berbew | 72033661a2bd39006eb8029f78f3742cf838c6828a73a4392cdf9833567bcb81

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72033661a2bd39006eb8029f78f3742cf838c6828a73a4392cdf9833567bcb81N.exe
Size

77KB
MD5

73204a94fe4c04fb447ff1ecdb169f60
SHA1

b3eddbf14702acf55a528457e6136b823e57d2f2
SHA256

72033661a2bd39006eb8029f78f3742cf838c6828a73a4392cdf9833567bcb81
SHA512

3d916f557fec379c91711d7e15b8e2ffc78c0b13f84754ee183c032e11c01555d1c7705801f9f977a97bac20c8fa4bc25495852f8c1cec3a4d6e4610d685c1f4
SSDEEP

1536:eM9QXjKsgoDjhAzC1uoQ5a+xMchIzL32LtDWwfi+TjRC/:eJjKsgK+GQkETUcxWwf1TjY

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blgddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bikeni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgdmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlgjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bliajd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iloajfml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	72033661a2bd39006eb8029f78f3742cf838c6828a73a4392cdf9833567bcb81N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afqifo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pomncfge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moalil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bblcfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdngpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moalil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apngjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blknpdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afceko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dllffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icfmci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cboibm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cekhihig.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2468	Infhebbh.exe
4908	Iccpniqp.exe
4204	Ilkhog32.exe
5004	Ijmhkchl.exe
1508	Ibdplaho.exe
916	Icfmci32.exe
4496	Inkaqb32.exe
2912	Ieeimlep.exe
2400	Iloajfml.exe
3336	Jbijgp32.exe
4776	Jhfbog32.exe
1164	Jnpjlajn.exe
5044	Jejbhk32.exe
2212	Jldkeeig.exe
736	Jnbgaa32.exe
5104	Jhkljfok.exe
3128	Jjihfbno.exe
2100	Jdalog32.exe
1976	Jogqlpde.exe
1696	Jeaiij32.exe
452	Jjnaaa32.exe
428	Kahinkaf.exe
3340	Khabke32.exe
316	Kkpnga32.exe
5000	Kajfdk32.exe
1384	Kkbkmqed.exe
4452	Kbjbnnfg.exe
2636	Khfkfedn.exe
2768	Kblpcndd.exe
4148	Klddlckd.exe
3012	Lkiamp32.exe
3320	Lacijjgi.exe
644	Lbebilli.exe
4444	Lolcnman.exe
1600	Loopdmpk.exe
2548	Lhgdmb32.exe
4144	Moalil32.exe
1716	Mdpagc32.exe
1888	Mlgjhp32.exe
2924	Mepnaf32.exe
4440	Mhnjna32.exe
1132	Mafofggd.exe
4088	Mddkbbfg.exe
3376	Mkocol32.exe
400	Mdghhb32.exe
3936	Nkapelka.exe
2320	Nakhaf32.exe
3476	Nlqloo32.exe
4256	Ndlacapp.exe
412	Nkeipk32.exe
4872	Nhjjip32.exe
3188	Nconfh32.exe
2656	Nhlfoodc.exe
1520	Nlgbon32.exe
4804	Nbdkhe32.exe
1896	Okmpqjad.exe
5052	Obfhmd32.exe
1704	Ollljmhg.exe
2420	Obidcdfo.exe
5040	Odgqopeb.exe
1512	Oloipmfd.exe
732	Oomelheh.exe
4380	Ofgmib32.exe
1248	Ofijnbkb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gmoikj32.dll	Mepnaf32.exe
File opened for modification	C:\Windows\SysWOW64\Mddkbbfg.exe	Mafofggd.exe
File opened for modification	C:\Windows\SysWOW64\Okmpqjad.exe	Nbdkhe32.exe
File created	C:\Windows\SysWOW64\Pdngpo32.exe	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Aknmjgje.dll	Abpcja32.exe
File opened for modification	C:\Windows\SysWOW64\Cboibm32.exe	Cpqlfa32.exe
File created	C:\Windows\SysWOW64\Oapijm32.dll	Iccpniqp.exe
File created	C:\Windows\SysWOW64\Kajfdk32.exe	Kkpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Odgqopeb.exe	Obidcdfo.exe
File opened for modification	C:\Windows\SysWOW64\Piaiqlak.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Bliajd32.exe	Bikeni32.exe
File opened for modification	C:\Windows\SysWOW64\Bliajd32.exe	Bikeni32.exe
File created	C:\Windows\SysWOW64\Jnbgaa32.exe	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Hfqgoo32.dll	Qkfkng32.exe
File opened for modification	C:\Windows\SysWOW64\Cibkohef.exe	Cdebfago.exe
File created	C:\Windows\SysWOW64\Midbjmkg.dll	Cdebfago.exe
File created	C:\Windows\SysWOW64\Fbelak32.dll	Ciknefmk.exe
File created	C:\Windows\SysWOW64\Jejbhk32.exe	Jnpjlajn.exe
File created	C:\Windows\SysWOW64\Bbalaoda.exe	Blgddd32.exe
File created	C:\Windows\SysWOW64\Cboibm32.exe	Cpqlfa32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdcf32.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Mafofggd.exe	Mhnjna32.exe
File opened for modification	C:\Windows\SysWOW64\Ofgmib32.exe	Oomelheh.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Kahinkaf.exe	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Iloajfml.exe	Ieeimlep.exe
File created	C:\Windows\SysWOW64\Ohhbfe32.dll	Mkocol32.exe
File created	C:\Windows\SysWOW64\Apngjd32.exe	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Gdfmgqph.dll	Bfoegm32.exe
File created	C:\Windows\SysWOW64\Eopbppjf.dll	Ilkhog32.exe
File opened for modification	C:\Windows\SysWOW64\Apngjd32.exe	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Bfoegm32.exe	Bliajd32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcja32.exe	Qkfkng32.exe
File opened for modification	C:\Windows\SysWOW64\Apimodmh.exe	Afqifo32.exe
File opened for modification	C:\Windows\SysWOW64\Icfmci32.exe	Ibdplaho.exe
File opened for modification	C:\Windows\SysWOW64\Lkiamp32.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Mlgjhp32.exe	Mdpagc32.exe
File opened for modification	C:\Windows\SysWOW64\Obpkcc32.exe	Ooangh32.exe
File created	C:\Windows\SysWOW64\Gkhikf32.dll	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Pmhkflnj.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Jkiigchm.dll	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pbimjb32.exe	Piaiqlak.exe
File opened for modification	C:\Windows\SysWOW64\Jjnaaa32.exe	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Mnjellfo.dll	Beoimjce.exe
File opened for modification	C:\Windows\SysWOW64\Clpgkcdj.exe	Cibkohef.exe
File created	C:\Windows\SysWOW64\Dpkgac32.dll	Dgdgijhp.exe
File created	C:\Windows\SysWOW64\Pehjfm32.exe	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Khfkfedn.exe	Kbjbnnfg.exe
File opened for modification	C:\Windows\SysWOW64\Bfabmmhe.exe	Blknpdho.exe
File created	C:\Windows\SysWOW64\Blnjecfl.exe	Bipnihgi.exe
File opened for modification	C:\Windows\SysWOW64\Cekhihig.exe	Cehlcikj.exe
File opened for modification	C:\Windows\SysWOW64\Dbcbnlcl.exe	Clijablo.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Kkbkmqed.exe
File opened for modification	C:\Windows\SysWOW64\Pdngpo32.exe	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Djbehfpe.dll	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Jaepkejo.dll	Cpcila32.exe
File opened for modification	C:\Windows\SysWOW64\Dipgpf32.exe	Dbfoclai.exe
File created	C:\Windows\SysWOW64\Mjicah32.dll	Lhgdmb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjihfbno.exe	Jhkljfok.exe
File opened for modification	C:\Windows\SysWOW64\Jeaiij32.exe	Jogqlpde.exe
File opened for modification	C:\Windows\SysWOW64\Loopdmpk.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Codncb32.dll	Nlgbon32.exe
File created	C:\Windows\SysWOW64\Ooangh32.exe	Ofijnbkb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5740	5836	WerFault.exe	220

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apimodmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabmmhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clpgkcdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iloajfml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oloipmfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdngpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgqie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcogo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgdmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beoimjce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldgoeog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibdplaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nakhaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afqifo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blknpdho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bikeni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibkohef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jogqlpde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blnjecfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cboibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpjlajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddkbbfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllffa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iccpniqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbgaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afeban32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfoclai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollljmhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apngjd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaeamb32.dll"	Ijmhkchl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedkhf32.dll"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlgjhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bochcckb.dll"	Jldkeeig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlgjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll"	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfiefp32.dll"	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedfbe32.dll"	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeeibmnq.dll"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iilpao32.dll"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqkiecpd.dll"	Afqifo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaggn32.dll"	Bmimdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khabke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqcco32.dll"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefjdppe.dll"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conkjj32.dll"	Nhlfoodc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcdeb32.dll"	Blgddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dllffa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinffi32.dll"	72033661a2bd39006eb8029f78f3742cf838c6828a73a4392cdf9833567bcb81N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaeig32.dll"	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnggfhnm.dll"	Ndlacapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bipnihgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bipnihgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dllffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bikeni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blknpdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhikf32.dll"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenlmopg.dll"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piifjomf.dll"	Blknpdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnakk32.dll"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balodg32.dll"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdleo32.dll"	Ndidna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blgddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bliajd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdlch32.dll"	Loopdmpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnggcqk.dll"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkfkng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 2468	4112	72033661a2bd39006eb8029f78f3742cf838c6828a73a4392cdf9833567bcb81N.exe	89
PID 4112 wrote to memory of 2468	4112	72033661a2bd39006eb8029f78f3742cf838c6828a73a4392cdf9833567bcb81N.exe	89
PID 4112 wrote to memory of 2468	4112	72033661a2bd39006eb8029f78f3742cf838c6828a73a4392cdf9833567bcb81N.exe	89
PID 2468 wrote to memory of 4908	2468	Infhebbh.exe	90
PID 2468 wrote to memory of 4908	2468	Infhebbh.exe	90
PID 2468 wrote to memory of 4908	2468	Infhebbh.exe	90
PID 4908 wrote to memory of 4204	4908	Iccpniqp.exe	91
PID 4908 wrote to memory of 4204	4908	Iccpniqp.exe	91
PID 4908 wrote to memory of 4204	4908	Iccpniqp.exe	91
PID 4204 wrote to memory of 5004	4204	Ilkhog32.exe	92
PID 4204 wrote to memory of 5004	4204	Ilkhog32.exe	92
PID 4204 wrote to memory of 5004	4204	Ilkhog32.exe	92
PID 5004 wrote to memory of 1508	5004	Ijmhkchl.exe	93
PID 5004 wrote to memory of 1508	5004	Ijmhkchl.exe	93
PID 5004 wrote to memory of 1508	5004	Ijmhkchl.exe	93
PID 1508 wrote to memory of 916	1508	Ibdplaho.exe	94
PID 1508 wrote to memory of 916	1508	Ibdplaho.exe	94
PID 1508 wrote to memory of 916	1508	Ibdplaho.exe	94
PID 916 wrote to memory of 4496	916	Icfmci32.exe	95
PID 916 wrote to memory of 4496	916	Icfmci32.exe	95
PID 916 wrote to memory of 4496	916	Icfmci32.exe	95
PID 4496 wrote to memory of 2912	4496	Inkaqb32.exe	96
PID 4496 wrote to memory of 2912	4496	Inkaqb32.exe	96
PID 4496 wrote to memory of 2912	4496	Inkaqb32.exe	96
PID 2912 wrote to memory of 2400	2912	Ieeimlep.exe	97
PID 2912 wrote to memory of 2400	2912	Ieeimlep.exe	97
PID 2912 wrote to memory of 2400	2912	Ieeimlep.exe	97
PID 2400 wrote to memory of 3336	2400	Iloajfml.exe	98
PID 2400 wrote to memory of 3336	2400	Iloajfml.exe	98
PID 2400 wrote to memory of 3336	2400	Iloajfml.exe	98
PID 3336 wrote to memory of 4776	3336	Jbijgp32.exe	99
PID 3336 wrote to memory of 4776	3336	Jbijgp32.exe	99
PID 3336 wrote to memory of 4776	3336	Jbijgp32.exe	99
PID 4776 wrote to memory of 1164	4776	Jhfbog32.exe	100
PID 4776 wrote to memory of 1164	4776	Jhfbog32.exe	100
PID 4776 wrote to memory of 1164	4776	Jhfbog32.exe	100
PID 1164 wrote to memory of 5044	1164	Jnpjlajn.exe	101
PID 1164 wrote to memory of 5044	1164	Jnpjlajn.exe	101
PID 1164 wrote to memory of 5044	1164	Jnpjlajn.exe	101
PID 5044 wrote to memory of 2212	5044	Jejbhk32.exe	102
PID 5044 wrote to memory of 2212	5044	Jejbhk32.exe	102
PID 5044 wrote to memory of 2212	5044	Jejbhk32.exe	102
PID 2212 wrote to memory of 736	2212	Jldkeeig.exe	103
PID 2212 wrote to memory of 736	2212	Jldkeeig.exe	103
PID 2212 wrote to memory of 736	2212	Jldkeeig.exe	103
PID 736 wrote to memory of 5104	736	Jnbgaa32.exe	104
PID 736 wrote to memory of 5104	736	Jnbgaa32.exe	104
PID 736 wrote to memory of 5104	736	Jnbgaa32.exe	104
PID 5104 wrote to memory of 3128	5104	Jhkljfok.exe	105
PID 5104 wrote to memory of 3128	5104	Jhkljfok.exe	105
PID 5104 wrote to memory of 3128	5104	Jhkljfok.exe	105
PID 3128 wrote to memory of 2100	3128	Jjihfbno.exe	106
PID 3128 wrote to memory of 2100	3128	Jjihfbno.exe	106
PID 3128 wrote to memory of 2100	3128	Jjihfbno.exe	106
PID 2100 wrote to memory of 1976	2100	Jdalog32.exe	107
PID 2100 wrote to memory of 1976	2100	Jdalog32.exe	107
PID 2100 wrote to memory of 1976	2100	Jdalog32.exe	107
PID 1976 wrote to memory of 1696	1976	Jogqlpde.exe	108
PID 1976 wrote to memory of 1696	1976	Jogqlpde.exe	108
PID 1976 wrote to memory of 1696	1976	Jogqlpde.exe	108
PID 1696 wrote to memory of 452	1696	Jeaiij32.exe	109
PID 1696 wrote to memory of 452	1696	Jeaiij32.exe	109
PID 1696 wrote to memory of 452	1696	Jeaiij32.exe	109
PID 452 wrote to memory of 428	452	Jjnaaa32.exe	110

C:\Users\Admin\AppData\Local\Temp\72033661a2bd39006eb8029f78f3742cf838c6828a73a4392cdf9833567bcb81N.exe
"C:\Users\Admin\AppData\Local\Temp\72033661a2bd39006eb8029f78f3742cf838c6828a73a4392cdf9833567bcb81N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\SysWOW64\Infhebbh.exe
  C:\Windows\system32\Infhebbh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\Iccpniqp.exe
    C:\Windows\system32\Iccpniqp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\SysWOW64\Ilkhog32.exe
      C:\Windows\system32\Ilkhog32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        26⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        34⤵
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        50⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        52⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        53⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        58⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        62⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        65⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        75⤵
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3488
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3284
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        90⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        97⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        99⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Bikeni32.exe
        
        C:\Windows\system32\Bikeni32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        103⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        105⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        110⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Cibkohef.exe
        
        C:\Windows\system32\Cibkohef.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Cpqlfa32.exe
        
        C:\Windows\system32\Cpqlfa32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        117⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        121⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        128⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 400
        131⤵
        Program crash
        
        PID:5740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3036,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5836 -ip 5836
1⤵
PID:6132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afeban32.exe

Filesize
77KB

MD5
b930d6cd85e6e92c2f681158164e8fb3

SHA1
60b246974b837889b61fe89a757a020ec6b418c4

SHA256
ac89a303a5e62506345844cc5e86e222e16d90e0dab8bc8ad523e20a4d6663cf

SHA512
206812a153e62fc6c77aa70c91033466ec483753f69f28777973466f1c3ea1b0e884fe25745108c805861cf6b036393f97105295fa854e6520f722d9cbf007da

Download Submit
C:\Windows\SysWOW64\Afnlpohj.exe

Filesize
77KB

MD5
49b0355777c2510aed9c7d2650b16d3b

SHA1
0a080474b8a934e9341abe4ff6422bfd24dca4ab

SHA256
6fc8b637539ced847bd0c197a0ff035dd614ae95179d41ee61681d47cb345ec2

SHA512
8125264cb49d7573707d5e0eb74e36b5abc131920a3fb2dacab2a86459ece6b3b80fef49e54c466a2b60b79b376271d2b8688002e7d435e13f5c680f7262f816

Download Submit
C:\Windows\SysWOW64\Beaecjab.exe

Filesize
77KB

MD5
7b95367943deb45d11f7fed40ae1af06

SHA1
4e8246f8660a3ab0d0d695cf257a7ebc050eb0d8

SHA256
c0aaea97570d088ff066db03bd050775b7238f6fdfce7085b3439c8e70c7e80f

SHA512
fb101e4042dd61c5a8a80acd873ebd7b9ca4cddf235105475ab79ea88718812427e764b134f66df3ff402805b310bea3b1b463faf52e0cfae08f975b73769cdb

Download Submit
C:\Windows\SysWOW64\Bldgoeog.exe

Filesize
77KB

MD5
25e627592078dfb3320f91351488734c

SHA1
4d5e5c0c13c413fa25835da4e571c33fbd2eb25b

SHA256
65abde8216b0978dd979acb8a1b096308b3590cc589128fc872ff12169477f22

SHA512
8a978750dc03baef7b9d5917660fa7905e1aff2ce2f0cef488d071eac98ab43cb985aced808129506e218032392f96892dfb6eee51a67df4f693b7423fbfa23c

Download Submit
C:\Windows\SysWOW64\Ciknefmk.exe

Filesize
77KB

MD5
d7377a5e9a5126564771f9ad0bc6ea82

SHA1
3a4f66b4c67ee2f2adaef468d9fc168bcf69d699

SHA256
213b0dbf684e880004ddb36c5b26b3602afc119901f8ed9cd21f1564f6947763

SHA512
31393b71f7e201714c8f0edfbb0eb36b32cf2eda6ea8d462d3fd6e6dfdab609f3dbe1f444fcbb4faebc2733fe6a5c8c6689588eac42a23ef83a889aed2f50ce6

Download Submit
C:\Windows\SysWOW64\Cpqlfa32.exe

Filesize
77KB

MD5
d6050d7d5d51e2876c94647d0018c371

SHA1
52f5d40c1bd6a09c6fe443b167f540b192797e3f

SHA256
9ef519ce5581bc06b168a69188be70b20522e21ea929167cee8342a5c63dd963

SHA512
73bfa16ba99b5e66548aac86bd6cbdf1ba069e4398c031e4e75071ce9b3e4cc139457b49f3f037929305d5fbe133dbe79f70675ce79a32b99814c7ef728c6671

Download Submit
C:\Windows\SysWOW64\Dbcbnlcl.exe

Filesize
77KB

MD5
41cf138a616f9903a5315d979cd81a87

SHA1
b21b05a53843bf66ff88fb904618177aeddf559c

SHA256
02bb7959e2fe887a7b760cbec2ed2bac3452b087e1ec1e7e26e22d70796a6db9

SHA512
4db9633f08a02eb376a60dcf45efe7e35d8996525be24ed5aaf724e6b2d38399bbe52436995b349e8e9a9c95e96e1389fa64266c7f51b9d12787d53d5f7fc603

Download Submit
C:\Windows\SysWOW64\Dbfoclai.exe

Filesize
77KB

MD5
5be1caa86674b4f2d74fc59a8aaa637a

SHA1
780596da224c0a0d592c97bea3dc8ddc6fd8bd6f

SHA256
ad75a0da50485375ef5e5bffc2178269777a46b76a0817444c0a829aa2c3407b

SHA512
1d8daad5c515f68e3815a4db400afbd29c408ea3fe61d1d31ed5fdedfaa72a910950f9d703e2c92b0c39b68dcc0ab656a4f73ab2e1ee4b747255764a3ebc5766

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
77KB

MD5
fd0c945fe0a04de8fa6018f8aa340d6b

SHA1
28337908b29b555868560ce691b30c4281a93572

SHA256
2891203dbd4cc84110b85999f264199b80175f643e518b529a5088f1e4d5e475

SHA512
1169140b4b4f6d665cfb7c05d06dcaec5816c506ae81a8fbacaeae058a67d8886b7bacf7f5c95d3e3f753f9da41ddcae60159babe3093a23e0064fe73d51d042

Download Submit
C:\Windows\SysWOW64\Dgdgijhp.exe

Filesize
77KB

MD5
7420684d9fda2b8d4f67c228a80e874e

SHA1
b4d3070e6b926e2f81e9d4524f689a33112dc834

SHA256
2f4c6ae59416470dd3e3370df29be2444d8fac376091688b33d67ffa6512a32c

SHA512
1869813287e808cba96b44fd37708b91c3a3e781ff4490a234bfb3ff1b1fb4d08544d78f74e9e696b45475ed1d0ae3d577a0e5aedad4fdeaf6f5c20d620b4a6b

Download Submit
C:\Windows\SysWOW64\Ibdplaho.exe

Filesize
77KB

MD5
73edd85e2b1b311778e0b78b4f1164c2

SHA1
80baa1be197d3dc943dd6044fd96a0164cb90f2d

SHA256
7a2ccc86fc522463625e245702bced6229188800cba9878a53e6594d55b40b96

SHA512
f26b6980d4dc0820ce2abc0cc68a3a56e92d24bd21bba44e418248755da7afeb7b6a1844fdfbb32cc23f50ffa3626f50802d2916574f8a922a8fa42a235b6495

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
77KB

MD5
f85deae436c1c5f977e8019d94e1af23

SHA1
bed0094e42e420a6b45c5c9f8c1329eba29b4178

SHA256
287e4e559ec26ce011b6a9ba6544804f107e6af4649c2654912ccc39555f70f1

SHA512
1ab22b315f59ce8449bfa2d87c800cb2e5c5bb58c5a8d6c3673abe5687c78a807a51ae176cfeb7f3b99651285986ae568296d81cc4715409f51aa34c8b9c623b

Download Submit
C:\Windows\SysWOW64\Icfmci32.exe

Filesize
77KB

MD5
199c6fdf3d15d445b5262bf157f1d7a6

SHA1
94dc27a3438f5f01af44359dedd753483dbe4cef

SHA256
b3828522d21c8ed89b3de97a976528536a5ee6de4e9925ecb5f11ea335551abc

SHA512
dd1b413999684f2fa3bc84b25f1a643c4779a6f04c17431a80251360b0cde777ea051188ebe2a87a89dd5a175bd5eb548341105b367916e70d07f03cac93421c

Download Submit
C:\Windows\SysWOW64\Ieeimlep.exe

Filesize
77KB

MD5
f0d079267dcbeb1f68537e7c975fe0ce

SHA1
14a040db056cfaeab58bd14cfb8eb28c1ef062f7

SHA256
b9d5b078ec93cacd16b779a1c719e91c855ad90e50b9515fba8a86a82d987292

SHA512
02b67fc0b85e6b47902f156940a3c33caaf065f9f4c2024373962d27470d93fe5d6c039e099afbda51868b83bcba13dc3f01f8469c6bd99e283d788742457f3b

Download Submit
C:\Windows\SysWOW64\Ijmhkchl.exe

Filesize
77KB

MD5
fb54ced36723704cc7b273b6daa5a6b4

SHA1
013c1d2566a96abe556e3f5f72bde14e79538480

SHA256
aaeddc01071d06e69085e5a75b61624d0172ed8f9026a679b91aa896ccaa0f89

SHA512
90da8829fc033add5c799c26f689f2b6f1b65b6d1beca9bea0303def89db76bce3d9d25319ba3bad7ee63b1aa93d231b129200a3ddaac1e3051f3cae9fbcd4ab

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
77KB

MD5
056eec5ba3841e51f8efd4b9302f40ef

SHA1
69ed6a788f3a04a9cc50e774346c4f9d9b3e105c

SHA256
3ba11c433ba530fd5e7042c3b400c08c24ff32509401699469e542af9751f5d1

SHA512
654b841c411e4bf70c1d5e7bd14833f148cf49b350f0df526ea04041d40f34e38df209cec73ac9c61695b79f6a56f13affd9bc00f29c25acd7ae3d26f8515e5d

Download Submit
C:\Windows\SysWOW64\Iloajfml.exe

Filesize
77KB

MD5
eaee191f8821203a6300510131ccb422

SHA1
78ea1ac911981b2500a2a6054a91cf98801803e9

SHA256
3e2a8f6d83cfbc9da4c4ca71c4601057866af2e528710c0e25d7507587b51de6

SHA512
966d08ac653d262cc706ed28550b50ec5e55ecad434c4ddfe788f5eee5a610fdc55041499ceda0790525ecdd68ec5662853bf53200e5189be2d058452f0c1aa7

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
77KB

MD5
2dbdd2e553597705500fdd5fd89de16e

SHA1
ccf1e6478140168e7d86886e3b4bdfb6e3e7ab17

SHA256
edab4076e446ed1708396e0be0e6d5a6a329952c84fce17798a6ece41169159f

SHA512
07334e8d64a543914fa80afa166702c8b71fb38258be1dfa2befa74a5664c81c59d2f03789797792a42d5aea57b40f625eb3155940726868630526d4c146cd11

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
77KB

MD5
162eab797d577bcdd26881c7db40ab55

SHA1
2ddbbed8d53becc3145fdf3b9936cab44ee07b4a

SHA256
ff5408bd6332ca375fb64cc7f065675260d0d69684e698023a4a72bff7f93f78

SHA512
8192615f5747073496044d42a8f9095ec083761b884a728b08a964e7bfcc78d036ae8c35384198559d0e53033a26882485751d474ecfd40add5a17f2b6499bc4

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
77KB

MD5
7621cdc0523a8cecd9abacbf741f13af

SHA1
0d8af98fc7be92aa0a06aa77e82135d76f9018fb

SHA256
70511ce0c57f75cdd7da48fff5b7c42a50c4ffa4f7cda63443d47bcf0902cc1c

SHA512
31b48504ebec00523205c0ad0fa4c8bd7b3a04150a56b3c9b764d485a41e20743d092f5afb9ef5b80262d7470da0a479d8630d23bffc452a2986a1a778b91fc4

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
77KB

MD5
e44216f1b0c2d8f4e6c0446c01b859c5

SHA1
cf34b9c296fea80048821db9efc2d8fd3bee77d5

SHA256
5606ac885b26a4fd16a5ead65aa4c7c2e483edcc6eab0963257bb2c15445fddc

SHA512
17248bd17bc42687ece6b13abc2daa3d9304372be4b202ce4236765bc325aa13c4799634307d6b5fb1f715cc28e8a96ddd1050f3f87142660abe3a4666f4901c

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
77KB

MD5
62b6689ee2c91429c7bfd76fe41ac6dc

SHA1
7a96a08a03bffbfccd815b4b2fb958ebc63fe0a1

SHA256
a23824d735bd407e6a6092394951c132a89fb0119a6f0c092fa9ad436e9f99e8

SHA512
806340df1bb59e3665a808dc5e03b07e29598a79e9cacc4714c0ac326b732320cf62a7c8feb5ec5b85c4a3f80b2dd29bc414efa21409e10c66670aca311b19f5

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
77KB

MD5
fbf53c9cfd1de432131e801878aec3ba

SHA1
88565d7c2b87bbd4b5bf386ba6d5bf4855611778

SHA256
a28d2dbf6e9674bc8f2d0b9cd8aa7fee4b83d0c850d9b6fc74f722d182657bb1

SHA512
18032655284d71a636fa2270c48a87a6df5a6508cf6902cd2945f4808287bdcbf22cd75b17f2605f064cb4dcf5eae66c3c634065bafe4905404bacf13ccde78b

Download Submit
C:\Windows\SysWOW64\Jhfbog32.exe

Filesize
77KB

MD5
9e3c2efc5b7b01cf33f1882ceb42875f

SHA1
e454869ce52d3b55ab6e50aae64c55642d109b22

SHA256
e7e3b1a0ad3d1aa2341269d920b443e89308d60032e05f3c6ea3c32e5d4c02ee

SHA512
412a3debe3c4e71184a38656d9c6a1138930ae834b0e32638a6bbb458037534fe82ae64a1c07d79b0cea1440bed1b0a06b6a9655e09cd07f03b3db51d4ff5db0

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
77KB

MD5
1eec2a9922f29fa80289ab2b8007dc9c

SHA1
9db5d26010e13fe4447981524bba175f2a83bef8

SHA256
16861a0ad66d6f4459f52d7c6d172a3ccc20b29fe12381ff2b6bc7001b695837

SHA512
48819c0b597e7d8734611fdad4bfed91bd1f69c2943ac0d40f9b20cdbcc7dc2421f386b180230f5eda080479c29296b18e287930a4f6987c44c70cab1c1c3330

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
77KB

MD5
10bd9ee22eb1f8a638626f716ac7358c

SHA1
359e5ae919adf2e33195458845bd27c0d705549c

SHA256
aec66ad327ede54e93690c2570bcefa6f9421e833bab37da88330d9a89b4fd91

SHA512
8520013ec7aea8eb10ab66fda77a53ba8f915bc2b0c6a3629bc07f142f39c8eaae5f4ea04a964cf7c983b643b06837e2f17588072f4ad9132e1db364b10da856

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
77KB

MD5
f465de3bb2242bed114b1091c0f72dd1

SHA1
f408dbf56b036fa86c57aec471ec4c9fea1a85e1

SHA256
7fef7d736b49b35c2a1ee66f49f102b2eb6f55909f8efeb68f86e4e4b4e9e66b

SHA512
a3f211d8f4c2dc95cbbd572c7b9dac4e8c5ace082b159f71f922440894f676613c1ff4054b383f945c04b8c89f182d9229a2357bc5919a8da084aaea8f14c9ff

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
77KB

MD5
4b24585a4b298c64f67b383e7c074501

SHA1
7a4478b894f592675b7ebfa8f480a2ff4ad8517d

SHA256
05350bb3f692eea7cdb5814e170b144fb5dd361d2189d664328a4be2cacb1fb6

SHA512
10b1cc24c1614d40b05264db9e3cf7e218e93086e8223c50e7abedc230f133d0aa35e571cd7d5b196f8206abf440adff001e5ddd89b263e380d69cacd75c7ff2

Download Submit
C:\Windows\SysWOW64\Jnbgaa32.exe

Filesize
77KB

MD5
3b4db28611c91d34c5291198f4a7de0b

SHA1
d6d43a36960e4a3f375f364f872c7e18dad22fbb

SHA256
ae8c6c888adacb384e63f26b6887b26ad75b5a57e5e1a2d0fb0153482cec8b1a

SHA512
56326cd55a3afdea43cf544ce39dedef29e18d65b31dec8d2af8458f0adc1bbe520bbbc84c47e865990198f6e5934d1dfb78b0c522edeaf126be4614b9b217f5

Download Submit
C:\Windows\SysWOW64\Jnpjlajn.exe

Filesize
77KB

MD5
e35513a77366170242455be55dfa9cf1

SHA1
e6b121eb4627079ed2b326ac0f6ee3c7e1347055

SHA256
f71c5a6d2020b8334d9042531e145fbd80273331dd2706d03a4a2390f85ba85e

SHA512
61b1dc7f441c7ece44139838dd912a91cc61ed0f2e8499af2d045e0891730cc7dd7a314ab2729d3a9e2d9132fb7ad1e784b3af0af71a3c50129c88e94e8c280f

Download Submit
C:\Windows\SysWOW64\Jogqlpde.exe

Filesize
77KB

MD5
d3c76af6aed322592e7b3cbacdd64eb4

SHA1
3e6b7aaf218a4c2027d746e9df86c2640b4c0751

SHA256
dfa5fa06c7f24c4bcd84b47aed5ebe623fc3cc7485a8d8e48beb3dd3c6450e66

SHA512
3fa76b10b89f8cbafd4cc0a88e79267a08997e60ff2a1fb56e4899967e8fab7c34cc627cc750cd0c5ab964de45eb8f4e9d48ed714991d05f1379aa1d936b9290

Download Submit
C:\Windows\SysWOW64\Kahinkaf.exe

Filesize
77KB

MD5
507c4c9631e72c054a8417cd0ee8edd0

SHA1
bb31801eeb59c7ff83617dfdea4a58fba2f9546f

SHA256
854d89a81c53887a87d677ae9fc2fc737a0cdbce00167b36dd92f8e3ae29a9dd

SHA512
324dff5d710330da6294d34e7c4f82bef1f608298c92e9a8ed3c2e031ee7bbff5f1de9e88afc84b56af61d76b994d6b77537d73d3e4592dce6f27ab02c0ce8e7

Download Submit
C:\Windows\SysWOW64\Kajfdk32.exe

Filesize
77KB

MD5
4a92560439cce649667c4152c5ee43eb

SHA1
2fa24cd62a9fc6da5931b643e07609e6806b5536

SHA256
d24b74a798d02781a0df220c81fca01dad8f2bde65413bcd7f086d95b999923b

SHA512
dc3776b403e9e3435f8d2028fb9519ed305058a73d2968e2ad5a357654fe0b33a8c4a77aba5777f01bfeb5af1840f422415d1b6a12a687623045d5a8a9ccf96e

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
77KB

MD5
35a63029fa30b89b5dd979c0a43decee

SHA1
dd306a423b5e58f14bd6f82db22ab7d759e7b990

SHA256
f80875dc536db99ffea3fff03fefcbb26afe2b08080ce780f575e33b1488c125

SHA512
46f01d316053beefb4f9b927b5a55161491acf045fb6535d568bc3e4c2bac94e888213e8c386e291e3fbd81f8b0fda7cb54b95229e2774cf34c8664174dc3000

Download Submit
C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
77KB

MD5
0ced9cf8d71f4d6bd18829bd642f6e9e

SHA1
4065c741105b0d63b34acdfda5bc4ccfe8bfc5ac

SHA256
9a57f5ef0f90a81ea5320095972723668612ab303447de8f19085f68cc674962

SHA512
b106b009a1150b17936d73eb9212a7644e85a100af1c1bd2ae18aef08715b96d6d649750bd430dc606b54d4f90315091248050586a1496ed4908f32ce675006d

Download Submit
C:\Windows\SysWOW64\Khabke32.exe

Filesize
77KB

MD5
c94b4e66b1b682fa7d9477546e5bf909

SHA1
e8ce43c3f57cdb80c90b304bbaa65660288bde7c

SHA256
2315ffec61025197d2c298836d7ced9844c5a870e0bfdaf41092ae73b3e73cee

SHA512
f4ce90e60762a6ec82924826ccef12743cedea21ad293ef9e7792fdf8f39873418ea2c1747049e8830abbe95fb84cb179def72e382e6e759df1bf1fe5922cf5c

Download Submit
C:\Windows\SysWOW64\Khfkfedn.exe

Filesize
77KB

MD5
c2ff1603953b6cc851e5a7e9e94ed09f

SHA1
f84864018db7c7526437b09e91c974ec37f09607

SHA256
c2bc2bf012d47f20a68ea5a1a14243bd48ce6a4df770809f1859f26d49c3bc22

SHA512
794959ce59c0efd7fb00192a3b4348741f79b90a1175e0a74aa5e0188ac9312e3cedd144d739f210c03320c820804d25d5112ecdf1d36a747977e9fd2344c973

Download Submit
C:\Windows\SysWOW64\Kkbkmqed.exe

Filesize
77KB

MD5
aac9641bd3473bba23d52aed2320c152

SHA1
4286150802982892286eb4fd58f134ce548731a1

SHA256
8be0ad9a969df8a2d33958f9c2b62ec3953263f73c445635f20a9ae5e336bab0

SHA512
e2a7b3a4de40693526cd1819413bed133b213cc085a2d8438c7b26ca602f0cd822fe049d34aca6a599c37d0757a990baa932251623986682477deccc3ec9a46b

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
77KB

MD5
a13a0af2474ee95cd7fbad5fc88e3e89

SHA1
512ebbfd599a4e02fed13b77a7cfafc0f4739344

SHA256
21879a321dc82e1d2da84155ad195634844b99ad1a7d34b28484fa81555ec4dd

SHA512
d57d5dc0f1cd9b11ce6e96cc27aa3bacdda2ea26d88bd2336428e6dd59e2bb4ca6633419c4122a452f76d0e74b8464d7456b684d60e926984685f916816cda73

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
77KB

MD5
a22d5af9fccf2e577438afd489be46b3

SHA1
0c7555068a8fe94308e79372f8804e0c7bf522f4

SHA256
750c9f41ccbf00b020ea577c855a64e39b1b33fde76dca41c09e3e096a0cd789

SHA512
e5c2160faea9f95344c473c1bed78ae74ef9c13d28cf5afdfab790198ec9537aeb0e96d872e17fddc02c79f74e505ce42a9069e76e437f6b9307ebe9e4be648c

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
77KB

MD5
30b64045d503ecfde3dcaf89d021791f

SHA1
3c21616b72ce77d5d4421f1a1f3e5cc8df618f30

SHA256
c6220994935cc7974cef136ba40d09230d9376f8e7c6f9a70dfebec598e7b806

SHA512
e2ed93db8ef2724a32eb9a6f01d02a0ac871a741929dffdc1280ffee71b5ea2b97208ca452c88fa50e7ebaaaf241e2fe94ed1e3079603b67e56706c11c48a512

Download Submit
C:\Windows\SysWOW64\Lkiamp32.exe

Filesize
77KB

MD5
65c779a659cbf6c9dcad19f3d3e642f4

SHA1
da53e84172c4157344ee74328ae59948c8661d49

SHA256
9a1c49f168012c0ff17b7066032fb4bb82250df0714d0ea23c239cc8d1921492

SHA512
5f52e223985ce081151e18ea7e847f51b78695f9f5d8be4f3d1fac9d6d8391d6dcc3fcdb20d62b4e7799f61262df4894aaee561d7ee7bac9d40856371aedfc46

Download Submit
C:\Windows\SysWOW64\Mepnaf32.exe

Filesize
77KB

MD5
1275912e2affb3a62a5c0b73c9353464

SHA1
d8b85ca1c94afa744a56d1600ae8350ec0c2c841

SHA256
eed941d1ad86170b59983339eef82d2ddb23bddcf43ed85b4361f823bcc14267

SHA512
65a67fe2964b0872d90239db3c6b7bf74c3b78df9bb484be5c98c684b19ef364f180c8691343dc8faa81705c375b287937ef8df5492623af7d789f788d42cb3e

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
77KB

MD5
1709d619a641d3853b1637c9411f095e

SHA1
0ae1d71444059d7ee0875d81a991b8c8d7ce9d74

SHA256
1ca5f98d10dec44eee663b3c247efeeafc340226d1ad617969e0225b137b1e39

SHA512
150fd00cca69417fae3c34d31fa3ae582ad2cb22d24a86fa87fddd9a28c44a9ecd232261a7eda5d0770a6f8e0c591fe268a7b6d1162c8a25bce3b4c6221429b4

Download Submit
C:\Windows\SysWOW64\Moalil32.exe

Filesize
77KB

MD5
08176a81db67df076a7e824568472ec3

SHA1
e9f5c19572af90f756c9228f286ed388794dc703

SHA256
95ffaa588d4aa69d47da1a1b4e85e6f26897c5a617039967169b40c97683a218

SHA512
36fa9d77aa8dff23aab58ea7d064c2e97a982d981640a0e561e67b391cfd6e98982d84928e252bd7df5c0a8e867f061cb301d5acca27b1e212bad28f64220248

Download Submit
C:\Windows\SysWOW64\Nbdkhe32.exe

Filesize
77KB

MD5
d82bf55c0c7a88071dcfd177b1e6b6b5

SHA1
43daa792e20847daee71c973d432b627231b09ce

SHA256
1abf8e8e6c34a6123b50262e44c1558a6c4e3dd56070f6672d0db8cd35a0ef03

SHA512
78e046eae292faf5635cf9668b5d58e412446b64eddd6ca92cca47eab95d670c9d373328fe9492055471203392fbd62a7196bece12801d140b2ece370361603c

Download Submit
C:\Windows\SysWOW64\Nhjjip32.exe

Filesize
77KB

MD5
c24f055007d9c3ead977dd85a7e37684

SHA1
81440108da33735eae2d6f38b6f0eafe42dbfb22

SHA256
735759bae5435bc9566118a1044e820138dc06379b3a02e6645ae61ee6cd32cd

SHA512
5bd30d5a31a0a6c4c719505578e802dc7201e0dde8c3dcca92734f6e985c3e5365e464dee7b85083219ba20ed4eafcafdd3152841e356b53889c4f665e345904

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
77KB

MD5
b5ca22dfad68b7f8ce7529871196134a

SHA1
02c44fce00f96a0ceb964a3f8532baf27e1b9441

SHA256
dd26449daa88b0770dbf52d9923ea9a63ef07cf06f80e13aa5c05edf5536b04f

SHA512
0759c8297f1d2d37c74969bd7c11319ef4aff846dcc3f6a2522abe050a8b5f1529d8935dc4515d07f2347aba71e2fde08774ec5b11228e2cc31666fb7ed5ab62

Download Submit
C:\Windows\SysWOW64\Ollljmhg.exe

Filesize
77KB

MD5
cb4ea1cbb60aae6ae5fefa878970f4d1

SHA1
72db060276f048d0f868d900e1dd841b6c9347bc

SHA256
5b626b2326476c1aad66abce60be133bf1fff72c72ed8b17d1580e4619117489

SHA512
971dab833a04f5406baa31486613fbf0dd6c56e10aeb6acdeb7799c169d9cb07550ebe62da04ec0dc97d8782f0537c309a7fff13324880516ba0f2ba369be8b7

Download Submit
C:\Windows\SysWOW64\Pbimjb32.exe

Filesize
77KB

MD5
61b92f45ea08d57fd645d230bfa78ec1

SHA1
ee8667951ff8046e27e67d1b5af23739680862e5

SHA256
67ba3cec0ec60a18a0af5924a59a1b89be0183cd6e88eeb8ed9921c4c7d1835f

SHA512
1398c40d0f16ac1c55a6c74a7d25bc92b1ceef9e696d9ae212574e86c3d78873f3b6287760ed4301012a65e15629a940839df706d8c198a93f1f1abf89492f3b

Download Submit
C:\Windows\SysWOW64\Pkmhgh32.exe

Filesize
77KB

MD5
3387b764c72f6928d9a14db92d1dcf63

SHA1
4fb609bb9b0d750b82e758697b5596ca0d19bdd0

SHA256
1074704053d44d0bb505dcd0dadccc1a3407bd200283ec8f78766bb95cf1d145

SHA512
2dbeee17b4f468901a84eb843c002e76290ba5403a6e9ce7c0b19ac615c2eeb4e9afbb0fe0d887309f94e6e4b3a354be52a7c700303779cb4f2228718722c04f

Download Submit
memory/316-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/412-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/428-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/512-519-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/644-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/736-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1164-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1248-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1704-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1896-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2400-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2616-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-535-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3376-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3772-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4088-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4144-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4148-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4256-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-548-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5172-555-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5224-562-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5268-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5308-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5352-582-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5396-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads