berbew | dd8403e29d9539e145d61a95b6c91601df77c0aa7c38b06c25371d05fd27f559

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd8403e29d9539e145d61a95b6c91601df77c0aa7c38b06c25371d05fd27f559N.exe
Size

196KB
MD5

3f304b7d1d876a7292c767cdf72a9610
SHA1

4453fdd5684f7d11f529a6af05c875c460809913
SHA256

dd8403e29d9539e145d61a95b6c91601df77c0aa7c38b06c25371d05fd27f559
SHA512

545de56b5ff602d2ae9ec32f5c67703f2fe8482fe88726c70fa44ddad0c5364ccc18b2d80c3accd25008a8e1e4a92ad3f851f375c454303d2e4135dd81651dc7
SSDEEP

3072:x9n5yq2bRSnnPWOeetgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ+uFli55p1:x2RuhQrtMsQBvli

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmfqlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebbhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gahamm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopicego.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndoknjpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjgbbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Foekebeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lplpfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekfjhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplhmmmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajjhom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnkpla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogpcpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjhdpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fgfmcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgijif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mebked32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Foneec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fejjgmpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gaedgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddqci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfjcco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmijod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdddg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agbbcpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfhkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmijod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqjeok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjopaha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhkcih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mimgecji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njdmfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojplbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Depnja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eelneoli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edfdbkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lehhof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjhdpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfonliog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djmgbhen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaghfpnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fehmanbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojnpla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Egmjmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcicha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bepeccei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chckjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Canlic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfonliog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkbpmgqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Goghkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjnicomc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mliflo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhaph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmanji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmogieho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlgjfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdmndjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpbmpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edmallef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Geaphlja.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2428	Kbjclm32.exe
3640	Kehohh32.exe
592	Kmogieho.exe
1964	Kejlmhfj.exe
2988	Kdllko32.exe
1144	Kfjhgk32.exe
4872	Lpbmpp32.exe
224	Leoehg32.exe
3024	Ldpefojd.exe
3532	Lmijod32.exe
2380	Lfanhj32.exe
3568	Llngpq32.exe
4968	Lefkiflm.exe
4016	Lplpfo32.exe
3608	Lehhof32.exe
3424	Mclhhj32.exe
4796	Mlgjfo32.exe
2004	Mepnoecb.exe
4972	Mliflo32.exe
3100	Mebked32.exe
1824	Mimgecji.exe
3416	Medgjd32.exe
2344	Nnkpla32.exe
1608	Ngdddg32.exe
3632	Nplhmmmp.exe
3916	Njdmfb32.exe
4756	Njgjlban.exe
4344	Ndoknjpa.exe
864	Ogpcpe32.exe
3096	Ojnpla32.exe
2984	Ojplbq32.exe
4876	Oqjeok32.exe
4396	Onneho32.exe
1700	Ofijla32.exe
3256	Odjjjh32.exe
2304	Pjgbbp32.exe
2896	Pmeook32.exe
2120	Pgkclc32.exe
3540	Pmhldk32.exe
2532	Pcbdad32.exe
3144	Pjllnopf.exe
4864	Pdapkgol.exe
512	Pjnicomc.exe
1948	Pqhaph32.exe
5032	Pgbimb32.exe
4208	Pjqein32.exe
4288	Qgdfbb32.exe
4620	Qmanji32.exe
4928	Qckfgcpo.exe
2184	Qfjcco32.exe
4816	Qqogqg32.exe
5000	Acncmc32.exe
3564	Aflpio32.exe
4860	Afnlnn32.exe
3592	Ajjhom32.exe
3500	Agniha32.exe
3008	Ajledl32.exe
3308	Agpenq32.exe
5024	Anjnkk32.exe
2764	Agbbcpnj.exe
4984	Anmjpj32.exe
3160	Bcicha32.exe
904	Bjckekkk.exe
2536	Beiobd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ldqaomli.dll	Kehohh32.exe
File created	C:\Windows\SysWOW64\Ldpefojd.exe	Leoehg32.exe
File opened for modification	C:\Windows\SysWOW64\Llngpq32.exe	Lfanhj32.exe
File opened for modification	C:\Windows\SysWOW64\Ojnpla32.exe	Ogpcpe32.exe
File created	C:\Windows\SysWOW64\Gjlglpjd.dll	Cmdmndjj.exe
File created	C:\Windows\SysWOW64\Kehohh32.exe	Kbjclm32.exe
File opened for modification	C:\Windows\SysWOW64\Pjgbbp32.exe	Odjjjh32.exe
File created	C:\Windows\SysWOW64\Acncmc32.exe	Qqogqg32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjpj32.exe	Agbbcpnj.exe
File opened for modification	C:\Windows\SysWOW64\Gecmmlho.exe	Gahamm32.exe
File opened for modification	C:\Windows\SysWOW64\Lfanhj32.exe	Lmijod32.exe
File created	C:\Windows\SysWOW64\Ekgcdipf.dll	Egmjmg32.exe
File created	C:\Windows\SysWOW64\Eaghfpnh.exe	Eknpie32.exe
File created	C:\Windows\SysWOW64\Flijfl32.dll	Bjhdpk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndoknjpa.exe	Njgjlban.exe
File created	C:\Windows\SysWOW64\Opcljjgj.dll	Pjllnopf.exe
File created	C:\Windows\SysWOW64\Cnkfahig.exe	Cjokaj32.exe
File created	C:\Windows\SysWOW64\Fdadnico.exe	Foekebeg.exe
File created	C:\Windows\SysWOW64\Kipalbeo.dll	Goghkb32.exe
File created	C:\Windows\SysWOW64\Nnkpla32.exe	Medgjd32.exe
File opened for modification	C:\Windows\SysWOW64\Oqjeok32.exe	Ojplbq32.exe
File created	C:\Windows\SysWOW64\Kfdkkhqb.dll	Pmeook32.exe
File created	C:\Windows\SysWOW64\Qfjcco32.exe	Qckfgcpo.exe
File created	C:\Windows\SysWOW64\Anjnkk32.exe	Agpenq32.exe
File opened for modification	C:\Windows\SysWOW64\Fgkgoefg.exe	Fejjgmpi.exe
File created	C:\Windows\SysWOW64\Goieqb32.exe	Ggbmod32.exe
File created	C:\Windows\SysWOW64\Kdllko32.exe	Kejlmhfj.exe
File created	C:\Windows\SysWOW64\Ofijla32.exe	Onneho32.exe
File created	C:\Windows\SysWOW64\Kgmaig32.dll	Ofijla32.exe
File created	C:\Windows\SysWOW64\Djobpglq.dll	Afnlnn32.exe
File created	C:\Windows\SysWOW64\Pcpdpg32.dll	Bglejofp.exe
File opened for modification	C:\Windows\SysWOW64\Ehjjbkkm.exe	Eelneoli.exe
File created	C:\Windows\SysWOW64\Egmjmg32.exe	Ehjjbkkm.exe
File created	C:\Windows\SysWOW64\Kfjhgk32.exe	Kdllko32.exe
File created	C:\Windows\SysWOW64\Pmiaoi32.dll	Llngpq32.exe
File created	C:\Windows\SysWOW64\Kpbfhebi.dll	Njdmfb32.exe
File created	C:\Windows\SysWOW64\Pjqein32.exe	Pgbimb32.exe
File created	C:\Windows\SysWOW64\Cakpccfh.exe	Cmpcbe32.exe
File opened for modification	C:\Windows\SysWOW64\Djmgbhen.exe	Dfakaile.exe
File opened for modification	C:\Windows\SysWOW64\Fgijif32.exe	Fdknmj32.exe
File created	C:\Windows\SysWOW64\Bkcndi32.dll	Fkgbod32.exe
File created	C:\Windows\SysWOW64\Kmogieho.exe	Kehohh32.exe
File opened for modification	C:\Windows\SysWOW64\Geaphlja.exe	Gaedgn32.exe
File created	C:\Windows\SysWOW64\Laoboo32.dll	Dfakaile.exe
File opened for modification	C:\Windows\SysWOW64\Anjnkk32.exe	Agpenq32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjli32.exe	Bepeccei.exe
File opened for modification	C:\Windows\SysWOW64\Dfonliog.exe	Cmgjcd32.exe
File created	C:\Windows\SysWOW64\Ekfjhf32.exe	Edmallef.exe
File opened for modification	C:\Windows\SysWOW64\Fhmpnhkh.exe	Fdadnico.exe
File created	C:\Windows\SysWOW64\Qgdfbb32.exe	Pjqein32.exe
File created	C:\Windows\SysWOW64\Akqckq32.dll	Lehhof32.exe
File created	C:\Windows\SysWOW64\Hgdgonca.dll	Pdapkgol.exe
File opened for modification	C:\Windows\SysWOW64\Acncmc32.exe	Qqogqg32.exe
File created	C:\Windows\SysWOW64\Akdncp32.dll	Beklhd32.exe
File created	C:\Windows\SysWOW64\Dhndbh32.dll	Bmfqlf32.exe
File created	C:\Windows\SysWOW64\Mpdble32.dll	Ekfjhf32.exe
File created	C:\Windows\SysWOW64\Lpbmpp32.exe	Kfjhgk32.exe
File created	C:\Windows\SysWOW64\Hgdgng32.dll	Edmallef.exe
File opened for modification	C:\Windows\SysWOW64\Eenkkojf.exe	Egmjmg32.exe
File opened for modification	C:\Windows\SysWOW64\Edcglkoo.exe	Emjopaha.exe
File opened for modification	C:\Windows\SysWOW64\Cebbhc32.exe	Bnhjli32.exe
File opened for modification	C:\Windows\SysWOW64\Cjagfi32.exe	Chckjn32.exe
File opened for modification	C:\Windows\SysWOW64\Eaghfpnh.exe	Eknpie32.exe
File created	C:\Windows\SysWOW64\Bjfhkk32.exe	Beiobd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5892	5924	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfanhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjqein32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakaile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgkclc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eenkkojf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beiobd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Canlic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopicego.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emjopaha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agpenq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beklhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplhmmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egmjmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feeqlndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eelneoli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Foekebeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdadnico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd8403e29d9539e145d61a95b6c91601df77c0aa7c38b06c25371d05fd27f559N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehohh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpbmpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhhqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngpq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lehhof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfgcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fehmanbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Geaphlja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onneho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Goieqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgkgoefg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjclm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoehg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnkpla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anjnkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmfqlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dokphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cakpccfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbpmgqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhkcih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggbmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gahamm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplpfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjjjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agbbcpnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bepeccei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehjjbkkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdknmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdllko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqjeok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgdfbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkfahig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalhjahe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhmpnhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnoecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndoknjpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfhkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Foneec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefkiflm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjckekkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjagfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fokhodmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebked32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhldk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmijod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mimgecji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngdddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cakpccfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfoom32.dll"	Dfonliog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfakaile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dalhjahe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aflpjhka.dll"	Lpbmpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fehmanbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpbmpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldagpfoc.dll"	Lefkiflm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjgbbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agpenq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfonliog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Foneec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbjclm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmanji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmlefgap.dll"	Anjnkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfakaile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaecmf32.dll"	Egpgcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgdfbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kehohh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogpcpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmhldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japafilj.dll"	Kbjclm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfqpp32.dll"	Oqjeok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbmfakbe.dll"	Bnhjli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fehmanbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famokb32.dll"	Mepnoecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnpgm32.dll"	Mclhhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njdmfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odjjjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odjjjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgkclc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acncmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijpppg32.dll"	Dopicego.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	dd8403e29d9539e145d61a95b6c91601df77c0aa7c38b06c25371d05fd27f559N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgdfbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipalbeo.dll"	Goghkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kehohh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lplpfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhdanle.dll"	Nplhmmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgbimb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghgolpb.dll"	Eenkkojf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkcndi32.dll"	Fkgbod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldpefojd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdddqm32.dll"	Qgdfbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edmallef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egmjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckiekl32.dll"	Kmogieho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Leoehg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbfhebi.dll"	Njdmfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgeabg32.dll"	Ojplbq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjgbbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfdedjca.dll"	Qckfgcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmdmndjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joghjo32.dll"	Dalhjahe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kejlmhfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edcglkoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lefkiflm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onneho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qckfgcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcicha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beiobd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 2428	4496	dd8403e29d9539e145d61a95b6c91601df77c0aa7c38b06c25371d05fd27f559N.exe	89
PID 4496 wrote to memory of 2428	4496	dd8403e29d9539e145d61a95b6c91601df77c0aa7c38b06c25371d05fd27f559N.exe	89
PID 4496 wrote to memory of 2428	4496	dd8403e29d9539e145d61a95b6c91601df77c0aa7c38b06c25371d05fd27f559N.exe	89
PID 2428 wrote to memory of 3640	2428	Kbjclm32.exe	90
PID 2428 wrote to memory of 3640	2428	Kbjclm32.exe	90
PID 2428 wrote to memory of 3640	2428	Kbjclm32.exe	90
PID 3640 wrote to memory of 592	3640	Kehohh32.exe	91
PID 3640 wrote to memory of 592	3640	Kehohh32.exe	91
PID 3640 wrote to memory of 592	3640	Kehohh32.exe	91
PID 592 wrote to memory of 1964	592	Kmogieho.exe	92
PID 592 wrote to memory of 1964	592	Kmogieho.exe	92
PID 592 wrote to memory of 1964	592	Kmogieho.exe	92
PID 1964 wrote to memory of 2988	1964	Kejlmhfj.exe	93
PID 1964 wrote to memory of 2988	1964	Kejlmhfj.exe	93
PID 1964 wrote to memory of 2988	1964	Kejlmhfj.exe	93
PID 2988 wrote to memory of 1144	2988	Kdllko32.exe	94
PID 2988 wrote to memory of 1144	2988	Kdllko32.exe	94
PID 2988 wrote to memory of 1144	2988	Kdllko32.exe	94
PID 1144 wrote to memory of 4872	1144	Kfjhgk32.exe	95
PID 1144 wrote to memory of 4872	1144	Kfjhgk32.exe	95
PID 1144 wrote to memory of 4872	1144	Kfjhgk32.exe	95
PID 4872 wrote to memory of 224	4872	Lpbmpp32.exe	96
PID 4872 wrote to memory of 224	4872	Lpbmpp32.exe	96
PID 4872 wrote to memory of 224	4872	Lpbmpp32.exe	96
PID 224 wrote to memory of 3024	224	Leoehg32.exe	97
PID 224 wrote to memory of 3024	224	Leoehg32.exe	97
PID 224 wrote to memory of 3024	224	Leoehg32.exe	97
PID 3024 wrote to memory of 3532	3024	Ldpefojd.exe	98
PID 3024 wrote to memory of 3532	3024	Ldpefojd.exe	98
PID 3024 wrote to memory of 3532	3024	Ldpefojd.exe	98
PID 3532 wrote to memory of 2380	3532	Lmijod32.exe	99
PID 3532 wrote to memory of 2380	3532	Lmijod32.exe	99
PID 3532 wrote to memory of 2380	3532	Lmijod32.exe	99
PID 2380 wrote to memory of 3568	2380	Lfanhj32.exe	100
PID 2380 wrote to memory of 3568	2380	Lfanhj32.exe	100
PID 2380 wrote to memory of 3568	2380	Lfanhj32.exe	100
PID 3568 wrote to memory of 4968	3568	Llngpq32.exe	101
PID 3568 wrote to memory of 4968	3568	Llngpq32.exe	101
PID 3568 wrote to memory of 4968	3568	Llngpq32.exe	101
PID 4968 wrote to memory of 4016	4968	Lefkiflm.exe	102
PID 4968 wrote to memory of 4016	4968	Lefkiflm.exe	102
PID 4968 wrote to memory of 4016	4968	Lefkiflm.exe	102
PID 4016 wrote to memory of 3608	4016	Lplpfo32.exe	103
PID 4016 wrote to memory of 3608	4016	Lplpfo32.exe	103
PID 4016 wrote to memory of 3608	4016	Lplpfo32.exe	103
PID 3608 wrote to memory of 3424	3608	Lehhof32.exe	104
PID 3608 wrote to memory of 3424	3608	Lehhof32.exe	104
PID 3608 wrote to memory of 3424	3608	Lehhof32.exe	104
PID 3424 wrote to memory of 4796	3424	Mclhhj32.exe	105
PID 3424 wrote to memory of 4796	3424	Mclhhj32.exe	105
PID 3424 wrote to memory of 4796	3424	Mclhhj32.exe	105
PID 4796 wrote to memory of 2004	4796	Mlgjfo32.exe	106
PID 4796 wrote to memory of 2004	4796	Mlgjfo32.exe	106
PID 4796 wrote to memory of 2004	4796	Mlgjfo32.exe	106
PID 2004 wrote to memory of 4972	2004	Mepnoecb.exe	107
PID 2004 wrote to memory of 4972	2004	Mepnoecb.exe	107
PID 2004 wrote to memory of 4972	2004	Mepnoecb.exe	107
PID 4972 wrote to memory of 3100	4972	Mliflo32.exe	108
PID 4972 wrote to memory of 3100	4972	Mliflo32.exe	108
PID 4972 wrote to memory of 3100	4972	Mliflo32.exe	108
PID 3100 wrote to memory of 1824	3100	Mebked32.exe	109
PID 3100 wrote to memory of 1824	3100	Mebked32.exe	109
PID 3100 wrote to memory of 1824	3100	Mebked32.exe	109
PID 1824 wrote to memory of 3416	1824	Mimgecji.exe	110

C:\Users\Admin\AppData\Local\Temp\dd8403e29d9539e145d61a95b6c91601df77c0aa7c38b06c25371d05fd27f559N.exe
"C:\Users\Admin\AppData\Local\Temp\dd8403e29d9539e145d61a95b6c91601df77c0aa7c38b06c25371d05fd27f559N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\SysWOW64\Kbjclm32.exe
  C:\Windows\system32\Kbjclm32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\Kehohh32.exe
    C:\Windows\system32\Kehohh32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\SysWOW64\Kmogieho.exe
      C:\Windows\system32\Kmogieho.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Windows\SysWOW64\Kejlmhfj.exe
        
        C:\Windows\system32\Kejlmhfj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\SysWOW64\Kdllko32.exe
        
        C:\Windows\system32\Kdllko32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Kfjhgk32.exe
        
        C:\Windows\system32\Kfjhgk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Lpbmpp32.exe
        
        C:\Windows\system32\Lpbmpp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Leoehg32.exe
        
        C:\Windows\system32\Leoehg32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Ldpefojd.exe
        
        C:\Windows\system32\Ldpefojd.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Lmijod32.exe
        
        C:\Windows\system32\Lmijod32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Lfanhj32.exe
        
        C:\Windows\system32\Lfanhj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Llngpq32.exe
        
        C:\Windows\system32\Llngpq32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Lefkiflm.exe
        
        C:\Windows\system32\Lefkiflm.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Lplpfo32.exe
        
        C:\Windows\system32\Lplpfo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Lehhof32.exe
        
        C:\Windows\system32\Lehhof32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Mclhhj32.exe
        
        C:\Windows\system32\Mclhhj32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Mlgjfo32.exe
        
        C:\Windows\system32\Mlgjfo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Mepnoecb.exe
        
        C:\Windows\system32\Mepnoecb.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Mliflo32.exe
        
        C:\Windows\system32\Mliflo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Mebked32.exe
        
        C:\Windows\system32\Mebked32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Mimgecji.exe
        
        C:\Windows\system32\Mimgecji.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Medgjd32.exe
        
        C:\Windows\system32\Medgjd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Nnkpla32.exe
        
        C:\Windows\system32\Nnkpla32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Ngdddg32.exe
        
        C:\Windows\system32\Ngdddg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Nplhmmmp.exe
        
        C:\Windows\system32\Nplhmmmp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Njdmfb32.exe
        
        C:\Windows\system32\Njdmfb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Njgjlban.exe
        
        C:\Windows\system32\Njgjlban.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Ndoknjpa.exe
        
        C:\Windows\system32\Ndoknjpa.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Ogpcpe32.exe
        
        C:\Windows\system32\Ogpcpe32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Ojnpla32.exe
        
        C:\Windows\system32\Ojnpla32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Ojplbq32.exe
        
        C:\Windows\system32\Ojplbq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Oqjeok32.exe
        
        C:\Windows\system32\Oqjeok32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Onneho32.exe
        
        C:\Windows\system32\Onneho32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Ofijla32.exe
        
        C:\Windows\system32\Ofijla32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Odjjjh32.exe
        
        C:\Windows\system32\Odjjjh32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Pjgbbp32.exe
        
        C:\Windows\system32\Pjgbbp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Pmeook32.exe
        
        C:\Windows\system32\Pmeook32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Pgkclc32.exe
        
        C:\Windows\system32\Pgkclc32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Pmhldk32.exe
        
        C:\Windows\system32\Pmhldk32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Pcbdad32.exe
        
        C:\Windows\system32\Pcbdad32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Pjllnopf.exe
        
        C:\Windows\system32\Pjllnopf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\Pdapkgol.exe
        
        C:\Windows\system32\Pdapkgol.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Pjnicomc.exe
        
        C:\Windows\system32\Pjnicomc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Pqhaph32.exe
        
        C:\Windows\system32\Pqhaph32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Pgbimb32.exe
        
        C:\Windows\system32\Pgbimb32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Pjqein32.exe
        
        C:\Windows\system32\Pjqein32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\Qgdfbb32.exe
        
        C:\Windows\system32\Qgdfbb32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Qmanji32.exe
        
        C:\Windows\system32\Qmanji32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Qckfgcpo.exe
        
        C:\Windows\system32\Qckfgcpo.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Qfjcco32.exe
        
        C:\Windows\system32\Qfjcco32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Qqogqg32.exe
        
        C:\Windows\system32\Qqogqg32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Acncmc32.exe
        
        C:\Windows\system32\Acncmc32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Aflpio32.exe
        
        C:\Windows\system32\Aflpio32.exe
        54⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Afnlnn32.exe
        
        C:\Windows\system32\Afnlnn32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ajjhom32.exe
        
        C:\Windows\system32\Ajjhom32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Agniha32.exe
        
        C:\Windows\system32\Agniha32.exe
        57⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\Ajledl32.exe
        
        C:\Windows\system32\Ajledl32.exe
        58⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Agpenq32.exe
        
        C:\Windows\system32\Agpenq32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Anjnkk32.exe
        
        C:\Windows\system32\Anjnkk32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Agbbcpnj.exe
        
        C:\Windows\system32\Agbbcpnj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Anmjpj32.exe
        
        C:\Windows\system32\Anmjpj32.exe
        62⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Bcicha32.exe
        
        C:\Windows\system32\Bcicha32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Bjckekkk.exe
        
        C:\Windows\system32\Bjckekkk.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\Beiobd32.exe
        
        C:\Windows\system32\Beiobd32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Bjfhkk32.exe
        
        C:\Windows\system32\Bjfhkk32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Beklhd32.exe
        
        C:\Windows\system32\Beklhd32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Bjhdpk32.exe
        
        C:\Windows\system32\Bjhdpk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Bmfqlf32.exe
        
        C:\Windows\system32\Bmfqlf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Bglejofp.exe
        
        C:\Windows\system32\Bglejofp.exe
        70⤵
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\Bepeccei.exe
        
        C:\Windows\system32\Bepeccei.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Bnhjli32.exe
        
        C:\Windows\system32\Bnhjli32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Cebbhc32.exe
        
        C:\Windows\system32\Cebbhc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1744
        
        C:\Windows\SysWOW64\Cjokaj32.exe
        
        C:\Windows\system32\Cjokaj32.exe
        74⤵
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\Cnkfahig.exe
        
        C:\Windows\system32\Cnkfahig.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\Chckjn32.exe
        
        C:\Windows\system32\Chckjn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Cjagfi32.exe
        
        C:\Windows\system32\Cjagfi32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Cmpcbe32.exe
        
        C:\Windows\system32\Cmpcbe32.exe
        78⤵
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Cakpccfh.exe
        
        C:\Windows\system32\Cakpccfh.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Canlic32.exe
        
        C:\Windows\system32\Canlic32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Cjfqaikf.exe
        
        C:\Windows\system32\Cjfqaikf.exe
        81⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Cmdmndjj.exe
        
        C:\Windows\system32\Cmdmndjj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Cmgjcd32.exe
        
        C:\Windows\system32\Cmgjcd32.exe
        83⤵
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Dfonliog.exe
        
        C:\Windows\system32\Dfonliog.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Depnja32.exe
        
        C:\Windows\system32\Depnja32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Dfakaile.exe
        
        C:\Windows\system32\Dfakaile.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Djmgbhen.exe
        
        C:\Windows\system32\Djmgbhen.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Dokphf32.exe
        
        C:\Windows\system32\Dokphf32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Ddhhqm32.exe
        
        C:\Windows\system32\Ddhhqm32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Dkbpmgqi.exe
        
        C:\Windows\system32\Dkbpmgqi.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Dalhjahe.exe
        
        C:\Windows\system32\Dalhjahe.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ddjefmgi.exe
        
        C:\Windows\system32\Ddjefmgi.exe
        92⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Dopicego.exe
        
        C:\Windows\system32\Dopicego.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Edmallef.exe
        
        C:\Windows\system32\Edmallef.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ekfjhf32.exe
        
        C:\Windows\system32\Ekfjhf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Eelneoli.exe
        
        C:\Windows\system32\Eelneoli.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Ehjjbkkm.exe
        
        C:\Windows\system32\Ehjjbkkm.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Egmjmg32.exe
        
        C:\Windows\system32\Egmjmg32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Eenkkojf.exe
        
        C:\Windows\system32\Eenkkojf.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Egpgcg32.exe
        
        C:\Windows\system32\Egpgcg32.exe
        100⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Emjopaha.exe
        
        C:\Windows\system32\Emjopaha.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Edcglkoo.exe
        
        C:\Windows\system32\Edcglkoo.exe
        102⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Eknpie32.exe
        
        C:\Windows\system32\Eknpie32.exe
        103⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Eaghfpnh.exe
        
        C:\Windows\system32\Eaghfpnh.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Edfdbkml.exe
        
        C:\Windows\system32\Edfdbkml.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Fokhodmb.exe
        
        C:\Windows\system32\Fokhodmb.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Feeqlndo.exe
        
        C:\Windows\system32\Feeqlndo.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Fgfmcf32.exe
        
        C:\Windows\system32\Fgfmcf32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Foneec32.exe
        
        C:\Windows\system32\Foneec32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Fehmanbl.exe
        
        C:\Windows\system32\Fehmanbl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Fdknmj32.exe
        
        C:\Windows\system32\Fdknmj32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Fgijif32.exe
        
        C:\Windows\system32\Fgijif32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Fejjgmpi.exe
        
        C:\Windows\system32\Fejjgmpi.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Fgkgoefg.exe
        
        C:\Windows\system32\Fgkgoefg.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Fkgbod32.exe
        
        C:\Windows\system32\Fkgbod32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Faaklnfm.exe
        
        C:\Windows\system32\Faaklnfm.exe
        116⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Fhkcih32.exe
        
        C:\Windows\system32\Fhkcih32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Foekebeg.exe
        
        C:\Windows\system32\Foekebeg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Fdadnico.exe
        
        C:\Windows\system32\Fdadnico.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Fhmpnhkh.exe
        
        C:\Windows\system32\Fhmpnhkh.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Goghkb32.exe
        
        C:\Windows\system32\Goghkb32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Gaedgn32.exe
        
        C:\Windows\system32\Gaedgn32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Geaphlja.exe
        
        C:\Windows\system32\Geaphlja.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Gddqci32.exe
        
        C:\Windows\system32\Gddqci32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Ggbmod32.exe
        
        C:\Windows\system32\Ggbmod32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Goieqb32.exe
        
        C:\Windows\system32\Goieqb32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Gahamm32.exe
        
        C:\Windows\system32\Gahamm32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Gecmmlho.exe
        
        C:\Windows\system32\Gecmmlho.exe
        128⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Gdfmii32.exe
        
        C:\Windows\system32\Gdfmii32.exe
        129⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 420
        130⤵
        Program crash
        
        PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5924 -ip 5924
1⤵
PID:5552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aflpio32.exe

Filesize
196KB

MD5
4e02b21ef35cc3b88823db58ab157749

SHA1
7928636fc8f447e123fff4c5147b968b860516c4

SHA256
3d7329829bc04ad02543a7f5301b90cfc5e199d038cd2c1d3d53acdc5f5e5a27

SHA512
b171e87e70e70edeba67b40670f163f2e4350138e65f1a7502e5ffcaeff3f2e358fe5dcff31196c8a1358a953bb9bbc1e577f0b5ddee263896ed327781de50c6

Download Submit
C:\Windows\SysWOW64\Agniha32.exe

Filesize
196KB

MD5
9a32faa7d9b6336b4c93ae4be00f1bea

SHA1
2eaf59855f8d2e7e032ba28015d71274f6b75b2b

SHA256
21e9cf578379ef2c54505c25d7c65e8882ff501f800c8a784fb8584646b2dd67

SHA512
07810046e405528796e9023bd828c99009cbb446daec9f708ed8d1bcb1922c639d9e46fff870812d4bc9bf029d7d1698010e14e98994e71406b1c7491a610b6c

Download Submit
C:\Windows\SysWOW64\Agpenq32.exe

Filesize
196KB

MD5
5bfa47c4037b8f00527a16223fea7925

SHA1
9480a8989f01099e919dde00d91673e9fc1cae76

SHA256
157c44305dedaff697ce0fefeffec215d87761979706c07a6a79f27da57fc583

SHA512
c74331fa504e0daecb8a10b5bfb174b211f5e179a048d8863acbc6977736baf91dcde68afb348a052f9ad7b5f505b462ddb27fd10f93674611eb4a4539f237cb

Download Submit
C:\Windows\SysWOW64\Beiobd32.exe

Filesize
196KB

MD5
35c7ad0e765c8aa388911f31775075de

SHA1
6cfe4a7198608348d3630e74e05c7526753db2be

SHA256
8e1b851fd804a42fe86cc540fb480f9111f235337dde3586d9af34308865e8ee

SHA512
fdd6c168bd5a8429210f6e4dc7d60380a40705c11354f6621c056c1289d44352e5e163be043f7e032fc1214dd9e9c6f9f708223f0411625a94dab9b5f028b867

Download Submit
C:\Windows\SysWOW64\Bepeccei.exe

Filesize
196KB

MD5
8f6f22e5413453c8846f789034e82d88

SHA1
803c670eae9ca9820219cf4361978759fa2408a6

SHA256
20125516564658e3d56f31d203cd63d597e383a89a22ea455a59727f82ffea4b

SHA512
0fe17262fc6f66dd9966078fbae437be51bcf615beba0d84ddd15d1da1a6cfc25d4e3b90cc64b539fd744561a8d07b1ee8f2c412d7e4df8a33f28dc7b6fddd9b

Download Submit
C:\Windows\SysWOW64\Bjfhkk32.exe

Filesize
196KB

MD5
065193e8a270297f4b3aecad30d3f03f

SHA1
04291e9e9465e28e529b6c092ad197e820948605

SHA256
ab4e87848d04e0429e7918307df60cee8044195f7f9afc2437409697140d487e

SHA512
09704d9f93f130901ca88302503839b1cb6079c7dab92e9537a955f20291ad45059dea3a388518234fa9607e60519ab85d9b75c29fbf3b6081f5a65409604c58

Download Submit
C:\Windows\SysWOW64\Bjhdpk32.exe

Filesize
128KB

MD5
8a637c297d296281a69544038a4f79c7

SHA1
60a1f6635814afd3e0d37ebcb7f1db5198c87001

SHA256
d080ee9721d11d74bb211e9fb9b1df5e61af7c7007c2de5802369271a91f5515

SHA512
9f141db17181663bfe2fde8d1f5396cda25b82c3efecd3a9d2b1e7a4fb63d982f7effa1d349cd52a177efc8dcbda0330cf0a07479e44745a5e55b83b5f16c6c1

Download Submit
C:\Windows\SysWOW64\Canlic32.exe

Filesize
196KB

MD5
e9bd228d4abf814bf7b4b3a33526d2fb

SHA1
18df533e332eb70276bd972e9c3703a4dfe681f4

SHA256
fc0424e564f182a6f05bca8b86478069dc031f185faaf7a801a886f723284e91

SHA512
381c7ac35f587d54ea145c3c3e7155f23b78316a67c9df3ebb8c6c5b505d2487efd145e4bbf72705f85e32697cf6db867d1d6aa2ba80d5ba8222a8c55b2d7f34

Download Submit
C:\Windows\SysWOW64\Chckjn32.exe

Filesize
196KB

MD5
44e1a0476374806b0effdefeadc5f1c3

SHA1
1ae7b5e9bcf5aa75b7247bd6492e9d76581bf657

SHA256
11567fe0e1141231738705ab310e8f46c565446d52b509e042e664e91f3a6c02

SHA512
cdf6ff277f1a4c8132c0ff67cfd096f38c653e0d25fa1b29985a1ad1951d2dc84422e2f1447ab34989834bba39349526f734062841d6a1fcbe84aee34e76e85e

Download Submit
C:\Windows\SysWOW64\Cmgjcd32.exe

Filesize
196KB

MD5
744decae03dee084e5f17398ecc8931a

SHA1
c1595c50c9e4d2948dfe232c53e9892bf0a28dae

SHA256
6141f0a77fee72adb6d11ebab29564c8175a156c0ca816272ada755071d94bb8

SHA512
cd78275344e465bce50a00acb5915fdea6e322b7eec9b2b2f8d143acd17fb130a5a9ced7ccd41bfbd5f003ba2947fd5a0d2631191250b596a21f76af19ab9fa4

Download Submit
C:\Windows\SysWOW64\Dokphf32.exe

Filesize
196KB

MD5
c502ff301164225d3df7aefd9ffa981b

SHA1
0865a7f4b9944a71404c46d31cc168b60bf82174

SHA256
76d0dc87b2d6c0289fd0813353facf36470943b46b69ce256a1cd0ab2b993f87

SHA512
238bf00932a87abe0f945bab43abcd401e568e11b9e283453c27ab719e00977ec49468b20a669be0c862a802c4fec646cc9f9298eff30c426fabc49febc25a6b

Download Submit
C:\Windows\SysWOW64\Eelneoli.exe

Filesize
64KB

MD5
57aea176afa82421230bdca64456dba6

SHA1
9cb444c8a72f1cadcd5b4aa95ff92a3dd16faa37

SHA256
4db8be31af575830ca65f12cc2619273f7382991dc59965f147ab289bcf5f650

SHA512
b7f4773b82144f4fc8ed7a330d292cb44698634cbe6cad45a523d5ef63b54b6a1a64522334e8d6d775a95247ee9454a1fbe6fe8ea38e2fdf31ccfd9a66264596

Download Submit
C:\Windows\SysWOW64\Egpgcg32.exe

Filesize
196KB

MD5
31be76ef818c28fbbefce6a8d8c98b35

SHA1
4d258faed5d5b7e139ed75e8af9ab817089ec729

SHA256
9757452dbbd3b29c064f98b3d89ebcf7fa067d43af59bf25242fb9584235efa6

SHA512
a00a9710f9c7dc7dc9c614739be788c197319e29d2f837ebb51ffa9357384468c0ac6a77a2c0e675d7e3081ebb1c521d05df6aa7e11f0159888a0c0317b92bfb

Download Submit
C:\Windows\SysWOW64\Fejjgmpi.exe

Filesize
128KB

MD5
59ee23122473f276f6790c1c71c8809a

SHA1
3e734cc5c6270d0a661fd720e9fcb1ac9392a2d8

SHA256
b1feb471f0647b1f217816ee4225b1790b1fd4104dd1386527cd2c1333036197

SHA512
42ec5c890badf5019e005ca891347456a320c967383e849a041ebd32b28b40857dbae8e9b3f572504615ef36fba2c87c73bea5141e590fcbaeeb2a4793feeeda

Download Submit
C:\Windows\SysWOW64\Fhkcih32.exe

Filesize
196KB

MD5
58e55d1f8ec175b24d68794317f545e1

SHA1
090b7dacc397712dd5483ef549834904e298f91d

SHA256
4005bb084a4066dd41cd11ab00b430af43ab2b9cd4e7beafa586ced88a11f8f0

SHA512
d76e6888ceee2f688ea7435428a9ac270c9481f95a5b8694e7067e2466e19df6a1c81adeb8456fc9e2fa51758792023a773876043e161f6223060d97c2f21b40

Download Submit
C:\Windows\SysWOW64\Fokhodmb.exe

Filesize
196KB

MD5
a4428d65ef78d8bf7f79eaf6d966758c

SHA1
2d6fbf799e9808190193fcd36521e2741a3d526b

SHA256
536e723eeddeba442ddde8f87e3bae317c6396ba55368f5fb00a91bbc783d386

SHA512
825ed31e4c616c98eff0eaaf6de8b1d72fd0e21c820594ced679f6a20f7a508333fed29cd653125c5f2e5e2368f96c272800e87945a058863bc6fad5bb2b5de7

Download Submit
C:\Windows\SysWOW64\Ggbmod32.exe

Filesize
196KB

MD5
d29e5118b7768968d517dc2007f95cbe

SHA1
3dbe141135eb6f59c4ee6c5bbbdbd942abf3ad05

SHA256
3b9a75f7220801a5a75cbb6db7b118c6d2a09f2443de2e68257d34811c835d63

SHA512
210c94e0dbd3a49a440bb0f2adb2167b8549470a2fef448b47e44ed754769ca68124b49477558e427884a55e894d5a057ad366042487ec147c84a21c9eb2e953

Download Submit
C:\Windows\SysWOW64\Hooioi32.dll

Filesize
7KB

MD5
7b60b1d8fd54aaf8099646461f9a9cc4

SHA1
2a42af5c7f40277b47dbee5f322d59e1e4258b11

SHA256
5b13d9e22a092c1fdc8e6f531ab2f2dec0f7ef0a5392ab1079240a6f4215dc0b

SHA512
e340978fb5011abc3d48798e8d4b1d4d60255da278597d32b0ddf0b95e1b4be8263338f5bc802f363f0bb3f830ffdfe9b541f18692fcf74a63634c99857de002

Download Submit
C:\Windows\SysWOW64\Kbjclm32.exe

Filesize
196KB

MD5
07de6600d888fc378009821c5c83329f

SHA1
80f483cc195ce9f782df9119f722159e82d24176

SHA256
d601dec60b1d28a08a6d3a368eed60f301f2e0f0f646984c7d9827f78283c534

SHA512
3a3a2657eb80a9a040e12944985157c87b2dcbe20fa2a8e1cf32ce7e77e6d537efd87318c94b1da657943ddb10196819eda305322174d0188e5b63b6b9b77c11

Download Submit
C:\Windows\SysWOW64\Kdllko32.exe

Filesize
196KB

MD5
a27bc510b98ff7878538a80ebec52477

SHA1
d111f4a0c6323e2e2868b99f4a9a955ffa06d501

SHA256
0c2421c62f11a04b01fe3a6e2e2035a7b9bb78cc794e79e3856f8b02648fcada

SHA512
6fdc31a7d6036b4d210e5990cfb1d3cc6458e33e0eeaa0e2a3a105a1285a9dfa3ee53771bbf9b650149ad9e7a701cce013173b336c2c5d09f90fdf953a1ec633

Download Submit
C:\Windows\SysWOW64\Kehohh32.exe

Filesize
196KB

MD5
a207dcacff6f999f7388ca30f3f13181

SHA1
23b03295579dae19d9653a62775832199373e482

SHA256
7741f125bcde8cd2ee3db1bf62c718eb9f57253406f55c3c686f5aae7c6baec3

SHA512
3057358f6667a61335f699ee9425d0dec828afe24a5a7896039da3a59c3a47dfd8e4a6ef2fbb06c8dbe510453204115091d195f737ab9c7108bf39ac24426a9e

Download Submit
C:\Windows\SysWOW64\Kejlmhfj.exe

Filesize
196KB

MD5
71709dc3bf725960edf80a7a1dc19489

SHA1
0b75c309b4e55e925d3b9318358768f59eb7fc06

SHA256
3187a2a0daa835bcf06f2b37b76b3ae1481c15a2d4e5c924182e7ea794bd94d9

SHA512
204fd275d29347c063f4380d58993d8ac2e86d3ac29337a5391e983c18e47be02c2cc05b930dda456b658f21ea4c8db8dc1b6fa5b44b1a3a5d3ce83c8d96676a

Download Submit
C:\Windows\SysWOW64\Kfjhgk32.exe

Filesize
196KB

MD5
095d60de09cd3b7186617fabc9935e6a

SHA1
11815ad0cce78910d5c54e4322a98d20c1777c0f

SHA256
50d67e146b8b0939995baa906bfe2bfd5a6b3c41a3f26d89939645969ab19c8f

SHA512
2a46b4852b7bfd6131b9596c6ce83b6bac9f1a51857abd4f0a349edf31c7558ff957d9691fb69ffe2f4f382b584f6ac38d950c1c9c7106cbfaeebee79be97b51

Download Submit
C:\Windows\SysWOW64\Kmogieho.exe

Filesize
196KB

MD5
f12a2fae6419fea99149c58dc169a4d2

SHA1
50cd2105f60f6e85c475ee526aa7afe47dfae153

SHA256
82ecacf501e754e88824506a59842ed006428f9416c82ad3bc6cefee78dc281a

SHA512
6284801b117de00292954971988333c1517eca38b2a5b13738ed2d384367c41bd4306a4a5fc7a8cdb8080450a70a5bd757ab840d513ea899360de2c14f3e4063

Download Submit
C:\Windows\SysWOW64\Ldpefojd.exe

Filesize
196KB

MD5
19e96ce23ec857fa119acc73a1d63a82

SHA1
06e34961247540beb0f613f1f975d38d8fc91654

SHA256
b9b183399ca6a2da15cb87b1b8662ca977987374f472ddc00b454df73e5b5375

SHA512
fc78769ffcdf53191cd2095009b943596e10fb84f8d972607410396766f8aa460aaad2d835be62a5dee0d5a3400ab5b0217a0767c6702f553778dfdb2475ec27

Download Submit
C:\Windows\SysWOW64\Lefkiflm.exe

Filesize
196KB

MD5
fd4cb87340a010bb83172966d60da5b5

SHA1
59f77d53105b9bff00c2e84489cbec5d73613d88

SHA256
03002a46738f41bf7814146e5dd98c5a59257740eeade6b8a2cd58fa01f6b70d

SHA512
c717a61b1cba4693714d1bf4b84c159d2fcf34247da29c2be2aaa182d6a637f94a3957e982168e0af3459b340f9a36a5e7976003a1da356ba56d1e8c79e60e7f

Download Submit
C:\Windows\SysWOW64\Lehhof32.exe

Filesize
196KB

MD5
bfcc610b9203bc06d83e9758b424f79d

SHA1
eaf7bafc96ffa70bd6e20748f767b43556125332

SHA256
19072832c3101b124d9818ebff5ab2c84b5dc68b92cc6270dfa875f0d2bd9b30

SHA512
395005135aee41bc043fb97d532ff6bd92edc151babee0dc86ac13e647a0619d0cc6708cc373d8cf9971de0431423c4867805589fa2bba5156f1bfaa43bb3056

Download Submit
C:\Windows\SysWOW64\Leoehg32.exe

Filesize
196KB

MD5
f4f324732186fafb35d5d73d78ff5fcc

SHA1
8b81a492ddc12483a0ef0e705ee4e81be2ff016a

SHA256
16bf62e4218e5c1561b73d3c9cdf7a5fff206042e3748cc338f28a6c00c9a197

SHA512
471ab6cbc7f2b7bc822c20f01feb0757c3ed121ca5b9dbc107509849d70f5d8d0885e1b1eca4c57bb0903a7dacb158cd26ea52da2bca562c7d26bf306aeb0198

Download Submit
C:\Windows\SysWOW64\Lfanhj32.exe

Filesize
196KB

MD5
bdb36f56d9fda744d0e6e7a0365e7e49

SHA1
f85439810ffa155d09351d23927694ed2ed4c169

SHA256
4865e8bdaa9d0336d7adaccb20a51b321711885d8a890cd5365112f2caf1c3d1

SHA512
80916b81ef2aa99e5713c3f2d6b68954aacd2b95ed0871f626ef0a561ec8ef7f2687dcd5e50694c49c530cf5f17a7a1c39a085fbd1f928f94bad947035e79b6f

Download Submit
C:\Windows\SysWOW64\Llngpq32.exe

Filesize
196KB

MD5
009fb89941c2f758f38fcf09daca6266

SHA1
45e70127b03a64a48c8b0c11aae51ab9c822361d

SHA256
bddf86a5aff364031aa7c8c25bc8f559144cb2a1e7bc1cbc9a82ace5a0c36e7a

SHA512
31e39ca1c8a42e3b43758cb8336c98dcb56cd98b05c7b170b1ba4e1daa3f68cc00a05b8e151ba83a872f70934ad2fe8b4449c218e64762fc61ef52a7c06374cc

Download Submit
C:\Windows\SysWOW64\Lmijod32.exe

Filesize
196KB

MD5
29267d1fbd4e4bf5ecde29c4dabd4900

SHA1
8b1582612ac34f558ab85315c79078c5493589aa

SHA256
3f5dc68e5613149fb92557d3b2dbe04a5d72bb9bc7dcb7bddc69ea4cde812065

SHA512
947aa6834c698c5cdd178d1f78768d3c0a4193572aef4221a53e482b2453d2c20b1ca5e76546bb9481b6b9b162759c09e2e382ef40a034fff84cd3a817d49664

Download Submit
C:\Windows\SysWOW64\Lpbmpp32.exe

Filesize
196KB

MD5
761d7cb13b24f5d37bb94dbe58f4af96

SHA1
c65784e18374b559be5b7297328ce236d8cd60a5

SHA256
65753ee72f57af17f5ec68060d6f15423cfc31de7df6538f86679217cfef33e7

SHA512
63e75e23a0d397af1fa5cbdd92c5a57e6b0e1ee4a4786eb46c215d4a8e830133b44da33a25652de374f0ef861149fed8788ffc6465de8ecb3e9238c49064b360

Download Submit
C:\Windows\SysWOW64\Lplpfo32.exe

Filesize
196KB

MD5
4854b4b520e0ce2d6448c2527986b64a

SHA1
f834e7a3e26295a39d011f9b7364ad1d07059895

SHA256
f00aec2eada970874f51289b31d41ba8c2fb63770832523cf8c9f5645c1d5058

SHA512
841113148dd69d06aa74570692c417f6a4438dca51ad4d17132e046c87037ebbb4e4d823197e45335b18f5cdc61c16d40807863263af7f58d3d7097488ee3eca

Download Submit
C:\Windows\SysWOW64\Mclhhj32.exe

Filesize
196KB

MD5
5817044e5cbcff88b6c205971844947e

SHA1
ae44f12ea98ed7d97d91e239bbdd6f13cfdb315b

SHA256
3d7618b786a78dcf357cb2795365f44624a77c5ce2bd7ea11c023580d4597427

SHA512
fa1f23cb9bfaf378937d331a3be38a84b8b8024bc85a8357a93acf55527a97099e84041ed6b2fe8e692ad1529aef3527e66e5c94c400edd7d79c278aa716ebf7

Download Submit
C:\Windows\SysWOW64\Mebked32.exe

Filesize
196KB

MD5
30e04af09e05ef6c8a7a8fe7bfcd704f

SHA1
c2855c2a3aa3b3b50c67fc5df0570284dbbd8f87

SHA256
af094b104678973f262cfe5c607278544dc7ecc8bea71cc4100f9ecbcb64e8bf

SHA512
8cd483caf051878f32553d9c840a5af592c877d2ff11d87b041848f39bd092c70d4cdde2fceb16b02977d3e72ccf160a57c3f138c885f28f61c7f4141c89be3a

Download Submit
C:\Windows\SysWOW64\Medgjd32.exe

Filesize
196KB

MD5
badab39ec0e588a2686037603a40ecc9

SHA1
f4d89879aaa70f0bb78b7a9260624467236d63e9

SHA256
4d6628af91912485dc042f7204b8f73c1bf9fa70faedab904215d20a965de22c

SHA512
92981549ea77732ffeb1cc88a2c4aa31bc0519a824860b3d1aa67640c544a014bd121299c554e44f8fd68b57826c936c233c948558a411ec75129d5a9e1c9472

Download Submit
C:\Windows\SysWOW64\Mepnoecb.exe

Filesize
196KB

MD5
21548b6bd935c0bef110c48517b09aec

SHA1
1534183d75549b934df77446c504bfd347c3c421

SHA256
a72ef041fd9171bbe727c8025669536aab196e9aff75d662cd6f47598993896f

SHA512
e12a6dc56d65d065008e10ebe79e1c9b5fae4af29e0980f55dfa958a7ff61e888eeca55749dbac2e2d6cdde1c64f9a36ed0ea13bfc9de800d1ea34154d2b949a

Download Submit
C:\Windows\SysWOW64\Mimgecji.exe

Filesize
196KB

MD5
ed1ae6c531ecf70c22cd0351284a45fd

SHA1
624752c2c0e77d8673528841f2b7f984255cb715

SHA256
6b549b8442346462e22668a9263a6004f6a3c756d1e0f4bd15d1324ccbcedf6e

SHA512
d0dfb700916d41e7a4fdfe10a0e1af80561b76008fef654bb7356802fadf833d2a5332a25ff3b461929470402dfd3c43ff6cc62b596b7ab55c8878666979921c

Download Submit
C:\Windows\SysWOW64\Mlgjfo32.exe

Filesize
196KB

MD5
47fc78e2560b14a91892666c803a896b

SHA1
e26a9dc31ebfeb73194fefda935adbf7c9f9a2ee

SHA256
3ef5d6f0ca5383d405c4f5683d41dec01e39d388c693b1c3a5e16dbb62b3eeaf

SHA512
4f6570e5dc2ff3c0e7c9e910b1a48ec8d01a892311334b789b56aeaa5d52e690de94337625e7a7d4df3806d9744722bc6079c5b70d4ec47490510598bc3bd89c

Download Submit
C:\Windows\SysWOW64\Mliflo32.exe

Filesize
196KB

MD5
5ab8d6fb3bb8fcf1efc618487e2c8a47

SHA1
6b228c44d091d9afe627747f60ab4741a29f23fe

SHA256
5cf4db698a66e42037897a26b670afacdd79889b362324091d2aa8de4b3973f0

SHA512
e08da1d54e7c9726db6eb3306281f7d3fd361ae7f67899b59a7a57e3ec1882f6f7cc495a2b3a312d5b62dca9d70fbce565fab4e8b94d32b36d6af705388e8fa5

Download Submit
C:\Windows\SysWOW64\Ndoknjpa.exe

Filesize
196KB

MD5
40e4be0f6ddfa1142f86a0c36779b33c

SHA1
79a4a80cdc61a166961828774aafabaee2043ef3

SHA256
b494c0ba85591942e949a160cc780427924e602869bc3898f3c2c6aae4a97948

SHA512
3e0fbcec366254e2bf11e22780a1af2bc90420bc2b3dcc5e14a27dce14872a8878dd0bc71bfa74cb2c25d0cdffc298ff2a31301b69c97132873ed0474da84a50

Download Submit
C:\Windows\SysWOW64\Ngdddg32.exe

Filesize
196KB

MD5
645704870c1717ed481ceaf598eba694

SHA1
cf8f95bad9dd8ebde9218d73ddb85041f8e7d7df

SHA256
666d72d80eebcd0d01fb4397bd8e1b0ada793c94b24ec6248e806b6b9f1dcf72

SHA512
33c28759c8db09e3593c16e991ac4dc71da2ecf4768aa3ae23473714cc191c281165d8ff806a283a6fec39fd577d54bddb8fd50fd90240d626ce6af511f6c506

Download Submit
C:\Windows\SysWOW64\Njdmfb32.exe

Filesize
196KB

MD5
5833ada651330b63cb532623d99c7ffd

SHA1
bc34755d7218e66ddae8dc8d4b298b49f237532d

SHA256
ec8e330dbada783a344c2e19f3ec927849a3e498ada2552aa3d55b0df6e08d13

SHA512
8215ce48bc0269bcce90bfb55860854146e37b5a82e8f1d4d4572bace0a33b9c1c10095be1bf13b1d141e975a3a58f5f2d0ecaee681641635211db7edf918556

Download Submit
C:\Windows\SysWOW64\Njdmfb32.exe

Filesize
196KB

MD5
4be5eeb9335e9fa8fcaecbba3def82be

SHA1
2892331397547c33501a2cc090f25b300f09eb67

SHA256
75889743598aa214d205d62624e27957b6b7bb8ddea28d71687aed517f075c98

SHA512
510e32d636fbff928166c293b411eb7e38a7408c96673328b54ab9ae97d1897936e3b8953cda5c0b3dd656393134f1c92b4d86726deaf3d9b7cdade13b2c1c2b

Download Submit
C:\Windows\SysWOW64\Njgjlban.exe

Filesize
196KB

MD5
ef5ceeeb0c6abc43151bbd6422437229

SHA1
19ef54192f1f602432e19303feec2abbfdd4fcb9

SHA256
68897d711cb4c48df586cadf360fa583e42ae2f9758b5b9b7263cffbcaba9430

SHA512
35b13e05007fc38657d8c94348de71da140bc6a05ac26aab0f403a9df18962e64f69f9cfa6355093d62c607d5740f8fa8e3f698549e872a133de8c0af0233b8d

Download Submit
C:\Windows\SysWOW64\Nnkpla32.exe

Filesize
196KB

MD5
3fafb8bc6cf0bfa5e206216ccc1ce962

SHA1
e76afca91e0c7af88f5696d502030e9bfccec215

SHA256
874973fbe49d4345b1dc234cc770e39319e5dcaa4b91c44510e11ed3b2d9d9c1

SHA512
91691961ba56eb9b392894181e03e2632df50a63a071e83c68589ba5ba9c4b304a8fe5163abde4a6249c710bcee59aef6671c5d9ce970f41de3aae28bcdfbcd1

Download Submit
C:\Windows\SysWOW64\Nplhmmmp.exe

Filesize
196KB

MD5
30e1209074a8456d30938cac9d70d57f

SHA1
f11635d27154fe1c68710e5a46770ab34f86bbb1

SHA256
0fc2a18e79be79e0235980d498b330ccd4f127f7703c4bc8b2f75c69179cade9

SHA512
18fda3221671a8135fec16fd76503e04055ac99217c77ef406b0a78981399efef2d2c2b7e8387943b4066e84eb11e48c38afa33137b4e9913ec66228a8611177

Download Submit
C:\Windows\SysWOW64\Ogpcpe32.exe

Filesize
196KB

MD5
f96b93986db0165ab8442f936dbb9a86

SHA1
70f612d74b83c3afa703ca7ad23086e4dc7fe795

SHA256
3627b2af62357da93f26c7266471ee3141c4c7dc90e2b8bbff5b36a72cc8476e

SHA512
451f42fdc03e2e4b71836e5016ba68fe4612c673b01ed92e36d193695bda7bc896beedbd8cdc53e405d3f7d4a44e14652b9ee8cc5e2f401de3b85ad3ffcbcdf6

Download Submit
C:\Windows\SysWOW64\Ojnpla32.exe

Filesize
196KB

MD5
7b4e65319001f647d4c6a69da0990173

SHA1
eb22c39a554220e4c94fd3d05220d058f72a8b7c

SHA256
184b25281002a93ebe75a0b8252a146692f3bd9593d830f9815c159a3a5eaaed

SHA512
b166bb4797a035fd083fcb0a2845dc9aa31e3d04e5dd56a1653abb170cadda8a1d3c948478803a65c6c5c6455254ed829d218f3fc07e571353f83b9f62adfae9

Download Submit
C:\Windows\SysWOW64\Ojplbq32.exe

Filesize
196KB

MD5
dc514d41ccb99e593bd7cd7dbfe02002

SHA1
8074fdecc7d5f35861a51d0eca8d3c01d8f3f412

SHA256
d5697f4ea8dbbb783eeef9197c2659b5a5e4bc1660d74eb8d9ccfc2118ab08e6

SHA512
c340b834f08d90e2bee62da962779fe9bf0fb50db67466465b27d89ec4be0e6cb58e5c5d76f336dbf298039e2f922b3799f2f831b6454151ca9b7b433c4a8754

Download Submit
C:\Windows\SysWOW64\Oqjeok32.exe

Filesize
196KB

MD5
15df7eaa3e316cb07f6ae17a2a0544a0

SHA1
c6f1332b8c8403719ae4b558a35f783f921c828b

SHA256
febd1b970d53e5af824eef9adad6927d35741d2939b07395d455730913528e93

SHA512
120d3e51f7224e3d58fb09ec2d67672978cabe696c823cc3855d85a8e7ba6928f75b7408d42bcc70fb7a376138e907b91cde8d5aebadf165889ae97aee114863

Download Submit
C:\Windows\SysWOW64\Pjqein32.exe

Filesize
196KB

MD5
f35be08dd05f7316f043596a74080bc8

SHA1
adfdf513f1c0b866e264c0aec55fa1189c5dd6fd

SHA256
8f8eb7d705ee6583f9270666f8f996b1b5f50bec64f4fe6af9d5e34866012d2a

SHA512
e46a9c6043a97f7fdd6e416e14498681fa9c990b3da49220bc0a0fda6bfeb34e5c055ba5b69ac56490fc66798ec12c2e1d8479b69a4c04c8b4208b4770b027ca

Download Submit
C:\Windows\SysWOW64\Qqogqg32.exe

Filesize
196KB

MD5
600e9bf08976d3251b0d61e140e06c42

SHA1
fa9d9c61bade710994d6e4fc9f78cac030baecbf

SHA256
a3682bc24c48ee10ca98abd72af3be720c72596dc2849e2d40d8e98cd151b2ac

SHA512
8b72c5929cf84c004417beb9c3f2aee3f595feb68ac1bdd5d9114207a1c87641ce520e0114c4ef70650a8835b9b8e7194a15c4ef944fcee92b5d5998e0e066be

Download Submit
memory/224-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-983-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5148-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5192-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5284-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5968-903-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads