berbew | 296758c4ecb4e6974146f33e3d0ea546b6721735f852b6d3f244d0917c57e28b

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 12:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

296758c4ecb4e6974146f33e3d0ea546b6721735f852b6d3f244d0917c57e28bN.exe
Size

448KB
MD5

c9ef9e141b28495959f212b4094ed060
SHA1

702e26580ce70282df4af02f429ec80ecd41d360
SHA256

296758c4ecb4e6974146f33e3d0ea546b6721735f852b6d3f244d0917c57e28b
SHA512

b7eb3d2c898aa20048667d41efe3f095f8096dfc164d4d02bbfb1ceb2af2f1bc07ed2dcd02e62c160183c092798eb393e5295c96cf74fbdd402b6a4596f60f25
SSDEEP

6144:KnYzKk2NBF7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBsR4/0ePGSzxC:6YzgF7aOlxzr3cOK3TajRfXFMKNxC

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1168	Jimekgff.exe
1640	Jlkagbej.exe
4924	Jbeidl32.exe
1588	Jbhfjljd.exe
2952	Jlpkba32.exe
2816	Jfeopj32.exe
400	Jidklf32.exe
2664	Jpnchp32.exe
3516	Jlednamo.exe
2232	Kfjhkjle.exe
2568	Klgqcqkl.exe
404	Kdnidn32.exe
4664	Kpeiioac.exe
4204	Kimnbd32.exe
4568	Kbfbkj32.exe
4304	Kmkfhc32.exe
2456	Kdeoemeg.exe
2640	Kefkme32.exe
2412	Kmncnb32.exe
1688	Kplpjn32.exe
1732	Kdgljmcd.exe
2964	Lbjlfi32.exe
1568	Ldjhpl32.exe
1156	Lfhdlh32.exe
1108	Lepncd32.exe
1352	Lgokmgjm.exe
2380	Lphoelqn.exe
5056	Mlopkm32.exe
4168	Mibpda32.exe
4016	Mplhql32.exe
3704	Miemjaci.exe
708	Mgimcebb.exe
1768	Mpablkhc.exe
4036	Miifeq32.exe
3928	Ndokbi32.exe
2112	Ngmgne32.exe
2608	Npfkgjdn.exe
3356	Ngpccdlj.exe
4088	Nlmllkja.exe
60	Nphhmj32.exe
2648	Ncfdie32.exe
2168	Neeqea32.exe
2472	Nnlhfn32.exe
1036	Ngdmod32.exe
972	Nlaegk32.exe
2356	Ndhmhh32.exe
1748	Nggjdc32.exe
2868	Olcbmj32.exe
992	Ogifjcdp.exe
2280	Oflgep32.exe
1872	Olfobjbg.exe
1604	Opakbi32.exe
3132	Ogkcpbam.exe
5052	Ojjolnaq.exe
1516	Odocigqg.exe
2184	Ognpebpj.exe
4376	Onhhamgg.exe
4448	Odapnf32.exe
1968	Ocdqjceo.exe
4196	Onjegled.exe
4656	Olmeci32.exe
3652	Ocgmpccl.exe
4428	Pnlaml32.exe
1088	Pqknig32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Miifeq32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Jlpkba32.exe	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Dakipgan.dll	Kefkme32.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Kpeiioac.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	Kefkme32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Eeanii32.dll	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Jlednamo.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Lphoelqn.exe	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Jlkagbej.exe	Jimekgff.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Kmkfhc32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Lphoelqn.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Jlednamo.exe	Jpnchp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5748	5348	WerFault.exe	228

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkagbej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfeopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	296758c4ecb4e6974146f33e3d0ea546b6721735f852b6d3f244d0917c57e28bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jimekgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	296758c4ecb4e6974146f33e3d0ea546b6721735f852b6d3f244d0917c57e28bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbedgde.dll"	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Odocigqg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1168	4480	296758c4ecb4e6974146f33e3d0ea546b6721735f852b6d3f244d0917c57e28bN.exe	84
PID 4480 wrote to memory of 1168	4480	296758c4ecb4e6974146f33e3d0ea546b6721735f852b6d3f244d0917c57e28bN.exe	84
PID 4480 wrote to memory of 1168	4480	296758c4ecb4e6974146f33e3d0ea546b6721735f852b6d3f244d0917c57e28bN.exe	84
PID 1168 wrote to memory of 1640	1168	Jimekgff.exe	85
PID 1168 wrote to memory of 1640	1168	Jimekgff.exe	85
PID 1168 wrote to memory of 1640	1168	Jimekgff.exe	85
PID 1640 wrote to memory of 4924	1640	Jlkagbej.exe	86
PID 1640 wrote to memory of 4924	1640	Jlkagbej.exe	86
PID 1640 wrote to memory of 4924	1640	Jlkagbej.exe	86
PID 4924 wrote to memory of 1588	4924	Jbeidl32.exe	87
PID 4924 wrote to memory of 1588	4924	Jbeidl32.exe	87
PID 4924 wrote to memory of 1588	4924	Jbeidl32.exe	87
PID 1588 wrote to memory of 2952	1588	Jbhfjljd.exe	88
PID 1588 wrote to memory of 2952	1588	Jbhfjljd.exe	88
PID 1588 wrote to memory of 2952	1588	Jbhfjljd.exe	88
PID 2952 wrote to memory of 2816	2952	Jlpkba32.exe	89
PID 2952 wrote to memory of 2816	2952	Jlpkba32.exe	89
PID 2952 wrote to memory of 2816	2952	Jlpkba32.exe	89
PID 2816 wrote to memory of 400	2816	Jfeopj32.exe	90
PID 2816 wrote to memory of 400	2816	Jfeopj32.exe	90
PID 2816 wrote to memory of 400	2816	Jfeopj32.exe	90
PID 400 wrote to memory of 2664	400	Jidklf32.exe	92
PID 400 wrote to memory of 2664	400	Jidklf32.exe	92
PID 400 wrote to memory of 2664	400	Jidklf32.exe	92
PID 2664 wrote to memory of 3516	2664	Jpnchp32.exe	93
PID 2664 wrote to memory of 3516	2664	Jpnchp32.exe	93
PID 2664 wrote to memory of 3516	2664	Jpnchp32.exe	93
PID 3516 wrote to memory of 2232	3516	Jlednamo.exe	94
PID 3516 wrote to memory of 2232	3516	Jlednamo.exe	94
PID 3516 wrote to memory of 2232	3516	Jlednamo.exe	94
PID 2232 wrote to memory of 2568	2232	Kfjhkjle.exe	96
PID 2232 wrote to memory of 2568	2232	Kfjhkjle.exe	96
PID 2232 wrote to memory of 2568	2232	Kfjhkjle.exe	96
PID 2568 wrote to memory of 404	2568	Klgqcqkl.exe	97
PID 2568 wrote to memory of 404	2568	Klgqcqkl.exe	97
PID 2568 wrote to memory of 404	2568	Klgqcqkl.exe	97
PID 404 wrote to memory of 4664	404	Kdnidn32.exe	98
PID 404 wrote to memory of 4664	404	Kdnidn32.exe	98
PID 404 wrote to memory of 4664	404	Kdnidn32.exe	98
PID 4664 wrote to memory of 4204	4664	Kpeiioac.exe	100
PID 4664 wrote to memory of 4204	4664	Kpeiioac.exe	100
PID 4664 wrote to memory of 4204	4664	Kpeiioac.exe	100
PID 4204 wrote to memory of 4568	4204	Kimnbd32.exe	101
PID 4204 wrote to memory of 4568	4204	Kimnbd32.exe	101
PID 4204 wrote to memory of 4568	4204	Kimnbd32.exe	101
PID 4568 wrote to memory of 4304	4568	Kbfbkj32.exe	102
PID 4568 wrote to memory of 4304	4568	Kbfbkj32.exe	102
PID 4568 wrote to memory of 4304	4568	Kbfbkj32.exe	102
PID 4304 wrote to memory of 2456	4304	Kmkfhc32.exe	103
PID 4304 wrote to memory of 2456	4304	Kmkfhc32.exe	103
PID 4304 wrote to memory of 2456	4304	Kmkfhc32.exe	103
PID 2456 wrote to memory of 2640	2456	Kdeoemeg.exe	104
PID 2456 wrote to memory of 2640	2456	Kdeoemeg.exe	104
PID 2456 wrote to memory of 2640	2456	Kdeoemeg.exe	104
PID 2640 wrote to memory of 2412	2640	Kefkme32.exe	105
PID 2640 wrote to memory of 2412	2640	Kefkme32.exe	105
PID 2640 wrote to memory of 2412	2640	Kefkme32.exe	105
PID 2412 wrote to memory of 1688	2412	Kmncnb32.exe	106
PID 2412 wrote to memory of 1688	2412	Kmncnb32.exe	106
PID 2412 wrote to memory of 1688	2412	Kmncnb32.exe	106
PID 1688 wrote to memory of 1732	1688	Kplpjn32.exe	107
PID 1688 wrote to memory of 1732	1688	Kplpjn32.exe	107
PID 1688 wrote to memory of 1732	1688	Kplpjn32.exe	107
PID 1732 wrote to memory of 2964	1732	Kdgljmcd.exe	108

C:\Users\Admin\AppData\Local\Temp\296758c4ecb4e6974146f33e3d0ea546b6721735f852b6d3f244d0917c57e28bN.exe
"C:\Users\Admin\AppData\Local\Temp\296758c4ecb4e6974146f33e3d0ea546b6721735f852b6d3f244d0917c57e28bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\Jimekgff.exe
  C:\Windows\system32\Jimekgff.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\Jlkagbej.exe
    C:\Windows\system32\Jlkagbej.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\SysWOW64\Jbeidl32.exe
      C:\Windows\system32\Jbeidl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        33⤵
        Executes dropped EXE
        
        PID:708
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        45⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        48⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        63⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        66⤵
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        71⤵
        Drops file in System32 directory
        
        PID:696
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        72⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        73⤵
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4192
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        82⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        84⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        89⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        94⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        97⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        103⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        104⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        118⤵
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3224
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        127⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        133⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        134⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        136⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        137⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        138⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 416
        139⤵
        Program crash
        
        PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5348 -ip 5348
1⤵
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
64KB

MD5
aa9385759102ef7e0426a5caf18d3d42

SHA1
69c644cac04d07721202b03b21f494f080774604

SHA256
1363665930a586be9c260c7655866d21e5ab01af986c8ff8c3dd964610529ec5

SHA512
f4771ddabd5224b3e0f77501a9da94604e6cd70500bf4dce6e9dc35ef07dd087bd89fbd12bb7fac33c240ead755a01a7042126169c92734fec08e66e752b2e69

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
448KB

MD5
1ab93b2e3be7973386bb1c441794dbd4

SHA1
24ca67631615797289e041fc4a3cd9ecd164871c

SHA256
55cdde4e691fffce9098b8d72fb472acec302240a2f0a16142ac06e45ac0ad40

SHA512
7c2f7d543831a60fe83ddc4b9843c84745f2de52659a5afe43d52979498363382aa454d45bdd7081e3e17a83162b4d2d60373ccf380b46249b6dd7f09581ed40

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
448KB

MD5
32fd5a769b6ed66b60348420964814f0

SHA1
51df95d6449ab6c5b4b9fe09c60498bac8bba359

SHA256
1b478c51265c5fc5ba7eee05b99e88479d9b44bb55518a58d29b6e5134398790

SHA512
7e0510ba5a443d19989806646c6c77d9487be72497372e37eb37bae4c315793548a428e9375f5f045dc6fddda9a5189093fb909982a6638a5eb6b133fdcde357

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
448KB

MD5
c2be6fcd8a3d66380155c6b966658cb8

SHA1
6c3a6b689635223bfb421454105bed4646fd241c

SHA256
5711d0ff27598ab1d729d02e16bba43723ae86baae2a8e02302aaf265a0958ea

SHA512
f4c9b03b500d71e3472e375d3240bd22fff873d26aa8641d7e3a7003d9858a836c4728a144cd2a6785fc7a2b0084fa2ef96232158e33bad97853363c3fbfd297

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
448KB

MD5
d0d8a138151cd6202b0816192a6e9e8c

SHA1
a210e639cb566c1dde103a5fd46286a3579a8602

SHA256
a4a718ac36a948ea287a311a103b9b4044dcae626dec09183c2bab1015c67d13

SHA512
1c1ae65ea3785af255b9090b387990d6b4220dfdb1596c6b4d9f7dde7fa0c39248b0cb5e9737bc5da3da4fe2d3a68ffb22809c10a276b4b38fe8ec51051bb25c

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
448KB

MD5
cef68194e84071afd438da760f477998

SHA1
b4199d4fcc575f66a119ff663228efa9a51c2001

SHA256
d6e210b02a95a2a9cc3ea808d07ba83977292c9a09bf75178c17ae73c9b0ce32

SHA512
5f5012066a0dc1c08870988cc5111621d1f1fd3e3b0f0457185577ef3cb6d65f3e5544a801ada681f113633c2e4caec003d4dacb7410ee36f579b7d3a51c75a1

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
448KB

MD5
348374370481ea62ca458a22b88e404d

SHA1
4d73882881eb866ce6d5e7ea6b820d327fd754d0

SHA256
322978eff02b2f5ae555cdd09c67fd596b1fe802441fd2cf7984c956999bc731

SHA512
4aa8ce182bab3e028a043d44810b236cf7a55d2d54f62a9aa68e7f3ff2ae5e996ca17494b467fb6c8b6e3fc2526fe04b0d4e56ee13b4494974c6880672cf464d

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
448KB

MD5
dc4f13934b7854661cd5ad6df7510d83

SHA1
e95d0cce2dd725f5e570e3f6648a77f1da64c2c9

SHA256
815cf4f85062e8966fc938a4f71dfe163492106fdc975ac868a56c3dcc4ab648

SHA512
6f4d37fda3d45fca6785d55c7d4fabd6e073bdf237288972f00254b51040092179caa63ccc40da66760d15e7cecdc368bc78db3512decc00a167129e974d431f

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
448KB

MD5
fe8277bfddbd3460d11d7787ec3da82c

SHA1
fec71f2976c1505c775617cefbe0358ee9f97ef1

SHA256
5e38745cda2405e17f9c8e14bd05a57d509edaf8f7dfba00a7ac7bbb13ef1fa8

SHA512
c3b11619ff038bd7d4ed74136b0c34df35bb022cd96186b44ad98ab9f65b006af05fad2cebc968d5f99ea10e12b2d46ce3c5e0e562528c8ad14b53824ab7ced1

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
448KB

MD5
60a12814bb10a3fd73a3ca4a1c886590

SHA1
f35627a987bb40f2dcae3019f18d6de66c123b97

SHA256
f62d19f019a37a32b7121556a8533b81765039317f76e9852330724160e23a44

SHA512
8add0d3f7ada36485cabe2069370ca7f85e826e365b58fdd6af8856cbf847452a03189b2788e6d4e8d2255b5eea9e23ba333b5985da2aaa4774bc226cda58202

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
448KB

MD5
7a7252dbf471c17525b916acc689be6d

SHA1
bf5f8b2d0e80bb13b0a0112ef58da3ea470eabeb

SHA256
cd77f0c74dd7dcede036f5fb3a0be709450ca34c016ffba75a130b77703b941a

SHA512
c2fda7f51170883eac9a0d4bfd5e96a446d9c94e6f04547f96a8e34030b33f9241a9a4093d3fd2b1e9a44ff625e773e7433b0bb81162ff1d780f0a7dd3e7fd92

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
448KB

MD5
58c956efe68ce560a1b6e19b8076c698

SHA1
73f1fb1c66bc36dfe60e49ff34fa00df99f0cfc9

SHA256
6d2a14dc58b9b853d2bb4149155482ac4fba1d9b067cc4e803602748998b580e

SHA512
5b05ae4fa0964e4b0806e63fa6dfb6bf0d30ed528ad466b852cab9d221e28ddd375f6eb3bd28ccc7f8a0d4af81d91e52e2f06a4bc85eb690777889bb29b77249

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
256KB

MD5
095d3a60ae05be1b7986450ebe5c9375

SHA1
74025d653ef8b771bdf8eb9bb7cd010b45d9d762

SHA256
43b2a0ad60c280dc97b56093313200ec9f54f61c930a0b5422f4f0be2200e96c

SHA512
7b3ff9d5cac442632af51b370e9ab5351ca43b054d471adb96e336ebb299f1c5d82c4c6476e84d23b54bc1cd94621cefd5598d633affe44613a089126a9b8cb4

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
448KB

MD5
45c5345897203747840124e52d97ef02

SHA1
33342597634478abab0b6b5e3a79f62245873e87

SHA256
6c56a6c2da76bb4614d8b30c991360899e03be5e45dd2a2377a383c265a94fca

SHA512
827bd6c0aa653f24a0c7643344a40551914ac3af656d0107565048f99e95f7317651ccd817e927fa9efd6e1d519d3d4c3c3216bef86266b5ef8a8450bbfde27d

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
448KB

MD5
80c9fb6c4104cf4ecdbfa7a878230805

SHA1
b8fc843f8f6af7847b35e0aa221e6413e199cb47

SHA256
7992a03d8b4b9b1023c2c485e2c237ad9d4b9f6f4088b07e426fab15c7dd84a5

SHA512
9498b94bcce491578c1f6edbc4e1a1cb3e38de3e0329e68efd5d484ccfa673db6b1ab29227b5762f1fdbb3aefd0e05630f0ebf5da25140dc236d6f8f09d45b76

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
448KB

MD5
3a265a578180d03ef9b1f4f62d26266d

SHA1
0b2ba4b0a5e7e670d4a15a4ff6733163227b33e0

SHA256
e49c04b801dbb5b053daf115cc8ecd7f0341da5d644785509119c2a65d1d5c38

SHA512
4bf59561d2e4b576f2b875923d3884c1c4742e9a1d00b55107ae6c63a98b788ad3d43d9810e866ac33119a95c18f5d75e29c000117b05874cf6c546122e85df5

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
448KB

MD5
682da1b587080f5a82ccd13717984c75

SHA1
a8f185e70f9ee55aded5e2e58e9dc6e22df67ed9

SHA256
2c097400ce5dc767d8417e160d8e505234200e2ae0419850187ca8f681c52336

SHA512
fef9397025b872811834ab7abd65d210859f7825e1e36c6383fc027c6bf15294bc7f7d2f1a0235ef7c3b17f08be0aa2c1ff7c14d23979ae046a2116a812356fa

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
448KB

MD5
f1bb088a8d9f72f460c639b890fd8ba2

SHA1
5ae98b63fbf227a3bf358485e0afb241e5442fb7

SHA256
f25e914ea87671b1c98917729c1bebde805459b6e23ca5ab6b4c12e6bb2e8a5d

SHA512
610070fe52e9438f92e9823b6e191b96ab6b135f79962acdf24b087753e76d724d373ef1481cc8248a90d0169192b38365df4299c66fcfee80fc548fbb52b596

Download Submit
C:\Windows\SysWOW64\Jjbedgde.dll

Filesize
7KB

MD5
5a62cc84219701752740fee5b628bb1d

SHA1
1b2f3586862fe272ee0e5d9387ebae289003431c

SHA256
357ab653aba890f7bf8578ec2392c1a6e59cea69974fa09176128dfdcd72d5b2

SHA512
cfcd113ef1e6320ea4f1ccf93f0981d487e3d1682e4579858cf37fbcb2af4b442a118543f6a324b96f6d8f7b60bef8f31d95d4891d8c999ffdcc162c54b93a21

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
448KB

MD5
c8f96177d0d1a4c65013c7b7b3f5cb53

SHA1
e519f7da283105c51d603905233d4e8619d6a60f

SHA256
727d955a09a3caaa12a00f35f468b6ef906a876887a12768d990a88c04a4076c

SHA512
0f5b980506a22d5f0ff6956dc9fb066321f113d47fe43f9bf71b69bfc754706ee7faa4ddac20fb26c9284ff6a9c91e765d17530a8d518d6edf002a32f5c883f7

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
448KB

MD5
f38b06179944b20494d83cad7c64f7a4

SHA1
03ce240cd7628274f0392dd15206369622770266

SHA256
bb44916496ae0f2ab9ea54351256eb1afed922d1165581a644f52f21205f1272

SHA512
659c48d9fbe8c3e1ba7a742859bd07f134c071a35a7a66c1f24b9a8e5a5cd2551498bbcc061f43477bd3a30a2ef42fc499834a69cf282446b315bce955719646

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
448KB

MD5
50c9320729469365ce5f933a20a068b7

SHA1
58f13fa7b0bffb7bb386f7f2530563813c1317af

SHA256
0d1a63ac99734ee08cd1fd2d4c98a9749eae741b423824a4897598a1193b171d

SHA512
351c5db16b32dcdb810fbe93462bd14026f339706c0335cffaefdce68b80723bf6643f5e1aa77466d5256f946a2929162b6c7d65e52bf6ebe0ced7f10a72488f

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
448KB

MD5
e8ee812c0c22a8e368bf7cfa8a6be95d

SHA1
c1d858155dcf0e8730e0a19cb815693457f5fc14

SHA256
f0df892ae7375b186f6e154dd2d660719375a4d95de2c830732a12b3edd3f024

SHA512
a69eab9426fa05865929e83e853a6a850ba2cd50c9792c0e56a769b211850111efcdd5c414ac22bd17b7bfcc1fadffb98ae46dba3a449da77b0406797df95f8e

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
448KB

MD5
1d01456386e46d2b2bd73cdc9d036705

SHA1
1a780d695a5d2f2634fa61843c9759b51e695bf1

SHA256
22c274d33d8abe53839c6764f1781fef5b29a2d6d36df7c2eaa005843d5ec86d

SHA512
e3a978920ca85c0cf53dc186182b96c1cf72daa9400c1871a1769bc603999624c2a62de0f7462103f9c2b0b6f0dad7827fe674da50db2d88fbab1549855a68e7

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
448KB

MD5
7646ff4065a5a33dfe068dea0962e7b2

SHA1
d2cae7a377c5631ddbd9c84e623046274cd2ec62

SHA256
8200cc303d15ec0275efdd3356151f3b24eac138cd05d670178c81a78dfb0e1e

SHA512
4e32a52d3156b2aeead1838b3a6e997786e4da7fb63461ed614adc78d57caf99266a351441b5b1e40d3f3e641881f7d4dfbcf213c97f2df20b7dd61c9f2f149d

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
448KB

MD5
5708c31aff6218b9ac96e2b2af52acf3

SHA1
5efe53b87f7384c761abdc7b955807b86b52cea8

SHA256
ba9f21ffa0f4aa9f524f704dee075f9feb60e30bd39a9f8e8e3de5dd7e1f86cb

SHA512
50815d632ac393f59519b6f54d2461b239ebead8947499366a11c697f305d42c9676a5d69db4e57d8c5740f25fc69065927820a1309413c84d345c4ee17742fb

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
448KB

MD5
e5806168f89c19a9ff8f382306379444

SHA1
10e7a11c1b7afd8a1e4c5cb2ba3bfcb4ad88a588

SHA256
f728140a87e838bfce8dcefc8e7ab5caebecb6d3a510944c4700c38bf0fdaf1a

SHA512
6907a17427becf59d962079f640d03a3f9ccf35afc1eb980286778b63a4c50a949b324134646616406b665efec2fdcc68dc1a3c96ca2418fa0a1fd5d870b056d

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
448KB

MD5
b6cf3ade79e20af64ca74aed3424447d

SHA1
0fc13ccda697d44c67f9b3ca63b53ab1c35c016d

SHA256
0a43bbb4b5d4a80dea6d9f199ce0a20a16756ee41395f1e7669d066b0f00b82b

SHA512
b902f62dffdab077986965db0fe1840806c3bb5ec05641050a4c3e4c429507adb96ce8f3cb64c364dc68c2688a768da579b571095d24a65aa7ccaf4cea009db1

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
448KB

MD5
03a0c58826fa3f236e89653e9202ce38

SHA1
40a4d4da8f76d4154bbf348b35b89a833b3bb766

SHA256
19f15792959f6072de33712e12ce44d44ff7f2c96f23943706ef95d9abb282bb

SHA512
1fa498ae85a8a416502934e654c6afdfce55a84f85df6cf9b6b6121ae5621f040ab10718a96264bf7e6ca7f5830fd209cdec559a8be1ecbf35776fc78ec994ca

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
448KB

MD5
0176223940ef3ca8d05174c128029f5e

SHA1
16b51fcff927b021f385af456fbe6a3010dbde0e

SHA256
54f2516802bd2bc8d7065efcf2126b61b6ce935cf6532ae79b79da449eb9dccb

SHA512
de1a24650958b85b50b0af68b07924a6d4e4e34740f86989f7a8b70047e30593bb6d3f027fa37313007ab93be585062c2a352b5758ddb1f1ded28ff396151c73

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
448KB

MD5
c52ad1204ecff439cde5a4e0c3cc3086

SHA1
f98420f42f8f0d323a5051091e850aaeb7957773

SHA256
9df2fa21d84f24918c4a21c782300c06e4f0884e68fcd77e18fd06d53e0d0131

SHA512
8f85c9ba6cf40722ee68743453d163a4b9728e74cd35ac081e1c06eb721db5a5bc260b415d36ace3a9c2f75c101508939ce6e8246b02ccb4bb7adfb9fd530b0f

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
448KB

MD5
6c9541770392ce6ef8723c6cf5d6ab42

SHA1
0c41b38df64f40c6d28269545d26b0836bfd541b

SHA256
775ec7be6e209ff25c6f4e3fd0d1e0e90521ca8bd6fb00ede130d007257b8d3a

SHA512
ecec7af2e8d8bfe683f9ac9561aa084f5bedb203dd67b599ab53ff380309f6dd4b92fd7ec0acca850ae45cd51df4dfffc6bde3764fb33e72c07bbe089c0345b3

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
448KB

MD5
60dfd81f47df7ef2b5419284a001cd11

SHA1
6a30ea3054a18275836479238e10c868416a4bdf

SHA256
eac01ca48882de24d5f58a69d55c28cd2a2c086083c43438f31177e5847784cd

SHA512
8b707ae9f8c90fe864266dcfee467591675105fcbe9ad81818b403c08a54d91d0561bfe4724d6a33962e015b1320c34da92b2fbb7c113337bd6f35b277d88b32

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
448KB

MD5
f8f507d46358fdf1e8d9c65cf38ae646

SHA1
767fe00da387b097ca099816eff6a03feb9b8466

SHA256
54f682c1ae71a30c2a352247173ab74af5a2b8a1c3d1fe320621e3b342fde621

SHA512
7f8d9f64a63d3690408062073e950458a2dd935f1116e2f481c2d2b728ee84ab0fc69eec700af3b1058d9d26f345c2013491ab2d146506ba0a56219bb3656652

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
448KB

MD5
97f885213ff79e8a3de46b8bc43b9170

SHA1
361517bf6fa88f3934271fa4f33f6b670e4e29eb

SHA256
de7a0a79ba05277b547db3c3c14e84058f5674a2dcc73845b496fb202fba832f

SHA512
7982845ff68346233d9942715a92f3653ffe9fc7c77829531e5bc97dd67c16b1e7ac7ca2cbe6e56c8c2def73cd57e91df8444c5b072bad95024fa5d0f1ec8c05

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
448KB

MD5
186d1fed6bb0c6c8940ffa5e2ebf1fab

SHA1
f1be5523360df07653b494c85e5132f9786589a1

SHA256
488c2c5972b9be9d870e6bd04b027b455077dfae76fe808dfce1e4d093accb77

SHA512
ce0b6dc071efa372ce34ff3fe6024c41312062a8386f7ccccd57383e9ee0ab69284a77da18c63b594fde3f6ba8358471efe86d35e1c7efc3eda13dd85a71a54c

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
448KB

MD5
035e395addfb00a688c0734ccb8abff4

SHA1
2a5c967523565f22e6ffec66cb9c7bb6ac9813ef

SHA256
ab1b8045d0e0e8eb6d2b6fe3d12b431fc04cda88acf8b2a437d7cfbbf25b98b4

SHA512
da386b74814855a7a79cefc6816de43dea8b0afaa7af91f97786fdc455868fbba709a85f9f8598ffdb7170efaee79f3bcd09abb99927e9dfaa886abfa865766b

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
448KB

MD5
145c42b240943e7c242b741743827c6d

SHA1
54624a81c5f30bc1fdd192a164c01df0f5b7ed5e

SHA256
08649ff570a135ace76c3886f8db5cdb5b58ce939ab14584e15867018ae18e27

SHA512
6c4135edb292642ae55238abfedc69d0d61d22bc60656b1817d2a886241092e27a1425782d69bcbab8602d778e5b6f40a05b20b401a5d53f2a25a45aaa0730ec

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
448KB

MD5
860d5f7e48a13e37d6fb738970beeb05

SHA1
9143e0311c79b7994353c7c0b735ed1fc2483d48

SHA256
d83cb128e13614b7eb37a0455154293598d36b4d017e3aea2e4d7b25f80eb1b6

SHA512
60a28164a8928559581b04644be1f22b2d3201b3389bb144e8248d88c8d219f38d9b011570f0a68cf91c2079919287e1dccad6eca0076b131a4bfe26239bdfeb

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
448KB

MD5
662185cebc16b7110626de4587b86907

SHA1
96c2826a2507080ce19d728aac53d30e0487616c

SHA256
139f6f816f9efe2ad6a6ca90626e588d01b45796a8c4b36bef6d784221e2e051

SHA512
d3947949aa4adf7612701b3518f152dc77ae26df4e9112acfe324812c873fc330982b0c8f08bd8c9d1dd99cf347315bf686e9b40f00c3f3b5d089cd7f179b6b6

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
448KB

MD5
df91e522dc7be5421a2f7cc724bd0640

SHA1
10d62560018721853ceee43e2ab5ada4714f23e2

SHA256
c786991f371b80fd09058fc8a6e27f34790f87b1499d3aea30924b870c0be3bd

SHA512
eb1a21a6c5567618b76c5375ce608aa8c1dc87ebaa9977fdd268e472a963d0e17295b9bd47771beb02ccf109c24aee0411dca1c4c857a285cfd277a151f8e4b6

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
448KB

MD5
379399e1b3dc7c3b3cec75a5e771a870

SHA1
f65b72bb27e058f01c54c65760891f1fc63391ec

SHA256
f15437ceb22ac4cfd2a84f529af2211faeb9fabd255a1c61728b9c67f5d87a2e

SHA512
8788bcc33b581f0eaf153c1109983f33a56cf2873394b41df7642d45392a1373347cfbe3935e2733b9de0c37d42d51cfde06cded73caab04c471729c514888f3

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
448KB

MD5
9e1e4a143b8ac3bdda3bb91c0030158a

SHA1
fcd03e4826a86829a47ec97fb0c4e1a22e6aa342

SHA256
8acb03599d250e288cfb7fe33c7eaf8e1a108c2e7ba51c6910128c170f5d093e

SHA512
0b165e8762cdb3e9c1e9b330594b9725f0c05de884182e597601be144107346d1ca4a79aa0f76203bf28df443e64409bf135dd5ee46fceecd3bc927d079535a5

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
448KB

MD5
ef3f47578376173ae4305a6aecfaafc2

SHA1
64aeb737b297c83e8f47482c055bd3af4102767f

SHA256
f53e3c9d6e235058d2f9675b6214dd3c735ff4e92a8a6a116c4f02267be0dee3

SHA512
a4cf0ddf1df705a993cad4b8338b35262e40f7f8ae424ac92a4f1e5e1de80fc8464ed0edf52f1d6dd5f25b908510c76ee00082d6ba7b145d52dbb3697a5a5053

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
448KB

MD5
f1ee2f13fbf973c527c999d94ff8e7a9

SHA1
eb26bbb368f549e9717d421212068624762bd41c

SHA256
fd1d7f1647558e45301706028ccdc190fd8c775db300c2f614490d1a1d294ae9

SHA512
77d5d54d856b85a2d00b3dea5b729a43fac12f2ce591c75b2a394d931cf161d6ab36e7da7df17aa0d4d95b3c533e21f413c66fe981877154f71afefd342ba69e

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
448KB

MD5
74bf75e47f9fd15152dc2f0848fd313b

SHA1
6e3338b6c41944c8aea610babcac0cd1557422af

SHA256
78fb1938cc46aa32e19c6bace380aaf5ba425187465dd07e977d4cd9d1f73038

SHA512
9103718ef183580ae076c74bd2708831aee9810e5d84fa2f07e2e52f7b7e394a3bb0ee4a1445d2b350ee6a267f2ce20f997f79568ef0524948eca132fc0328de

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
448KB

MD5
1ceaeb835fda969eb40c51c895413f1e

SHA1
6405d3b846eaf6e9ac7ff2dbe3d4db34580853a1

SHA256
22e19ca3b43e1c80cea7dc9a267addac3eb523bd0e53bc95a0838a0997bacf5f

SHA512
3bd75bdd3d88d80e6955d5594c1f187fe17b833cbe779e097b1e497555a4c043dddf82b7aa0615f08085f975953aaa5750109a38263af0624bfa0090f812adcb

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
448KB

MD5
4ee7f4f232da93b08d4b30055842e22e

SHA1
c6849822ddb05fb8a7a9cb9538d7a998f501f2de

SHA256
a69476a1bd4a474bf47425a6937af9fa5da838a47d4bfe0e06340674eb94112b

SHA512
4aff014ec253e213cbbc4fd31ffa0f5b0669777f9322777d7b57611bd82c4004c16b64ca6a30c86340dec4664e0404463cfec0e058e72fd6dfc11ca7b1ba13e6

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
448KB

MD5
55fe0dcb5219f22d80b72da869eb3c27

SHA1
477e40124dcbb2838824461cfb5b573b47ae52f8

SHA256
14f27e0c992f9612d23d0902fcb5e7aa04db38269da6bb7048b8b7dc661783cd

SHA512
7322b1cdaf1bd312890f3060251c3999b0d2e036b7185f7a1ab100c726ef5810630065e6d503c16dc2581e1a3ea7589591cc20481ff358b1c71a9c22af3b8674

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
448KB

MD5
3c83df92dd1432dfa14c049b40700f6d

SHA1
5062d03b557de7883276b7ba71bcdc66bb8d685c

SHA256
8bba5628d9c5fa5ca9c8646413bb2951cd56edbe97dc5602ee6b32617482c7fb

SHA512
00c833cded7ce2863c1ac74fccf29d6abb20b3263765221bda81ffef40b8d11b2246f46047634359f34e4323fcca9b97a48af00cf51c93cdcf3264bd694aaf64

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
64KB

MD5
0fc99509ec856de4ecbd32825f3d6a2f

SHA1
6030abbcef6119e1037c0f27e60be106d4dadaaf

SHA256
9d5b1a5eca2a949d0fa85f455a5a27b8865441a3ac5cdfde677e51cd80222d6e

SHA512
fc2a4e6c4212b2453c7f166cfc31c5d160a2cde8f585fa7890bd204b3a20a192738cee20d1dcb190a399d7a8334d328701afa927d61c0e47fc5158743a0f6202

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
448KB

MD5
7aef5e89bc6ffe38f2ae6c546532fade

SHA1
b0ad7224efed4439543363eb4e3f47314a0f3735

SHA256
6e27ee10c848c67ba7300aaebaa6ecda81ada0deb4370e31587827766e24b21d

SHA512
6f73331b6a4d19d30608a1d588103cdcd94c741be24f1dc826b19ef04bd1ecf413e224ce2b6f8373c72851c368644b22a364f0a610c1f15a71d0d94b420018b7

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
448KB

MD5
1eda52f62e20392b42e7fbd3767269fd

SHA1
a2c63653677c0fbb9bde27a70382f4a5c8cc0ae8

SHA256
a765ffe06304dd09b1d837d82b0e161c14f52a0a2388022161d40f404a756b85

SHA512
ae2cb6073dfa4e2225331a8172015b7c614f794a4433f13377a89dee748c3f12e8adebbc72822f7a21052584c9dc9d9c4f0dcd0736d7c6522374647baabc2e53

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
448KB

MD5
075998a508e0c4e57cdc7d6b6515d5a8

SHA1
b2f7857e6692c8e0d30283a70faa31b74aae4285

SHA256
594a53a4cff75254e61047d9ec95e46600002e90f27158e661f659258be40aa9

SHA512
247c68d7517fca8a869ba2f50768fa8158e8dfce69bdf15f1c94c777aae16540b5a872e1ba0e2a1324885d8c2e60df4c1b87d9047404ba76e65b7f565da5fcfc

Download Submit
memory/60-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/400-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/400-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/436-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/708-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/788-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/972-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/992-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1036-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1088-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1108-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1156-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1168-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1168-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1516-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-187-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1588-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1588-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1604-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1732-171-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1768-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1872-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1968-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2112-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2168-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2280-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2356-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2412-170-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2472-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2608-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2640-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2804-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3132-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3184-495-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3356-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3368-461-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3704-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3880-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3928-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4016-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4036-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4168-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4192-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4196-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4304-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4448-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4656-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4664-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4836-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4932-516-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5020-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-521-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5148-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5196-533-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5236-539-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5284-546-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5340-553-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5384-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5424-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5468-575-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5512-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5556-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5600-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads