdhhe.exe
File opened for modification	C:\Windows\SysWOW64\Kopcbo32.exe	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Khihld32.exe	Kopcbo32.exe
File opened for modification	C:\Windows\SysWOW64\Laffpi32.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Bkclkjqn.dll	Laffpi32.exe
File created	C:\Windows\SysWOW64\Hqghqpnl.exe	Hkjohi32.exe
File opened for modification	C:\Windows\SysWOW64\Lhgdmb32.exe	Lkcccn32.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qihoak32.exe
File created	C:\Windows\SysWOW64\Gjkbnfha.exe	Gdnjfojj.exe
File created	C:\Windows\SysWOW64\Debaqh32.dll	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Qkfkng32.exe	Qihoak32.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Aflpkpjm.exe
File opened for modification	C:\Windows\SysWOW64\Mdghhb32.exe	Mcfkpjng.exe
File opened for modification	C:\Windows\SysWOW64\Pokanf32.exe	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Hejjanpm.exe	Hcjmhk32.exe
File created	C:\Windows\SysWOW64\Mjfkgg32.dll	Ijbbfc32.exe
File created	C:\Windows\SysWOW64\Ljnakk32.dll	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Mccokj32.exe	Mdbnmbhj.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Mcfkpjng.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Gjcmngnj.exe	Gcjdam32.exe
File created	C:\Windows\SysWOW64\Ebpmamlm.dll	Khihld32.exe
File created	C:\Windows\SysWOW64\Emnhomim.dll	Mkgmoncl.exe
File created	C:\Windows\SysWOW64\Kdffjgpj.exe	Kahinkaf.exe
File created	C:\Windows\SysWOW64\Nlgbon32.exe	Nconfh32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpagc32.exe	Maaekg32.exe
File created	C:\Windows\SysWOW64\Pnfceopp.dll	Hcedmkmp.exe
File opened for modification	C:\Windows\SysWOW64\Mccokj32.exe	Mdbnmbhj.exe
File created	C:\Windows\SysWOW64\Napameoi.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Ncloojfj.dll	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Gkcigjel.exe	Gqnejaff.exe
File opened for modification	C:\Windows\SysWOW64\Jeolckne.exe	Jbppgona.exe
File created	C:\Windows\SysWOW64\Kbgfhnhi.exe	Kkpnga32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjdokb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkpjng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejjanpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbgaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igjbci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkcccn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeimlep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjihfbno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Halaloif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijkled32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oloipmfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnaecedp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcnnllcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdnjfojj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nefdbekh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjdam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gndbie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkgmoncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlgbon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkcigjel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hepgkohh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkgdhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdcpb32.dll"	Gcnnllcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpcjnil.dll"	Odjmdocp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilbckfb.dll"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nefdbekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmfbkh32.dll"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgnqacq.dll"	Oooaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debaqh32.dll"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoggpbpn.dll"	Mdnebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfedfi32.dll"	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbdmo32.dll"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Pdngpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	TrojanDownloader.Win32.Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caekaaoh.dll"	Madbagif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcboj32.dll"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgpcnpb.dll"	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odjmdocp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hepgkohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimlepla.dll"	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcokoo32.dll"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knojng32.dll"	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaqkhem.dll"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejjanpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Halaloif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Madbagif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnegipj.dll"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjkbnfha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcghkm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 5016	3688	TrojanDownloader.Win32.Berbew.exe	89
PID 3688 wrote to memory of 5016	3688	TrojanDownloader.Win32.Berbew.exe	89
PID 3688 wrote to memory of 5016	3688	TrojanDownloader.Win32.Berbew.exe	89
PID 5016 wrote to memory of 4216	5016	Fbdnne32.exe	90
PID 5016 wrote to memory of 4216	5016	Fbdnne32.exe	90
PID 5016 wrote to memory of 4216	5016	Fbdnne32.exe	90
PID 4216 wrote to memory of 5076	4216	Fqfojblo.exe	91
PID 4216 wrote to memory of 5076	4216	Fqfojblo.exe	91
PID 4216 wrote to memory of 5076	4216	Fqfojblo.exe	91
PID 5076 wrote to memory of 4032	5076	Fjocbhbo.exe	92
PID 5076 wrote to memory of 4032	5076	Fjocbhbo.exe	92
PID 5076 wrote to memory of 4032	5076	Fjocbhbo.exe	92
PID 4032 wrote to memory of 3256	4032	Fqikob32.exe	93
PID 4032 wrote to memory of 3256	4032	Fqikob32.exe	93
PID 4032 wrote to memory of 3256	4032	Fqikob32.exe	93
PID 3256 wrote to memory of 4728	3256	Gcghkm32.exe	94
PID 3256 wrote to memory of 4728	3256	Gcghkm32.exe	94
PID 3256 wrote to memory of 4728	3256	Gcghkm32.exe	94
PID 4728 wrote to memory of 212	4728	Gnmlhf32.exe	95
PID 4728 wrote to memory of 212	4728	Gnmlhf32.exe	95
PID 4728 wrote to memory of 212	4728	Gnmlhf32.exe	95
PID 212 wrote to memory of 4428	212	Gcjdam32.exe	96
PID 212 wrote to memory of 4428	212	Gcjdam32.exe	96
PID 212 wrote to memory of 4428	212	Gcjdam32.exe	96
PID 4428 wrote to memory of 2380	4428	Gjcmngnj.exe	97
PID 4428 wrote to memory of 2380	4428	Gjcmngnj.exe	97
PID 4428 wrote to memory of 2380	4428	Gjcmngnj.exe	97
PID 2380 wrote to memory of 760	2380	Gqnejaff.exe	98
PID 2380 wrote to memory of 760	2380	Gqnejaff.exe	98
PID 2380 wrote to memory of 760	2380	Gqnejaff.exe	98
PID 760 wrote to memory of 624	760	Gkcigjel.exe	99
PID 760 wrote to memory of 624	760	Gkcigjel.exe	99
PID 760 wrote to memory of 624	760	Gkcigjel.exe	99
PID 624 wrote to memory of 4896	624	Gnaecedp.exe	100
PID 624 wrote to memory of 4896	624	Gnaecedp.exe	100
PID 624 wrote to memory of 4896	624	Gnaecedp.exe	100
PID 4896 wrote to memory of 1420	4896	Gcnnllcg.exe	101
PID 4896 wrote to memory of 1420	4896	Gcnnllcg.exe	101
PID 4896 wrote to memory of 1420	4896	Gcnnllcg.exe	101
PID 1420 wrote to memory of 5108	1420	Gndbie32.exe	102
PID 1420 wrote to memory of 5108	1420	Gndbie32.exe	102
PID 1420 wrote to memory of 5108	1420	Gndbie32.exe	102
PID 5108 wrote to memory of 1672	5108	Gdnjfojj.exe	103
PID 5108 wrote to memory of 1672	5108	Gdnjfojj.exe	103
PID 5108 wrote to memory of 1672	5108	Gdnjfojj.exe	103
PID 1672 wrote to memory of 1136	1672	Gjkbnfha.exe	104
PID 1672 wrote to memory of 1136	1672	Gjkbnfha.exe	104
PID 1672 wrote to memory of 1136	1672	Gjkbnfha.exe	104
PID 1136 wrote to memory of 4508	1136	Hepgkohh.exe	105
PID 1136 wrote to memory of 4508	1136	Hepgkohh.exe	105
PID 1136 wrote to memory of 4508	1136	Hepgkohh.exe	105
PID 4508 wrote to memory of 2328	4508	Hkjohi32.exe	106
PID 4508 wrote to memory of 2328	4508	Hkjohi32.exe	106
PID 4508 wrote to memory of 2328	4508	Hkjohi32.exe	106
PID 2328 wrote to memory of 4640	2328	Hqghqpnl.exe	107
PID 2328 wrote to memory of 4640	2328	Hqghqpnl.exe	107
PID 2328 wrote to memory of 4640	2328	Hqghqpnl.exe	107
PID 4640 wrote to memory of 2564	4640	Hcedmkmp.exe	108
PID 4640 wrote to memory of 2564	4640	Hcedmkmp.exe	108
PID 4640 wrote to memory of 2564	4640	Hcedmkmp.exe	108
PID 2564 wrote to memory of 3704	2564	Haidfpki.exe	109
PID 2564 wrote to memory of 3704	2564	Haidfpki.exe	109
PID 2564 wrote to memory of 3704	2564	Haidfpki.exe	109
PID 3704 wrote to memory of 3268	3704	Halaloif.exe	110

C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\SysWOW64\Fbdnne32.exe
  C:\Windows\system32\Fbdnne32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\Fqfojblo.exe
    C:\Windows\system32\Fqfojblo.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\SysWOW64\Fjocbhbo.exe
      C:\Windows\system32\Fjocbhbo.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Gcnnllcg.exe
        
        C:\Windows\system32\Gcnnllcg.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Gdnjfojj.exe
        
        C:\Windows\system32\Gdnjfojj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Gjkbnfha.exe
        
        C:\Windows\system32\Gjkbnfha.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Hepgkohh.exe
        
        C:\Windows\system32\Hepgkohh.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Haidfpki.exe
        
        C:\Windows\system32\Haidfpki.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        28⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        42⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        62⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Lkcccn32.exe
        
        C:\Windows\system32\Lkcccn32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        65⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Mkgmoncl.exe
        
        C:\Windows\system32\Mkgmoncl.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        70⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        74⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        77⤵
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Nefdbekh.exe
        
        C:\Windows\system32\Nefdbekh.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        79⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2256
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2476
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        86⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        87⤵
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        90⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        97⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        106⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        110⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        119⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        120⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        121⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3004 /prefetch:8
1⤵
PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbdnne32.exe

Filesize
101KB

MD5
621d97d6ff7358da09e4158cf5626615

SHA1
f9edfa4ab37853b5d8dca5182ff878c684028177

SHA256
e6b3479a8175b25981567f7158895bb63d072fddf2d1245bb44a77bdde840add

SHA512
1cc5d033d995f1902aebf74ee9b97b8edeb4b31afca7901fc5717aa3eba8293dc6ed9a72a58ef0fd9e0e1f15f86c3a1b68db3c0be10590b6b3d8aa3f1af2f11b

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
101KB

MD5
a2bfe27cec46f0c40f4e1f8ee3e9bda2

SHA1
f4c065965c5464f4799eb67e3d7b320b57b7e0f2

SHA256
8a15c23d5e058b29c960e6b6f7da07523a98e800beb62e9ca02b0ded68dbeadf

SHA512
cfb6e33cc59357127a479816e6a7f390f0f96cd9a205efef4fc87e4d02be2a228f6875f15387e23419dc192460f76dab1dfca97bf9cc6390908252815348606c

Download Submit
C:\Windows\SysWOW64\Fqfojblo.exe

Filesize
101KB

MD5
833c68d9f6df3a372b57a242c71e7e11

SHA1
18ed6ecc726426b8ed0a1060e09c3ce544480f3e

SHA256
589c572b5f0087a59a174aa3fb0651dd052ed54edfa04999c9e08f89ea5f1017

SHA512
15d1f548c5ea2b7efadd211e2a9250618abb42ea7ca6837964763b86ac7a55cd03c5abce44069ae1f26a09983e8de4010c536465a8726c525a9bc878f6163bc9

Download Submit
C:\Windows\SysWOW64\Fqikob32.exe

Filesize
101KB

MD5
1af966dac00f2887ed708bf8be58b797

SHA1
137096cb065ff02f8c8b6650ef6f3fd6e5beceb7

SHA256
c379e0266baeb116419400a8a11394a8110f2043507ccb3e8b4cc33a398bada3

SHA512
69cae7c12954e88f6cf6fa4d8e1d0d63684e1be8e16a8d3ec26e8083b3cd275b37430f338f02b57988233bfdb1e7c20c02cf1d4446d7ba68f152196d207f2afe

Download Submit
C:\Windows\SysWOW64\Gcghkm32.exe

Filesize
101KB

MD5
d19b8d984625f4d7fc5ac31c9700e44d

SHA1
26cf5b67d378af10a7da9f2d6c415791cfa322b0

SHA256
5d7774f8219c31d520d2558142b0d311b5f2228615cf0d4fe36cd019242f1384

SHA512
fe7d36314c1f103a5185af11ce27b65d8e941acf24fe359605289bfdf1d288b94932b885517c52457cd72a096b7fe1670227688afa381774024eb19eacb488a2

Download Submit
C:\Windows\SysWOW64\Gcjdam32.exe

Filesize
101KB

MD5
f272e6672bc26a6d9fe4c895d4e1c529

SHA1
96e5250f256fc6debc23a1fb9c34a70f12285dd2

SHA256
d0bf9fc1db6a6c12934c5d4b2c886cfb3dd2c2bf0f6feb604fe14b5edd1da997

SHA512
285f679dffb4f9cbce34bc67518ef9f42ebc1562d9d3da5ee196ac58052214ead4dca4e491424c5afd5ff4674cd65b9aa9c6415ac87cd06fd832d471040842fb

Download Submit
C:\Windows\SysWOW64\Gcnnllcg.exe

Filesize
101KB

MD5
b4347f72e62934f3f310bc1d5fadc587

SHA1
71e8f681ff3fb8c8934c7e43c356bb075596567e

SHA256
0e6e80d14066263d2455fbd0513758fd5f5fda094b207a5722d98f800bcb28c4

SHA512
e1fdf32aa58ad2a9f3b068ac229504bc268516d074c0ab9dfe587fd8cb247c66f53d4ec0528f3ab72e0627a14f204da39bf1812df8d8a356ac4cbe33169ba6cd

Download Submit
C:\Windows\SysWOW64\Gdnjfojj.exe

Filesize
101KB

MD5
e4a6c2e5b553845ebf1d479e9c8aef86

SHA1
5e442d8476a2e0a87f188dc01106cec957507c62

SHA256
a5532fb72bd97e72d5cae3e9ac8093590f1e3f23bfd244b01e65822d73992ed5

SHA512
d12df0e1ce4c3e760dcb3dd51b8f43a4f20b15eb2717824d693232974653460bf93fb1f2d32a820aa9e3f428afd938b5301778c5bcd0e7a0338c06fef265ff1f

Download Submit
C:\Windows\SysWOW64\Gjcmngnj.exe

Filesize
101KB

MD5
f69481f86aa955fc8d5766f651973da2

SHA1
16fd9bbc8fed4783346ef8a4ee1609b3c275a2a5

SHA256
ba752e86104c53338800605f036c7f34c7b71fca8676e18ef6a8c782dc4efb85

SHA512
72a42a15a2ce4574fc63f18ec2ea5a6e6fe5af4b7b6954ea8320c9fdba560f503c0ba1b01cb9358f6815280e986720a94b674c42220682f8aa6ceabb4728c16d

Download Submit
C:\Windows\SysWOW64\Gjkbnfha.exe

Filesize
101KB

MD5
fa42402d3de67f31e5ee349ad2b19721

SHA1
c7fd4c23f89d7e5ff941be1b024dd8d551d598bd

SHA256
d41add74ec45cc8efc787a44c88febb758a074b185775a8ccc5824d063c64b6b

SHA512
42c29bf7154f7a904f7643e9454efd2e8b111ddef2bf50432a03f7223dba9d0bc748e538c98a20ec99f45badc4be0966b448ce79a0742eea5454774fff52941c

Download Submit
C:\Windows\SysWOW64\Gkcigjel.exe

Filesize
101KB

MD5
2d2db4f2565fdedf284a5b26bb603e68

SHA1
ac129349e2955b030d84ce0346efb38508c87135

SHA256
2b0769a6c15a542b83324ec6806125c4c8fe611e8096560c422b96014be93c19

SHA512
9e55499c4f17b086adb051ff4f253996da78ba31c3e101c3ebdaf9cb11565a5e92000d911706ca84552684a2ea0bd93bd818c9bc5390102777efd1737c87d43e

Download Submit
C:\Windows\SysWOW64\Gnaecedp.exe

Filesize
101KB

MD5
b1b628af7117dc1b0bc654bfcb2b438d

SHA1
6c85983c41abb2e181201386f72988ab2cae8136

SHA256
15e65926f2ffd9cc51f8eaa8c048bb20cc3837ad07b64ad7487b5957b419e689

SHA512
ee2bba1e703edf253475e4847c3ecd7829f057539c406c03424bafe86a07bb8585f53f5fdb17d08ff01a2f49a2750d17a0063c67906a7db0926e35e1ba51f7eb

Download Submit
C:\Windows\SysWOW64\Gndbie32.exe

Filesize
101KB

MD5
8aa960a178b43b8f8110a23d608680e5

SHA1
141bcb3ac16ffe6d23f1bdc5be905caf2522a9c3

SHA256
ca5597403a9e48e55b41fac685b8986add29b7f23d394f9a28e1ff8f4b424a5c

SHA512
e7aa56263e01d4ba640589a8e3fa032147bed32bf7b6bdca242682f0353bd9c1be10df0e2a276415d59f12536110f4f3167f7bdfed5e87e9c575866c91915b43

Download Submit
C:\Windows\SysWOW64\Gnmlhf32.exe

Filesize
101KB

MD5
6df30f69b76577d91f3c5afe47e387a8

SHA1
129f51f9b9f6a06c3f4880b3b6f67bc9d1d9084c

SHA256
f096337b23e20711dcf8a76978363296d946d166d16715447835e3ab5701e7d3

SHA512
759499701d6c1e9166d24b3238e3fa659915303c43b9ef18b5a3e96f0106d07107b4e96f5feb992d9250b41d128b5a64da1d51125fab6f49145b6cdb0ad3f257

Download Submit
C:\Windows\SysWOW64\Gqnejaff.exe

Filesize
101KB

MD5
ac2c09343184b73066d5d75085ad9e15

SHA1
ce9a785efae4010d1a734a8ee5bc973274b10ef7

SHA256
a95080a0e2dc11e9374c52bddafb11de9f432de6421ff5d12f60c3edfe4b283b

SHA512
d1e2465bf955e5c91b2253d055d86c61bc72ef3fb30b2be2347eb37da39a4ae976a4ad4590fa9b0864afd1c9c775eb86b1ee79848c29fb40278dc782eba7fcb5

Download Submit
C:\Windows\SysWOW64\Haidfpki.exe

Filesize
101KB

MD5
4a0dea9f1da669c9757646dd09ee0095

SHA1
b11ac78a9496ae20890eae55f4d2b5e2d191d1da

SHA256
cfd0da34f36f151a04a7172a7819da5ad2f72afed2a1dd99009c56f5bc6703c8

SHA512
f1396cf0809c3a19a43a25f6a379fc73993531733528fad60629b0be37663571f2841e502f17db0fdcc9b8d70de2a8cfaccc50d8ba74bacd637f5f1db18fbc93

Download Submit
C:\Windows\SysWOW64\Halaloif.exe

Filesize
101KB

MD5
66b8691937bfe7f17e06020d8d977fab

SHA1
1f83070c28b251293b01ea7f2215bb5957d9ba1c

SHA256
ac06ac7e23c7f5a0af63223201b11f61f2b714095d0f8ca5344b4fbd94886e63

SHA512
7d92a9227f8e368b22ad94f1b8ef8374549a9d2ba5f415eb7b68effc1b57247a0c7d3d5d9014510d7fe952c0e24e8aec3883dd560d846177aae30fcb81ff15c4

Download Submit
C:\Windows\SysWOW64\Hcedmkmp.exe

Filesize
101KB

MD5
b990086f3d5be1f6ed4131a6c6893813

SHA1
0c008760c5fff68b5e03b39465692c1b4152de3c

SHA256
e19476a93fed096baba4c4033454ec460c11cde8445bbfa6f39733895c90f594

SHA512
94a87eca0ebf2101109620ede6896a57243d317acea26e591b238a40bb64f38432b1151060e4b62ab3b00f82705e5ddb59f439ef8f3761167600b1e1a874c83b

Download Submit
C:\Windows\SysWOW64\Hcjmhk32.exe

Filesize
101KB

MD5
af51d8cfb7032c0df555ec66c3843f4d

SHA1
edaafa7fc965479810ddf306ee8858482fa72fc1

SHA256
a0892c3a9c1e03fa914af6c4062b7f7dac61d9d429a40928f8909022a7b271a7

SHA512
4e1740ecf241fa3a966af47f9b1ce04ac9339244aec60ecd217eba7057f7881f275dc4a761910c5d837497d9ac06c03f2ecee4c905d565f7a167fb94afec0025

Download Submit
C:\Windows\SysWOW64\Hejjanpm.exe

Filesize
101KB

MD5
26e75cd083bcfc4e4236d4c6bc74c16f

SHA1
cf969a4eb599537fbd46a414a14ff4d72b4cdc88

SHA256
cfeef809174ec04fba3380f387559a9ea46df6b80cc31ff4072495a160e00e0c

SHA512
efbdd316a8920f4ef4da7cdc3559f14f7fcbb93a3f4f026dc510210ad9765c7154d6c69f3a04678fde3c9bbb2b8c3345e6a562fca527d088a90e004c9b039d49

Download Submit
C:\Windows\SysWOW64\Hepgkohh.exe

Filesize
101KB

MD5
e66362be3abaf16b37a05a10caffa748

SHA1
4e0eddb49c23d24de4b672b3b57ecc8a3ad8a43b

SHA256
f3b3125ad5d38085b00624cc998f8da96f421a3371d0c9754021e0022f645813

SHA512
76a88ba8974d1a36c03fc1610bc4f3f204029bfaae65110b711d12aac875f33a473c423da7293eb7d3cd5385ff8cb2855f9fdef56e9e3db7753f77d033b4430c

Download Submit
C:\Windows\SysWOW64\Hjfbjdnd.exe

Filesize
101KB

MD5
0bfdfccd800329dd4c9475a71a4b005e

SHA1
1e250ed31edd43a0fb63339a2460761d9a13d480

SHA256
c0004a91205a91860c71ca9b32a88266568f7a2a7378b883decc29f756760304

SHA512
38d29c415ae444749912927f8fddc17afe6860f17c7fc6981cf21cf05cb2caadbac5cff2468c9239f845d9783ce6faf9f88fd7ba18ac923794b987d116f0cc72

Download Submit
C:\Windows\SysWOW64\Hkjohi32.exe

Filesize
101KB

MD5
5978b1b287b02dc34a29e62396931a11

SHA1
f96e7c6342bcbfb96cf69fe8884b98b4fa67a8c2

SHA256
022dc8f2f5787c31ce65479b41cf0a87eae3f5f099cdf46fb6246208a2a05a61

SHA512
94fb414a9e0f6a687296578b1b1159d40d902679a4fc37fd21a295a1f80854806834564526ee1dbf1f914932988b646010e0483d70011e0cd883a9aa2ee04e1c

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
101KB

MD5
ed4e2e5a59a71a19aeddf35eea2725da

SHA1
1d663d8722a85e1046abcabb18d0241365f74bb5

SHA256
ff47f4ffff24306fa60f0092d35cca43f79d58a8fc1338f7ffe399fcfd340675

SHA512
d9216320a3981d70670e267b499d3b6509d0bc8bcb5ab4812bcec9bb6db83e6b6ebd8002961d2838380fc8edef5417ca9d553309a4457892f4ecb9fd0964c4ae

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
101KB

MD5
e9405381731e7454b241c4d07ddab679

SHA1
2457b559b9b20b3be27c68452b7aad985de19871

SHA256
cf8f3535fc6f36879b9b68674a5712cb218a43c16d1ba08d7bb30fe5e38861b1

SHA512
76d06ae0a171d4c0ed55ecf083e988fbea0297af6a74945ce8378169482e0990a6a05cc0b8c81c25c864537f30b3b7bd8ad7ff8656ad411e023689d8643e06ec

Download Submit
C:\Windows\SysWOW64\Ieeimlep.exe

Filesize
101KB

MD5
3fb50b9829a0be5f96033879106dcb96

SHA1
1a04d823a985d5dddbca87089ddc03d65bb1743d

SHA256
0b76865f13e7a93f92bb71e3a490bf75e639c2305a6ca74b5baf6fc6b6734a51

SHA512
d21868e40d562c114163dc02a54ef089be6649cd48a62c8bf0721dbd4b37f49b4e251d70784e7880b771079bec702718e2e5a520a6001b226eadeb88f2ded793

Download Submit
C:\Windows\SysWOW64\Igjbci32.exe

Filesize
101KB

MD5
ffd22873599121e1e45d61395f7ff357

SHA1
dac358e38e7931f58dd4b1a92fdc0881992b2105

SHA256
85923d6cbdee1d68b32d8a7089a2598f856097ca95be5847f6e3a3748ff1696a

SHA512
e83fed5ae6689144a5724ed19434cd1f2cb693170cd68b3fef0dfb4ae6527e314f7149c936f79d96d7b7667e8aa68513616e43aff8e615f3c14070d223d145b2

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
101KB

MD5
7bab375f25ae79b8ea9e36d12ee7e5d8

SHA1
4a6667d86a36a9e873480c538ce84f6286c16a05

SHA256
cd931a6e9bbcfc2bc791223121261858a4f16ff571505035d83b5f75004f7392

SHA512
5bc42e278c1c97abd40cfcf7f821c39b04a3040a1469d7ec534f048f21f9f7ee50db590c2c4a44f053afaeda919f16a81cab3526a01a29f9032251371261c97c

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
101KB

MD5
82984a7fd5401a1f8e094a9487e16473

SHA1
effa455197fec2b198e61029735adedf2710da2b

SHA256
b8bc60571bcc12630d46f1691d3869c8dcb3183a886d2e73bc5668f527505711

SHA512
3213b7bc2359458f94764a42d46adbe80c8dcd95059a229f3941892fc7c0134a67be63a26e94f19115a628d6b313daa5a27e180a192c8ee7150ca6086eafe6e2

Download Submit
C:\Windows\SysWOW64\Ijmhkchl.exe

Filesize
101KB

MD5
d5b4b29efc53af5f705b966cd96a63e7

SHA1
ab9d90cc36761ad9a8ba24df1236f4f6716cf909

SHA256
a611f4bc2f34dcb51905369c5219f6dae648234bc7a7753c05840c1ef0d31710

SHA512
1bfcb4a6ad94804fb335700c18a749501c24ee0552aa0c1276d740fdb8e3f6d7f84cda909ad014b3001e2a4fb992d83666afa73de617e2e3ec6e9a6ca205f7cd

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
101KB

MD5
b828efa332bf86a997051024b517b38f

SHA1
8383a8d17db42b8354495508697b00f8dcdc43d6

SHA256
e2d32f19b0e91f908c75e277360246a42f8dd645179ed392421cc61f3e23b178

SHA512
35a85d1d8d9f33255b355c39cb9df8ced1e3587eaf1f5dfa24967c7bc205677e8e038eda5b712aebecea3cd0a965afe0fa1df034857237e3a58e3953b360d440

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
101KB

MD5
456154b7ca9a2e85a166d7a51c56ffc7

SHA1
df2fd778a3a2d07f15762f3fbcadf39c9a86fd9f

SHA256
dc7063bb9cdf8a3a3f501c929407ec4c9969a6c168eb3330e8b95e025d03ef0a

SHA512
1d37a8658569e6f6125f17cf393d5ac3c368fe28756cca7cd17319b528ed63a61d2c190d97946ee4bf5ee8d6f851566f2352de0a917946aec0200b3357e83fac

Download Submit
C:\Windows\SysWOW64\Kemhei32.exe

Filesize
101KB

MD5
1380750cdba0921c0abcdf5f62008e19

SHA1
015bbfb71607167fbea82acce7cfecb16d6ee112

SHA256
b7526595aa60e110a616f7f580bd64ffcafb3ef9dfe95119ef2ca42b20184560

SHA512
39b327bd333580ce8721f2f14f5add1c61b472503c0d0c784bc33788344ea7824c5111c083419ed508cddda421ef758dd86679dab1568dec1ca441a205351373

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
101KB

MD5
f0c8906b0b110c55af0deadd915de39d

SHA1
53f24859daf072713c67f48c725c9a2b404b17eb

SHA256
32c7442bf0b6b525a1d9f115590eb0e98ce4f5a864c23dc56dd121ef452dce46

SHA512
bf83d3730291d555239fcee8d0427615dd5a39257249057c420500237e0af6cdcdece0b27ffe0d4bca9b2e363b9ba1124be74794a7ea116221ec3e87322a02d2

Download Submit
C:\Windows\SysWOW64\Ldfoad32.exe

Filesize
101KB

MD5
039dcf581d0208e750dd419242dd1dd5

SHA1
92290e4dc02344ba99f02e70449960c21e0199bd

SHA256
0c68a2a3ecd1cd658d1c97f3995f601ecdbe758fff34b2f934245f41b91bfeea

SHA512
40ed6b0d3ac1e4a9dab4f1c9c40de5a005eeac078b39d77cde84b8f89110c3cf99637b5d740c59e25b59477693ef645b928f5507216ad1335e9d546877c5f6af

Download Submit
C:\Windows\SysWOW64\Lkcccn32.exe

Filesize
101KB

MD5
61d64b6b8fa71e0586bce7f4fa81b417

SHA1
40acb6601adc87aef1719dda7a567e11e4f8877d

SHA256
3e1e81a60c3d3d4a95722c18f368ba7af1c63950bd72ef9fc79bcf53c713bc2a

SHA512
c5474011bb53d4abd93e6710ce951e5d7f3f3ade4af13af2f90ea6c889b46d08b6e386cb7a558facc04e7f3a4800728ea5b0031d6451b61581520e33699d36c2

Download Submit
C:\Windows\SysWOW64\Llimgb32.exe

Filesize
101KB

MD5
b62ffebc7e94de0deab82b3e4af9fd95

SHA1
48baf68fefa5862940c3af93825c21177c882ca5

SHA256
2f235e7212885ca3c5f55bd51e8fc834d1e2d097820d5e3b98f995f9addac3f8

SHA512
9d322712301b5d3e7e088f06a3cbd91e614c28df4bd262c2b2ede916941473a1194c3c0a55a07f828a52beae850d01f7ac89fd0100137261304456ede5d94c99

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
101KB

MD5
fbf0ab1042205226f509609a318537d3

SHA1
b874e87e16f319f2352075ac8c05387532ac8187

SHA256
eb8a13fda8ae586ea96c342b479b69d04f8e531becd2ebf705602afc370dac92

SHA512
3f2fd8e36e169de173e9e2e847259fb0e678bd4035fa63c8a4ea4445e915d2eb614c96b6b33f76ad02d9f9cf6eb121fdcbb43c6ea6ea6c2ed312bbc1dea6b075

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe

Filesize
101KB

MD5
8630af30402e8270d5edad755fdbc01a

SHA1
2227a9c99397aeed84997af37504a2febcf49386

SHA256
cc0a650ce0a240231728352b73d1977c44236d9f29fea8d4d5316323ff610921

SHA512
6f7e87ff0455a4d89c867d16233b1830518618b89d3534c19205a363735b2f2c29895ee6572ad6e0fea8f87e2db3e1e45d26bc9db4c4d56fec663af8da52d4dc

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
101KB

MD5
8dcb1c1cea6c9054201b3932d0527757

SHA1
ae625abfc7fa7f899e576e23367c14d85ddd2e6b

SHA256
4e5e4e6468ded7be48fdd0e0caf759f93ac2ef1f05e466c05f2f72fe74a4608f

SHA512
a4c3990211fb99260b5abe90ca88c3d987ed78639b72d0278bcbf50eb07892ed3b796d98254f9a38ad114929ad2d21002682371aed5edcfd5d93fbafd3c3b303

Download Submit
C:\Windows\SysWOW64\Mdnebc32.exe

Filesize
101KB

MD5
8faf47c78ee744ebc8cb86c7453cbdb4

SHA1
19f7e59f3981301b068a1bf0a1ac1bb2a11c32f9

SHA256
71b0a2417eaff26d28ddebd7ebc37ad4b3d5cbb1ca7792a13c3813fd15a6c042

SHA512
b0588388b2db78859043b6be2165f950f8d33d76806eec844d64b36f8f209205a4ff9acbdd64ef2f4ea8669078ccb3052c61e06121919bd2a3f89cb06959b5a3

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
101KB

MD5
427c4755969dffde01ed97a97dfb9679

SHA1
d0e00846db6905be0bac93082e472847d352cae9

SHA256
42cd890475b114264f6f7e8342ddfe9a58289b530379059ee4fd8e5e95a70646

SHA512
f0def5e7bfcfb0acebca7aa211e2fc958112fdfc2e69e6cface507bb3a77fe7d9dfc13eb050d0f9893b9a85f35894b61db09630211e31300dfc8ad62e65f9ce1

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
101KB

MD5
827a86d9a13c57d534c111f658badff3

SHA1
2a439cd2c9310d2c3398f6010bf1f08de38458da

SHA256
7d45627a3a0f316bbe75a3a54dfd268c4ddb327d53d0c7a2a01023b8830a48e6

SHA512
19a0e5e1876aa9eddca880128411d41ac6e88378127833462eb3277f9e862cdceff6508ba5de985cb00b22b529c090520164ff3136ce8000194bbbbbf0d32444

Download Submit
C:\Windows\SysWOW64\Nomlek32.exe

Filesize
101KB

MD5
326c75c4de517b0c9ffaf2a29abebbc3

SHA1
24ae1794f967af72884962c4ceae93f2c375a47f

SHA256
cedd547fe70909b25802c741c10a9ed2fd971a6a696e5d13bd7839b77a8ab0b1

SHA512
ba7cb6140635ce65a1a15e32f1375de7f861fd67cb8f6253596d85b3de2903d2348f1bea101312eef8fa12a259dfec33ecec3913d60e8bf688b8ee4f357a0868

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
101KB

MD5
b88dc618071f09c21a515891a3a26cc1

SHA1
360f776df35f79a060bf45b84de9c955f93251a3

SHA256
8695458547fbddd5c9ca9d670531f0a7470984545583d17cf4383d29e9767628

SHA512
83cacd83b4a41fb2a50f44223130d936bdfbe43f636a4c39aeb7be7bd543aa11c5aadc9a66b897abe3eac103bfdef22ee73888aeb7abed42f508e9f9b2bd59c8

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
101KB

MD5
98f05bb5bbecdd7101f416cd8615cbd5

SHA1
6f95dfadae0c5cd1e53649935a5ff891ed1e455a

SHA256
24121d87041c58613c02989c99fe85d464f756739b926f7674e04a1fabc36cf8

SHA512
d40d61396ce4e81b96ac3895d25c67a5f22ef6f3c69ece32da2519f6ba44330dc0eaca80c8acef20de42637a05f2d970565eab7b46e1de8028e827081827e8e5

Download Submit
C:\Windows\SysWOW64\Pcdqhecd.exe

Filesize
101KB

MD5
4467397fed687a37f49aae48e929a63d

SHA1
18b654b99a7db3241287769b69a4a2e7f3d52798

SHA256
8ede077594123a48df3bc81e923c9c6e8ddad3b4523ccd20031f543ccc3f3edc

SHA512
c797f85ceacac43b521da3ccf18068204343de0a2bd2c9b8e42b77d368d82e5071213fd5097362f074f0ab6136d2a4abf229397f9729c9b2be6cef31082472fd

Download Submit
C:\Windows\SysWOW64\Pilpfm32.exe

Filesize
101KB

MD5
e06e5780c19659c974406726ab8ac821

SHA1
85fae80844b4b1ce600a0bd724ab14170f786f90

SHA256
1d3fcc22d178894900cf57f55618bd571b76bf92532bf08b33f645ff945405b4

SHA512
197f7bc4893caaf508e92f6201293c80e3b93da713b954fe61f127b96087bf554094e01442572391bb8d5d46a7a987542850420a70edf3ac5f9c020ff6cdb383

Download Submit
C:\Windows\SysWOW64\Pokanf32.exe

Filesize
101KB

MD5
e8eb4cb23b7e8c27cc6f418ea431e944

SHA1
1293169cc0b326854262476a473a1c2690b4286f

SHA256
6fc605ef135c3d9e369de5576fa960757e570ff3f5ede0ff358605d1c10e834d

SHA512
d9636ad4fa24a7bce4ae1f5526c35ecb9fa65870bc4fa1e5ec1a2554037d9aa9923f202ede8a83445317568a40c85a0837ac25aa178ba97137d574ff20d758a6

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
101KB

MD5
8147ff84505efd6f9506203dd6127102

SHA1
0b1928831fe6bde69fe94556f1ec3aeef9eee4c2

SHA256
f09e3b611fde6d4e751849362c0c36b3a46ea7b99cd7bca273870ac9923b8ad2

SHA512
9d1abfa4e6be5cb97945530921c80c4382c98d3e5a3d5a27db37caa07ba1d583e37f918c71b938f447a7e4c925bdca819a353891bdb9240c21c6c60fe8276f60

Download Submit
memory/212-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/212-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/648-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1000-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1412-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1488-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1840-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2256-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3256-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3256-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3688-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3688-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3708-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3768-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4008-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4132-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4228-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4508-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4640-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4756-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4836-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4964-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5128-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads