berbew | 5a14ece22b513726f39c8e5ee24fda53fbc4643f4bc531cecaebc2d451a6ee7f

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a14ece22b513726f39c8e5ee24fda53fbc4643f4bc531cecaebc2d451a6ee7fN.exe
Size

67KB
MD5

cf0872f57eb015a2379ed2476a02b6d0
SHA1

9cb10ceb9c247aadde689c19548fe4be81f034a8
SHA256

5a14ece22b513726f39c8e5ee24fda53fbc4643f4bc531cecaebc2d451a6ee7f
SHA512

c8cb0a9f864d8f02245d6c724894fa56e507bc7208868d9c46dfbb7ec21a74434483a74fe71c769bef9b869d54ec273a7aedfc5f5272a3a467a1839872b7b576
SSDEEP

1536:9KyxM6JBGvTy99aefoKLGUrsJifTduD4oTxw:9hMgceAKKUrsJibdMTxw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1164	Kpgfooop.exe
2308	Kedoge32.exe
2192	Kipkhdeq.exe
2540	Kdeoemeg.exe
2224	Kfckahdj.exe
2580	Kibgmdcn.exe
2828	Klqcioba.exe
1020	Lbjlfi32.exe
1924	Leihbeib.exe
1420	Llcpoo32.exe
2352	Ldjhpl32.exe
3308	Lfhdlh32.exe
2868	Lmbmibhb.exe
5012	Lpqiemge.exe
376	Lenamdem.exe
3868	Lmdina32.exe
1936	Lpcfkm32.exe
3208	Lgmngglp.exe
3212	Likjcbkc.exe
1016	Lpebpm32.exe
4928	Lebkhc32.exe
4532	Lphoelqn.exe
3476	Mbfkbhpa.exe
3472	Mipcob32.exe
1176	Mpjlklok.exe
5028	Mchhggno.exe
1660	Mibpda32.exe
2584	Mlampmdo.exe
4520	Mdhdajea.exe
3596	Meiaib32.exe
512	Mmpijp32.exe
1520	Mpoefk32.exe
1204	Mcmabg32.exe
3384	Melnob32.exe
4416	Mlefklpj.exe
1476	Mdmnlj32.exe
1976	Mgkjhe32.exe
2984	Mnebeogl.exe
3456	Ncbknfed.exe
1128	Ngmgne32.exe
1248	Nilcjp32.exe
4764	Nljofl32.exe
3828	Ncdgcf32.exe
1544	Ngpccdlj.exe
2200	Nnjlpo32.exe
4472	Nphhmj32.exe
4400	Ncfdie32.exe
1908	Njqmepik.exe
3680	Nloiakho.exe
4300	Ncianepl.exe
2304	Nfgmjqop.exe
4428	Nlaegk32.exe
4136	Ndhmhh32.exe
968	Nggjdc32.exe
1644	Njefqo32.exe
1532	Olcbmj32.exe
1632	Oponmilc.exe
1088	Ogifjcdp.exe
4848	Ojgbfocc.exe
2636	Oncofm32.exe
4176	Opakbi32.exe
4500	Ocpgod32.exe
880	Olhlhjpd.exe
5072	Opdghh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Kfckahdj.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lenamdem.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ojhnmh32.dll	5a14ece22b513726f39c8e5ee24fda53fbc4643f4bc531cecaebc2d451a6ee7fN.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kedoge32.exe	Kpgfooop.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5944	5676	WerFault.exe	220

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5a14ece22b513726f39c8e5ee24fda53fbc4643f4bc531cecaebc2d451a6ee7fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll"	Kfckahdj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1164	3612	5a14ece22b513726f39c8e5ee24fda53fbc4643f4bc531cecaebc2d451a6ee7fN.exe	83
PID 3612 wrote to memory of 1164	3612	5a14ece22b513726f39c8e5ee24fda53fbc4643f4bc531cecaebc2d451a6ee7fN.exe	83
PID 3612 wrote to memory of 1164	3612	5a14ece22b513726f39c8e5ee24fda53fbc4643f4bc531cecaebc2d451a6ee7fN.exe	83
PID 1164 wrote to memory of 2308	1164	Kpgfooop.exe	84
PID 1164 wrote to memory of 2308	1164	Kpgfooop.exe	84
PID 1164 wrote to memory of 2308	1164	Kpgfooop.exe	84
PID 2308 wrote to memory of 2192	2308	Kedoge32.exe	85
PID 2308 wrote to memory of 2192	2308	Kedoge32.exe	85
PID 2308 wrote to memory of 2192	2308	Kedoge32.exe	85
PID 2192 wrote to memory of 2540	2192	Kipkhdeq.exe	86
PID 2192 wrote to memory of 2540	2192	Kipkhdeq.exe	86
PID 2192 wrote to memory of 2540	2192	Kipkhdeq.exe	86
PID 2540 wrote to memory of 2224	2540	Kdeoemeg.exe	87
PID 2540 wrote to memory of 2224	2540	Kdeoemeg.exe	87
PID 2540 wrote to memory of 2224	2540	Kdeoemeg.exe	87
PID 2224 wrote to memory of 2580	2224	Kfckahdj.exe	88
PID 2224 wrote to memory of 2580	2224	Kfckahdj.exe	88
PID 2224 wrote to memory of 2580	2224	Kfckahdj.exe	88
PID 2580 wrote to memory of 2828	2580	Kibgmdcn.exe	90
PID 2580 wrote to memory of 2828	2580	Kibgmdcn.exe	90
PID 2580 wrote to memory of 2828	2580	Kibgmdcn.exe	90
PID 2828 wrote to memory of 1020	2828	Klqcioba.exe	91
PID 2828 wrote to memory of 1020	2828	Klqcioba.exe	91
PID 2828 wrote to memory of 1020	2828	Klqcioba.exe	91
PID 1020 wrote to memory of 1924	1020	Lbjlfi32.exe	92
PID 1020 wrote to memory of 1924	1020	Lbjlfi32.exe	92
PID 1020 wrote to memory of 1924	1020	Lbjlfi32.exe	92
PID 1924 wrote to memory of 1420	1924	Leihbeib.exe	93
PID 1924 wrote to memory of 1420	1924	Leihbeib.exe	93
PID 1924 wrote to memory of 1420	1924	Leihbeib.exe	93
PID 1420 wrote to memory of 2352	1420	Llcpoo32.exe	95
PID 1420 wrote to memory of 2352	1420	Llcpoo32.exe	95
PID 1420 wrote to memory of 2352	1420	Llcpoo32.exe	95
PID 2352 wrote to memory of 3308	2352	Ldjhpl32.exe	96
PID 2352 wrote to memory of 3308	2352	Ldjhpl32.exe	96
PID 2352 wrote to memory of 3308	2352	Ldjhpl32.exe	96
PID 3308 wrote to memory of 2868	3308	Lfhdlh32.exe	97
PID 3308 wrote to memory of 2868	3308	Lfhdlh32.exe	97
PID 3308 wrote to memory of 2868	3308	Lfhdlh32.exe	97
PID 2868 wrote to memory of 5012	2868	Lmbmibhb.exe	98
PID 2868 wrote to memory of 5012	2868	Lmbmibhb.exe	98
PID 2868 wrote to memory of 5012	2868	Lmbmibhb.exe	98
PID 5012 wrote to memory of 376	5012	Lpqiemge.exe	99
PID 5012 wrote to memory of 376	5012	Lpqiemge.exe	99
PID 5012 wrote to memory of 376	5012	Lpqiemge.exe	99
PID 376 wrote to memory of 3868	376	Lenamdem.exe	100
PID 376 wrote to memory of 3868	376	Lenamdem.exe	100
PID 376 wrote to memory of 3868	376	Lenamdem.exe	100
PID 3868 wrote to memory of 1936	3868	Lmdina32.exe	102
PID 3868 wrote to memory of 1936	3868	Lmdina32.exe	102
PID 3868 wrote to memory of 1936	3868	Lmdina32.exe	102
PID 1936 wrote to memory of 3208	1936	Lpcfkm32.exe	103
PID 1936 wrote to memory of 3208	1936	Lpcfkm32.exe	103
PID 1936 wrote to memory of 3208	1936	Lpcfkm32.exe	103
PID 3208 wrote to memory of 3212	3208	Lgmngglp.exe	104
PID 3208 wrote to memory of 3212	3208	Lgmngglp.exe	104
PID 3208 wrote to memory of 3212	3208	Lgmngglp.exe	104
PID 3212 wrote to memory of 1016	3212	Likjcbkc.exe	105
PID 3212 wrote to memory of 1016	3212	Likjcbkc.exe	105
PID 3212 wrote to memory of 1016	3212	Likjcbkc.exe	105
PID 1016 wrote to memory of 4928	1016	Lpebpm32.exe	106
PID 1016 wrote to memory of 4928	1016	Lpebpm32.exe	106
PID 1016 wrote to memory of 4928	1016	Lpebpm32.exe	106
PID 4928 wrote to memory of 4532	4928	Lebkhc32.exe	107

C:\Users\Admin\AppData\Local\Temp\5a14ece22b513726f39c8e5ee24fda53fbc4643f4bc531cecaebc2d451a6ee7fN.exe
"C:\Users\Admin\AppData\Local\Temp\5a14ece22b513726f39c8e5ee24fda53fbc4643f4bc531cecaebc2d451a6ee7fN.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\SysWOW64\Kpgfooop.exe
  C:\Windows\system32\Kpgfooop.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\Kedoge32.exe
    C:\Windows\system32\Kedoge32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\Kipkhdeq.exe
      C:\Windows\system32\Kipkhdeq.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        29⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        46⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        52⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        67⤵
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        70⤵
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        73⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        75⤵
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4344
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        82⤵
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        83⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3156
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        95⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        96⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        99⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        106⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        109⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        115⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        118⤵
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        119⤵
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        127⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        130⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        132⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        135⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 212
        137⤵
        Program crash
        
        PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5676 -ip 5676
1⤵
PID:5800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
67KB

MD5
e10d96d167ba9c1fe7f207aefcee8278

SHA1
4dc05d3fd6d6c8a828c24dd6fac4a6e12cdf90a7

SHA256
185d44a9e40f235f08a89da5cb335c2bb8f03392f9d8be5750ac14ced1febbff

SHA512
c40e2eec3138c96cd0e23aa61249430bfb379f5f9808f67f98c68a9fe9e9242a913d14834df901266203cfd9b8ff0659c6ae5c750d9ad02f59dabfaad1f5196d

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
67KB

MD5
3fefc753c2e1e587895a02b72821758a

SHA1
28f6f353aa2b7836232dbad4f679f1fca7d0f95e

SHA256
0e3c4baf579556b391124d06ea6d6b72731e20ce5a0d6ce8b7765814e8da0577

SHA512
76b499ab29b34bf968149342168e69e1f429edc9a02f910e42672207c6a8dc448b9fdd395bf6c3999b849ca25acd4093e842b320d06671844321b38f47ea6b51

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
67KB

MD5
7ad21634d2ab67eebdff6f1020768c71

SHA1
021db8b5906856ee278dbd6476cf15549cfd9602

SHA256
38cc95693aaebce29944f4bf9602bc8f89adbf3f7a5ac635efe12bf47f3bd2b6

SHA512
7efda536a34041f350ea99057c805709e0838a2c298d053c290b3c21411c0615747cb82dc2cbcd31cb25bfd4c97ba68baab68037b1158ad1582ce9562885eaa0

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
67KB

MD5
ac68f924b2bcd98bb79a6eb0037ae5c6

SHA1
308c60569d9dbd8a8df650eb3a3520a17294db9a

SHA256
526681daaa0a3159e4499e8932165578bf2384315fc86c636da3cbea50c2ce71

SHA512
5f15f79b48588d39e747a92e36b440f6c3233b3e943bdc894ae8f8827fa4f1dbbda3ff85230614c1688c4f0e4dd20d63d956127968277299d6a0228d29e5ea6a

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
67KB

MD5
c66b25bd722156c1ecaedaec0ef903c3

SHA1
fb7ba4037fd424da7cdbb045a9f8427b5240f268

SHA256
07816bfa9ccc47bef67021a8a40e3dfa76ee7476db28cb65fa29a7259b069abb

SHA512
f612a5a74fa40700a3c11f7506fd999d81e4873ce196755d32d68468f4e70460933e186e21479f7f9362171592a333ed3709a22d56e6ac9f81759977487197fe

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
67KB

MD5
e7d77efd4307a1285eb0dea2891d04f1

SHA1
9900a72f74ec1232cf94733abef75b2e0af4616f

SHA256
f96a5ba82878293ca03c2467045aba8da6a2010e76a8a9858ddb1495dd7b7fa2

SHA512
e31103fbc8c9ebedaf62169abece4e12ceb1c2438ed6197669e508fd7253942a163090261ab7a4cef8d0370a37d4ec53af211f8652e9a463912650d53f6ada58

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
67KB

MD5
083e25734d0f20eeb1a2d6609b9caf81

SHA1
7901ce77d2332e09578c90e4a9c471a1906d4596

SHA256
2d1f249517de6085eefa645b57def44d10b5fa137638a47ac2915b153b944286

SHA512
6638b57f43c6e5c2b93744c40e45d144b36cadc4796d2abe93ea2c1241b0f51c7d1571510bdca20e37fc11e6c4a43cec05de96bab40e3ba76e5553c8ea6f7cff

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
67KB

MD5
fdef1d90ffe8382a42caf5c63ef4f3b3

SHA1
7c8330d2a41338bd352b8d609a4a7ca585595173

SHA256
23d6face18b17d1f6ad7da1ac329d21592dc7745f24055587f1d34dfcb4e1f5b

SHA512
acd9558c70da9d2163aaa25e3a8990bad9ab28f38fdc05bacb088d59565bb4889d69a22d74903874c10a546648e9b67af95e064a0d09d104b4ef752e083f18f5

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
67KB

MD5
5926a633dec81656bc56e5d6d9d440d0

SHA1
e2980ab26d176665948daadf4ef59338e9872865

SHA256
50f1024ee14209388e74809489fd0f4aef5ee8604ad0c9c594a37c168ac3b8c5

SHA512
0066464d1291397c1f8d6816549b683f57ebd07f5b5d32012d570cf54a8308f253257e103a488071cafa1429999b50a32e074df80c9f61d36e6e910809da90c8

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
67KB

MD5
b9954e6acb5473447a7fb9c97ff4bbcb

SHA1
d56e94ca5b718414b9c6e48407a834f1979da34f

SHA256
353f2ca873d60aa1e6a73360eee62a0a1c721dbcc5a936667f3ded5237d6c8c8

SHA512
11d07eb257a3bc869b68dc68c4c451242bfda864ad110ef8997ede7f4dd04d185dc2a75ec70462c15237af555705475806955ce64903ea6b732de141196731ea

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
67KB

MD5
aa2cbece4639a3879107e6738aa1a957

SHA1
917a2258a305b57570acda4c8ea57bd87b3a3ee9

SHA256
6bf4cef2efc3b213dbccc52fc4a7c5bc622990bc0233a98cfede411bac304616

SHA512
dfe805e56b81615e3b46205687fe916f00ba1533efc911846b1d0897ea9ad75c97e8456f3806806c1a755d99feeb67cbc6f1cf379e1ed566a781d2cec37ed7a7

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
67KB

MD5
fa8724ca0e51cde92bf090933ce12d34

SHA1
1c256ac5b0dbafba740762b281fb54664943a3cc

SHA256
c96061aa2411503803318f146fdeb0f86120115475a4d45b701b254d31cdbfb4

SHA512
8c355449ebc660afa7c091dd8652da7bb0f49268ade1b327032a1214b8af6b06e0f92073ea0f5d6337cbcdc30b83e293e16db7ac17e680e6a2444da97f327281

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
67KB

MD5
732d0fdb015cf34361ebe216766fbead

SHA1
e08bd511fbebfd12aa292891930cea299fa9daea

SHA256
4078a3a5ec9d9c6baa1bf037393cb4e9630ddfe31e72874ebf8b9dccfee5e426

SHA512
ac919f559cd7c70dc8bbaf915714a00d9aaf42c094a95f939834ac805127ff8588c519d23018a8a1771f3e911e304f0a5ee75b5559756441cc6f9a9e82796e06

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
67KB

MD5
d73c802374c451786cd914f7c3e34623

SHA1
7d784d38ebb660b21deceb7b16b43c4a616d64c0

SHA256
60ba382ef1f23c3e744abd8070e9c01405365a45d6689e8ec5e190f8af06ccc4

SHA512
649d243ee95998a0b154d961c0b4bebf59bd77ca8b47ee930357d2882896e8b2de2b8686c20bd3f5b06ea6d7a9059d08c4600d4d76222a2582dd77b6313031af

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
67KB

MD5
1a1ab24e777d470955647d735d293511

SHA1
34d1dad6e4dddcca17197eb96e44ead35b1120c8

SHA256
83a3cac4a7a3522a5c8f2b922d15cc9227efb601e7f0808271ab69344215deca

SHA512
86fde9d7b071bffc9fddbc7f7e43f7456f57754ac5b1fda608d6054f05bde108e91e83c6bd62b20beea91e4450f1bb7daed25725f762fd06d4a77236dd103247

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
67KB

MD5
db9ad9abf25033af6fced5e06e7232b0

SHA1
478d0b444bf51fd79dc00c1de1721db62e8768c6

SHA256
e395971948f00099378f08732276030bb36a71ead044b2ea77eb44994a3608ff

SHA512
9b4d51d06f97743d2f7b8ca4a3de2f147fabbe67d1825e9f25c68483ccfd8babe65a1509d725a9e005c66638b4e2966ec98984d41d01a0c524b927feba07cd8f

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
67KB

MD5
73257882846a4338ab8abb41d2a4d94c

SHA1
2e7efff07058331a5c94d869063e047b61c87182

SHA256
ae2452ecfd3c989f6c30de9f196ada546de5b8b6dd75bbe3813c58ebd6741b1d

SHA512
cbe693123f5ca82b0b0120dc680f18bf5b1cb1f1908d945dbb236d0384f4009b957a0575260080604e79ecd1d533628a2a74cf6c07a8c8125251392a6d257445

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
67KB

MD5
8f3c915cad40797ebfb94a39a5b4ca10

SHA1
d709e2e65189f142dd700b86e5b1e79fbe9e3cec

SHA256
49daae5ade929c8f67459a4fd2ccdea790ae3894164546a29538b251ec5c5a4e

SHA512
cbbacd336fe81977ffda566f20f471ed8e253da51d4e87d2ef201cf0e9bb83e35bc5554fed7d692784349752a67629202f1d4dacc8d88d5295fb7a70f622cfd3

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
67KB

MD5
8b6dba691b5ab0253e2ad5c61c888dff

SHA1
10a52fcd0f410739f87ae01efe0fd6294b6384d3

SHA256
86229e4b8dc050f7355f62570b3d32fc792d62b046d0db40b42f86d5fece3792

SHA512
49249f06e4b0c72a02936b83c9d562dc55f5b46b26226cccaddd4b348c7aec75988e012d1fff8e6be57b0ec1db1dc716d4dd14939b6628c7ca94f8b0573f4980

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
67KB

MD5
b493e0d030c4bba25425716f6dd81aa1

SHA1
abef157c021507f87510f85b806d68e8d60cee71

SHA256
916142484b7aaee3fd6fa3d97dbe37d5d9b8144e4cf67b63979ce57569b147a5

SHA512
02b8540030c79486ea45bc7361c52def30a38d5ad4c32de43cad9fc860e4a00aa048d78a96caa9157c4bc5bfd6d1244e962da015384053fb8050966287a21a15

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
67KB

MD5
70538d2d55588994de8ec271c82c7e97

SHA1
44ab64cf2cd05469cbfffb6d2f0fdd918b562be0

SHA256
5e130a4d19864823a06f88c3591994b14c1147a84969f47a4e6448b5b67ce4b0

SHA512
8b41fc56502672d787fad9a05a2fd26c0f5a9d518be6cdc095be68e3dd6c8b590f45dbba737b215e1e5e20755237056f599f2632db5c8ce2458d6a1017f7462b

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
67KB

MD5
ed48071150d649959457826430d9c202

SHA1
7181a843dfecfcbf0e3578f8cdfdd9589815ab62

SHA256
e283390c253fc42785fbe641e80e895c84de328852ecf3258cd12e580ebf13e6

SHA512
3a7790be623374e86930cdf172e178e307ec2d409dbbdf1419fd32ff29aa9403650ac5a18a1e4f9bd91dd69b15579a50ffb3179ad44510b6e3c7f51d972d48db

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
67KB

MD5
6fbf3bdb3ac552c05457570efbd3820a

SHA1
183a74d7fa866fd3680f328bc45cc2cadb615ec7

SHA256
da2665f7c2e9ceb4e12b32d5e31a52551997c57318e35497f529f13f098eb310

SHA512
845c10e32f518aedfbc63a6657e3807baaf5b89e387cc98d0c93ea3af6ddff11892d674bbba3957e498be4c0ccd329e76737c409bbb1ae542f69b3a5f26cb3d0

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
67KB

MD5
4c3c5b6e18c056b053d68bf555e03347

SHA1
289460d23d1d0820f691a2c114839c0042108d0b

SHA256
e41bc56f8c98ba26ed8fb2db990f9987d97626c8e74fae155bc612155608f990

SHA512
68c3ec0fe9c4ad4604a0b88a0f9d2c404609068301efaad1e579d93dffd2fade337e2edef5235ade1165d46436460262d339769b7562f09f765828d28a312d79

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
67KB

MD5
e4009d8c1adc7af415f5cf5cf54fe2e3

SHA1
c2d31e531d6cbd51b34ec4b5f97996d1f6dca455

SHA256
d8b2a07689f96266a38e8c62ab08db233394610436bf3dfecc3ca49a6066a9d7

SHA512
db1a0264d1be1710f9d0b59d2605f5819cd2d0c1730a9f4f053d7052c4a22f36c7965715fd52755348e64fd3fb027d941064f2a892114b971136bd7fcb039749

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
67KB

MD5
be00341269d58f56c75878e515644e8d

SHA1
99a94419e46da5d723c70392ac425d4188349ee6

SHA256
a5ace39f7877db05e00d437940aa79716b8b0be8842bdcf5b551dcd357c82a5e

SHA512
8f2deeaa474b6e7a315d09725096b054f2d1123704f61ac0f4062d1ede5c0a39e8e89312dc6bff7e36fa5d10a84c057c508b57c3b268f406d907d2be07c6fd42

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
67KB

MD5
b332ab07fc6459b40e331a144c21bcd4

SHA1
24969c9e1a076a5b1028e1d6fa9d0a76119798d7

SHA256
3480cae36dce831b71a5d9b4be277a83709f851df1c4394530e926e42712a1b7

SHA512
8474455d32087c6f5a020d4f8ead0f8a050abad98ac9a532a03beb31d57a3c59a426e8a8a03909908ab17e4c8f5d3e4348a2b5a882a4e70f84e1c3db754053bb

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
67KB

MD5
b239984f13fcd2a9b7957930f62e0f8e

SHA1
b21a23f4e1247cc77284d80c03f9774493cc0e0e

SHA256
552669332ac9404b1306aeb2cc919252c11e6ccaacedf850654b4b974f52c012

SHA512
4af4f3285b72a04059995b1139e41998217926b853f1adb22f7e417bf484a8662c8c775b9d1289b70b5e97f04e7fef906c47867464f6014d0911bf08e187b767

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
67KB

MD5
fbc259e7d5cbdfa6885b1e33678888b5

SHA1
0a06ea19ddb7b1ccc45803c1b1602bb718e1d095

SHA256
24ae3ed8c5852a50e00e644375badffd91b3e2ad0d1566e4bf8b68febd0229b6

SHA512
93531b7654b7f4c60347aabe41bb1628651df699d98bc0d6ae393774a8ec16a5b1b9e1ab55ffb1abbfe6b832dd4b95918fc6a98e470e2530a529799e10e886e5

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
67KB

MD5
70554633c1e768c993fdbc030fff42b4

SHA1
a8a65155813f6c99c2e31e5f273ff7842b24d224

SHA256
8b05bebc8fb99c79f4f2d88a7d7180bbcf771481e0ee822c774e8bea7eca9f36

SHA512
1b7455280e7e9dc633785a8f9f8aee5bbc5e78f22277596e207bbb1e9639940e373b5eb3c596246c586822d2aba23b4371f9eb2745dc7aa651bef0336681c5d6

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
67KB

MD5
cf4ece6a1db913f5e82a16ea07c6e51a

SHA1
629cbd47221fa32ebf333016feda56237afb4191

SHA256
328e6d0857eafef47c2f040972147828faedfa1f136309dbbfbddeb4c038cc92

SHA512
8af7519b089ba4b8c32b1096be39f4dca5ac5f4a8f039de3c1c4328fd14102c759fc2472f8b92609b731b714096975d1a5d125c0ac23cd4f5ba0bb03b2a3a02e

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
67KB

MD5
319ac8c9e3355f6a797aac04e9ee9ab1

SHA1
9c7c3af411289495b2c1f8c54e3a771e95b4128b

SHA256
6a9cfc33887da41856dd1d55426c79b1f03ad29bf3b5215f64936577b2ffd38f

SHA512
5f15b7cd2a0859d41eedd2f45fc0aa6dfa97a9824d22c1c6b8df2950988b1b72303f7782ee2f1167e7595854966439bc450d793172dbe400a0726f5fc7a96676

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
67KB

MD5
4a03a833ed1126140dfa17c34ac95ded

SHA1
4f2431aa04edaee6e0d8e188406dde2c69b9025c

SHA256
ae394701ce490e696c10ab87e3d96ebef2926dfde8929c2cfed8359e16084d08

SHA512
e33dc7eeaa4a8999986526c1628ab6db71fda61f44c2bdc44a075bb2a59d0b7b17a9efa6eae11306c7e1ac793dbc726cd6b809dc8840319d2a4efac8cdcee03b

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
67KB

MD5
935ab55a62e59dea6f213368e23ef8fc

SHA1
c2cb8b361b745676b1391e46c65f103a6afda1c8

SHA256
1205fbc8d6cc8fe8227e0f813c361c461dfecef2423ab3673c88e2a1bbeba8e0

SHA512
82d22f6dc01fc31d9f9503ca4aaba01cce8f64e5eef790cfa3c4e013f5155880698eb6e1fc9ebe85444b6aa6c4e42a68c965c21d18534b5f32c04e4e07b9dcd4

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
67KB

MD5
3c0a680988302ef44d7430c74eca6964

SHA1
fa9c1d9eb08b742e5de4fd10a2250f440136adc6

SHA256
06af05002db535b0f6693d10a873cd63e1b27722992e8432689aea5ece9bea90

SHA512
79824a887b23ed4233a4b2bc291a221906288f79999573abef027c63e9af31e0ed88cf3b1f29cf8a06538e402ed7d657b82cfd0a5b1e1fa78903ee9c7f4915c7

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
67KB

MD5
8207c33cb7a515a828698fc2aadad6e0

SHA1
de862cf4bc0c510611025cad1f082b71a3cb60e7

SHA256
8a72319de01f977a608badf83d65d1280be87e49026e8b8683b9f069923e0409

SHA512
561a100467e85dfc144c31bd6a311c18e87babe971e2922ec65c0a3d1c6d49cc4845a24e5bb0032322078905640864787a2486c6c86af98bc627c4869dab1cde

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
67KB

MD5
49046b149b9533d8fdd484fe06025182

SHA1
6ea7df3635ada86534a2f447d1cb9999540d55ea

SHA256
42a8fd928bcc415a9973d1490d4594643252ed7cd24d0f075e6c021bcc34f5f0

SHA512
f2969df08a79cfbceba797c0d5dd97db34789f42acfc5210fc25d2f6e4dde35d44060823922f0b96fd3f820751dd2f1b83d95026ca91677032c2e48260761572

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
67KB

MD5
65f8eba3287ae34fb8f71838d1c153aa

SHA1
dec747c414d79f97a66ab253460d3452d496fc99

SHA256
ed398abe6974d5de45ee06d101bd99ca00db016dc4703a5d8144eaff19f4b539

SHA512
b42ca476d1d3e1f01b85456eec9d5b2f25629487fd95e3d6f291ad6b57106f224c2b821882a40bc240d2888000efa9e45ec5a2ece133c89685c8da4f5c9b6532

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
67KB

MD5
ba5168d61c13df30ae574b1ba0c58544

SHA1
bd7873f57defc86092e204903a18803707fc0025

SHA256
ac98ef79bf9f483592d271efa73cf658407f3cb317ab7aba4f8db8c6258232f1

SHA512
88e702272ef829c03825e34e7a9c6c6ac7022ab7f7bdb6e9fc0c96eea26aef56b17debc5b56b6f3106637769dffe579d07faf8b8b7fe99fc983073d7d9733c14

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
67KB

MD5
e77dd7474d861226b0cb8d129f5b9896

SHA1
a1bcee5f589c5bdf0a4f5ed8d5335d04c5ef2ed2

SHA256
87606b3e1c33019cf2412c19adc6970ad03ba1093db9d2ae1087c0192acf8d95

SHA512
c52f18f04ce7de32f26d7749596673e64ae9cfcf31801a41b8f11cfec4be58746a3ab709d8473c8c5d759d32b029a12735800fd7f3cc9ea34ef2b41e0b7a4afb

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
67KB

MD5
a7a9242ab1468216bca48ae079cce05e

SHA1
ba5db36ce07c7c5e603e00a6840f1c60ceefc90b

SHA256
9bf539706f43b4cbe8319f787f794686603b276526ee2c14fd711e9e11372cc2

SHA512
eb4c8c61ceec9983d706b12201eb8088b6f535dad9c65ec3ff4cfa455a06ce76834388601a1ac4184c11b73c302c1d00a5d3f95728cc3083a1bbce098514b66b

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
67KB

MD5
c105224cf44e7a2caf6717e07229b8ad

SHA1
7d580e2f1667e3baba1cb0cddece56a6b5f043c6

SHA256
d6dc1d1cb963dc2a315fd6cfcd3611eca378439e95c72f1100fae778610141fc

SHA512
cbc973891c32a6fd0f962b48b9e2953479905da1ad42130e56c26cd2f1a4956a9d005de17a463687d90dc3ee11a65007db95ace9dcad86f75e110084a0b5ec60

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
67KB

MD5
f267bb52a4c28b487fd2ae5d0edb60dd

SHA1
323fe5ff36c0dc34a2b6025bcc84bd3b7a36e690

SHA256
f93dde4d96f74c0969f486ccbcd5b427118b84b0cf0acbb3d1cd16e8c8b8e449

SHA512
31c108be6ac1baaaf762f59cc117fb079ab6ec65fc5b803be41228e89c00f23cef3be169c83be8cdf1b233cd731b18056ecf0eacc5261c82f63df5c9f26aad14

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
67KB

MD5
b19ca63ea3cd6fb9d380b5dcc7bcb7ee

SHA1
815e41a0d0051e889b4b5d082692f6cd53524c23

SHA256
c1ffe73a6a67b89bf347d22d7bf42209ec54d8cd7ca2c584a68eae0cc046d847

SHA512
c629ce091f7d975d1dd537b587276d79788713340c535fc8829a5ab433afd72ab832cd43ad856b1ed2b561d87ad4de4fb5c18d972768320cda4e0a6c85bf6cc6

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
67KB

MD5
3dcf1bd76b13c4c4b66ac81a3f8132b2

SHA1
e6bf41bcf416287b1507ced9561aaf12b9edbbf6

SHA256
8083fe797d5bf90f34abfb660bd4b62240764d9d59139267a445e74ca3e889b8

SHA512
c336f6fec1768d333638945d0c96a9a99b13a40c611d96428ee2686ee436e756482fba07c4cf744647c900ee652636f8a3295882f7db54975fc039ab5c3a70ff

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
67KB

MD5
4ddf03397943c2f7e4e5b2c78dc40a5e

SHA1
08269b0f1ae797d7a8eac721c0be1058c350717c

SHA256
9d09bf6c3372ded0b9c98d12d744006f5ce761ed83f5ea76f21a124bc9d1ecf9

SHA512
2975d39437a7212a4a94669d43a60ccf841602ab56174ba1dcfb247c71758faa1b2f9df8ac5b2c1955b4abc4a9556e97ab8ef9951da2bf6dd87113302f7582f8

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
67KB

MD5
ef64f05325d0f90be5bccd1ee9551059

SHA1
5707eaf924b56a30aa8b8f3f685e1de8b08b020c

SHA256
b169c2eeaf8854cf22d4655158295327211c5b146c955c7ff7458bbd8ef9bcfd

SHA512
7085ccf420196bdf3d12a0c95be8f83a68ed09d0ccb7e9d4807bf8182c8bfaeb6c8667e5f9e2ee09c4a4451405f9caee37b68d598b54d8daa0fb6daab010b7de

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
67KB

MD5
f87e26facae5e1d7071a626b220ad341

SHA1
ee788464498e52b763bdb07eff785f7091811858

SHA256
80767f9be77054274b75009871c59465f520edd069c821d8f8f16ecf079a8a69

SHA512
59119baa7209a5d34019ddb2a78dd85d4169429da39056ce5bcfcc34f10047f5cb8b9b7aa5d3c3088007535aea4781bdec724699e90ca91442656854e1ac16f8

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
67KB

MD5
4e8d1f220dfaf8fdbafa029aca862de1

SHA1
30b288796dfa4c7b982166e01f32da63891e0b6c

SHA256
3600fb5f59621c3b004a884536a626fd63c79a6568f7a58baef0fef182230faa

SHA512
24d269235ebb86deb155ee48153b3c3fe7832491ecf5b7d5be8f69d86bbf8e3c96f114c3d1787e6039f2b2ecece28e4eaff01f469d9e740b3dcc9fa2da48d36d

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
67KB

MD5
bb2b9f731d07d930dc00d56944db91bd

SHA1
590579bf3835a77327358e7b0f1f8734adb863ed

SHA256
8a9d6d215bc12fdf02687b9956792fb38efb74d85f2c618f7f12c3c6fcf627f7

SHA512
afd6e91aa5f3bf4e5ac83440a8af2539390141939c976cde89c4c29d90c30a778cb02747ac8fcf3b01f8e29076f1d528244964c97a610f623b8d237efbdcacb8

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
67KB

MD5
adfd07a3ad3569c4afe4f49f1400738c

SHA1
aed5737f3f645b219d26fd19af197c3d2d522c6a

SHA256
47a3f0ac1f64747c45de211c9a4f3c3642f0ae9d97b1d25d02be2a1209075718

SHA512
71e41e8335838e6562b64b2521795eaa42507653dfb0a0d8c8b70905c567c781c8e9c6fc72f073ab6e3ab0581fce0264f345c0292c3cf3fa12d891670cdef2ae

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
67KB

MD5
fc97f0b22985a2c05b878f1914f99acb

SHA1
c8f2324ea7dedf8b9d69ad34dcd736d425c4a954

SHA256
5b1c9694248668813ff92a4ec6296a6b265dd8886053a4b4a85482c1b5704a0e

SHA512
3dde874eb9cc99287b9b0391cc6d1cef3b314cbeb628898e1babcf3f438e3d6ec4845b5ec2dfee6a02077b52b2a8c2943171ff2c2467a2d58a4308282becc2dd

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
67KB

MD5
941d327c3ac748f827b98f629a8b3c24

SHA1
f503b72145f04e2f964a7f18f39940d99904e286

SHA256
1023be41b58dc33867a719efa2587214db8c523c9ec53a68277c8b0a0bed878c

SHA512
559f8b0e4a55ba409f3fc6eef7fe40c26393d129f5e118243a08d9462b526d26254bfd2e5bf0931e59b123b5c4bc13d435c85ac71c86db546010f2336b4aca4d

Download Submit
memory/376-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/376-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/512-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/512-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1016-258-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1016-171-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1128-403-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1128-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1164-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1164-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1176-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1176-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1204-354-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1204-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1248-341-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1248-410-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1420-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1420-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1476-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1476-375-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1520-347-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1520-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1544-362-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1660-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1660-312-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1908-390-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1924-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1924-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1936-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1976-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1976-382-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2192-107-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2192-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2200-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2224-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2224-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2304-411-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2308-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2308-20-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2352-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2352-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2540-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2540-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2580-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2580-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2584-319-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2584-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2828-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2828-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2868-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2868-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2984-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2984-389-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3208-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3208-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3212-162-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3212-249-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3308-99-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3308-187-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3384-361-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3384-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3456-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3456-396-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3472-291-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3472-206-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3476-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3476-284-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3596-333-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3596-259-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3612-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3612-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3680-397-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3828-355-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3828-424-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3868-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3868-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4300-404-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4400-383-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4416-368-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4416-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4428-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4472-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4520-250-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4520-326-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4532-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4532-276-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4764-417-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4764-348-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4928-267-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4928-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5012-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5012-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5028-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5028-305-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads