berbew | 40224cddbffc248f471211c0958cb95a06c4498c7088edeeaa688c4760de02d4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40224cddbffc248f471211c0958cb95a06c4498c7088edeeaa688c4760de02d4.exe
Size

96KB
MD5

65db30275dfa66a380a43eb63d18af61
SHA1

746d10834ea7776cfa553081bf5e1d36b010bc5b
SHA256

40224cddbffc248f471211c0958cb95a06c4498c7088edeeaa688c4760de02d4
SHA512

ebd55d25abd15b9768bb36659eab0f874a4ea4271a31a64d0517e7c6d8659a7206bcda966806d99118ee0131b6bc55ec44f709aedf4aa1aae535ef47c526a1be
SSDEEP

1536:xAS1OqY36IknNNynDrUJtaCmnfl0mxiqTgX41qeto/YtMil2tO74S7V+5pUMv84o:iSCKIknNNynDrSUCmnfCm04AetXSKieF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcaped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opfebqpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbofbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpljbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojecok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banjkndi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgolnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moofkddo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajoplgod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgolnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjjlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmkaqnde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjohcdab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabcfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llidnjkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqqpjgio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abajahfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocnhhlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loeceeli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aihfhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omjfle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmalldhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbekejqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bifbjqcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaonodme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kldblmmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpnnakmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfbigo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqclpfgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nchomqph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojecok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojnfei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacgjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqjbqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppmlcpil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljiklonb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmopgdjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagmamlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjjlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpofhiod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khbibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpgmdhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnajk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kojdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpnjniid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obbeimaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiaphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpnnakmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lolaogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgkilok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpgoinaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofiholmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiojkffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgmoidqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moofkddo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbekejqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmpjlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	40224cddbffc248f471211c0958cb95a06c4498c7088edeeaa688c4760de02d4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjdkhmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjdqi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnhofj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppkonp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbpajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aidlmcdl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3108	Jlbefm32.exe
3164	Kaonodme.exe
3336	Kifepang.exe
3280	Kldblmmk.exe
2160	Kocnhhlo.exe
4012	Kihbeald.exe
4336	Klgoalkh.exe
2840	Kacgjc32.exe
1392	Khmogmal.exe
3612	Koggcg32.exe
2848	Kafcpc32.exe
2352	Khpllmoj.exe
2596	Kojdig32.exe
3084	Kahpebej.exe
3316	Khbibm32.exe
5012	Lolaogdd.exe
3528	Lefika32.exe
3952	Lplmhj32.exe
2412	Lpnjniid.exe
4436	Lhioblgo.exe
5060	Lcocpdfe.exe
4856	Ljiklonb.exe
4548	Loeceeli.exe
4760	Lcaped32.exe
4480	Llidnjkc.exe
3508	Mohpjejf.exe
4292	Mfbigo32.exe
4808	Mpgmdhai.exe
1012	Mojmpe32.exe
4744	Mbhilp32.exe
4356	Mfdemopq.exe
2384	Mpjijhof.exe
3304	Mffbbomn.exe
4384	Moofkddo.exe
1224	Mjdkhmcd.exe
2844	Mqnceg32.exe
5104	Nqqpjgio.exe
936	Nbblbo32.exe
1436	Nqclpfgl.exe
1836	Nmjmeg32.exe
2972	Nmljjgkm.exe
2676	Nqhfkf32.exe
2564	Nqjbqe32.exe
2964	Nchomqph.exe
2728	Nfgkilok.exe
408	Oqlofeoa.exe
1176	Ofiholmi.exe
840	Ojecok32.exe
3324	Ocmhhplb.exe
1208	Obphcm32.exe
2836	Omemqfbc.exe
3364	Obbeimaj.exe
4724	Ofnajk32.exe
2044	Opfebqpd.exe
4192	Oiojkffd.exe
2984	Omjfle32.exe
1576	Ocdnhofj.exe
1880	Ojnfei32.exe
2284	Ppkonp32.exe
2960	Pbikjl32.exe
1376	Pmopgdjh.exe
3904	Ppmlcpil.exe
3912	Pjcpphib.exe
1744	Pmalldhe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Klgoalkh.exe	Kihbeald.exe
File created	C:\Windows\SysWOW64\Lefika32.exe	Lolaogdd.exe
File created	C:\Windows\SysWOW64\Moofkddo.exe	Mffbbomn.exe
File created	C:\Windows\SysWOW64\Gbgnlcdn.dll	Bbjmggnm.exe
File opened for modification	C:\Windows\SysWOW64\Ccfmcedp.exe	Cadpkm32.exe
File created	C:\Windows\SysWOW64\Dghodhbp.dll	Lcocpdfe.exe
File created	C:\Windows\SysWOW64\Ojecok32.exe	Ofiholmi.exe
File created	C:\Windows\SysWOW64\Hiodmnil.dll	Obbeimaj.exe
File created	C:\Windows\SysWOW64\Amaeca32.exe	Afhmggcf.exe
File created	C:\Windows\SysWOW64\Cqkkcooa.dll	Adiqjlcb.exe
File created	C:\Windows\SysWOW64\Cadpkm32.exe	Ckkhocgd.exe
File created	C:\Windows\SysWOW64\Kihbeald.exe	Kocnhhlo.exe
File opened for modification	C:\Windows\SysWOW64\Klgoalkh.exe	Kihbeald.exe
File created	C:\Windows\SysWOW64\Fmpaaacg.dll	Lefika32.exe
File opened for modification	C:\Windows\SysWOW64\Qiocbd32.exe	Qbekejqe.exe
File created	C:\Windows\SysWOW64\Cmkaqnde.exe	Ckmedbeb.exe
File opened for modification	C:\Windows\SysWOW64\Koggcg32.exe	Khmogmal.exe
File created	C:\Windows\SysWOW64\Apjllkfe.dll	Omemqfbc.exe
File created	C:\Windows\SysWOW64\Qpgoinaa.exe	Qimfmdjd.exe
File created	C:\Windows\SysWOW64\Pfljelhj.dll	Ajoplgod.exe
File opened for modification	C:\Windows\SysWOW64\Cmkaqnde.exe	Ckmedbeb.exe
File opened for modification	C:\Windows\SysWOW64\Kihbeald.exe	Kocnhhlo.exe
File created	C:\Windows\SysWOW64\Lhioblgo.exe	Lpnjniid.exe
File created	C:\Windows\SysWOW64\Jkmplmef.dll	Afepahei.exe
File opened for modification	C:\Windows\SysWOW64\Cpcglj32.exe	Ckfocc32.exe
File created	C:\Windows\SysWOW64\Mjdkhmcd.exe	Moofkddo.exe
File created	C:\Windows\SysWOW64\Nqjbqe32.exe	Nqhfkf32.exe
File created	C:\Windows\SysWOW64\Khpllmoj.exe	Kafcpc32.exe
File created	C:\Windows\SysWOW64\Mbaonk32.dll	Nbblbo32.exe
File opened for modification	C:\Windows\SysWOW64\Amaeca32.exe	Afhmggcf.exe
File created	C:\Windows\SysWOW64\Qmaahjld.dll	Dghodc32.exe
File created	C:\Windows\SysWOW64\Kafcpc32.exe	Koggcg32.exe
File created	C:\Windows\SysWOW64\Kojdig32.exe	Khpllmoj.exe
File created	C:\Windows\SysWOW64\Cdeimhkb.exe	Cagmamlo.exe
File created	C:\Windows\SysWOW64\Cmnnfn32.exe	Cdeimhkb.exe
File created	C:\Windows\SysWOW64\Mahfflab.dll	Kafcpc32.exe
File opened for modification	C:\Windows\SysWOW64\Bjohcdab.exe	Bdepfjie.exe
File opened for modification	C:\Windows\SysWOW64\Bffihe32.exe	Bbjmggnm.exe
File opened for modification	C:\Windows\SysWOW64\Dpofhiod.exe	Dmpjlm32.exe
File opened for modification	C:\Windows\SysWOW64\Kaonodme.exe	Jlbefm32.exe
File opened for modification	C:\Windows\SysWOW64\Oiojkffd.exe	Opfebqpd.exe
File created	C:\Windows\SysWOW64\Hgmqll32.dll	Pihmae32.exe
File opened for modification	C:\Windows\SysWOW64\Afepahei.exe	Abjdqi32.exe
File created	C:\Windows\SysWOW64\Mpappm32.dll	Omjfle32.exe
File created	C:\Windows\SysWOW64\Ojnfei32.exe	Ocdnhofj.exe
File opened for modification	C:\Windows\SysWOW64\Adiqjlcb.exe	Aidlmcdl.exe
File created	C:\Windows\SysWOW64\Nikpidbp.dll	Bdepfjie.exe
File created	C:\Windows\SysWOW64\Koggcg32.exe	Khmogmal.exe
File created	C:\Windows\SysWOW64\Mfbigo32.exe	Mohpjejf.exe
File opened for modification	C:\Windows\SysWOW64\Mffbbomn.exe	Mpjijhof.exe
File created	C:\Windows\SysWOW64\Npgohg32.dll	Obphcm32.exe
File opened for modification	C:\Windows\SysWOW64\Bifbjqcg.exe	Bpnnakmf.exe
File created	C:\Windows\SysWOW64\Omaffope.dll	Banjkndi.exe
File created	C:\Windows\SysWOW64\Dmpjlm32.exe	Dkanob32.exe
File created	C:\Windows\SysWOW64\Gkbhpocn.dll	Ojnfei32.exe
File opened for modification	C:\Windows\SysWOW64\Qbekejqe.exe	Qpgoinaa.exe
File created	C:\Windows\SysWOW64\Bbjmggnm.exe	Bjohcdab.exe
File created	C:\Windows\SysWOW64\Fmekjmdl.dll	Bffihe32.exe
File created	C:\Windows\SysWOW64\Dnfcmqed.dll	Khmogmal.exe
File created	C:\Windows\SysWOW64\Mogiim32.dll	Mohpjejf.exe
File opened for modification	C:\Windows\SysWOW64\Nbblbo32.exe	Nqqpjgio.exe
File created	C:\Windows\SysWOW64\Obbeimaj.exe	Omemqfbc.exe
File created	C:\Windows\SysWOW64\Cbofbf32.exe	Banjkndi.exe
File opened for modification	C:\Windows\SysWOW64\Ckfocc32.exe	Cbofbf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5536	5448	WerFault.exe	203

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqclpfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpnnakmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kldblmmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kacgjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbblbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmhhplb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omemqfbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijjgdlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpofhiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40224cddbffc248f471211c0958cb95a06c4498c7088edeeaa688c4760de02d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojnfei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amdbiahp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abajahfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojecok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidlmcdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhbbegj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljiklonb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cadpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmedbeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaonodme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khmogmal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcpphib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpndmlm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koggcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omjfle32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjdqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmikdq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckfocc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjjlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmkaqnde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmpjlm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dghodc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kafcpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmljjgkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohpjejf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qafkca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgoalkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefika32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcgghde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckkhocgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kihbeald.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opfebqpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbpajk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhmggcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdeimhkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhioblgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojmpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmopgdjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpgoinaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkanob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loeceeli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjijhof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjdkhmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obphcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnajk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amaeca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfapmfkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffbbomn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjohcdab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjkndi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kojdig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqnceg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqhfkf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kldblmmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khpllmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldfolkf.dll"	Kahpebej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmjmeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omjfle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljiklonb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opfebqpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pihmae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mefcin32.dll"	Bpnnakmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbepfcn.dll"	Bifbjqcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagmamlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbjmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Loeceeli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mohpjejf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhbnjij.dll"	Mffbbomn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkjjl32.dll"	Mqnceg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqjbqe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocmhhplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aiaphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmekjmdl.dll"	Bffihe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfjoh32.dll"	Cabcfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnfib32.dll"	Moofkddo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cooepb32.dll"	Pbndekfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aiaphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpofhiod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kldblmmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcchndln.dll"	Kldblmmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfbigo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekcocg32.dll"	Nqjbqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojecok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbblbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omemqfbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obbeimaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgnlcdn.dll"	Bbjmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmpjlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcgfjiai.dll"	Lplmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjpiapan.dll"	Nmjmeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lefika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcabfdic.dll"	Pijjgdlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffihe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Banjkndi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adiqjlcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amdbiahp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbofbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaonodme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffdnh32.dll"	Kaonodme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddleaoo.dll"	Mjdkhmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdepfjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcaped32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpjijhof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfnmc32.dll"	Aiaphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckkhocgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpljbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koggcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgeclkie.dll"	Ckkhocgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igdnkeof.dll"	Cadpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagmamlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfdemopq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqlofeoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pejddedj.dll"	Qpgoinaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgolnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klgoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjdkhmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qiocbd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3108	2664	40224cddbffc248f471211c0958cb95a06c4498c7088edeeaa688c4760de02d4.exe	82
PID 2664 wrote to memory of 3108	2664	40224cddbffc248f471211c0958cb95a06c4498c7088edeeaa688c4760de02d4.exe	82
PID 2664 wrote to memory of 3108	2664	40224cddbffc248f471211c0958cb95a06c4498c7088edeeaa688c4760de02d4.exe	82
PID 3108 wrote to memory of 3164	3108	Jlbefm32.exe	83
PID 3108 wrote to memory of 3164	3108	Jlbefm32.exe	83
PID 3108 wrote to memory of 3164	3108	Jlbefm32.exe	83
PID 3164 wrote to memory of 3336	3164	Kaonodme.exe	84
PID 3164 wrote to memory of 3336	3164	Kaonodme.exe	84
PID 3164 wrote to memory of 3336	3164	Kaonodme.exe	84
PID 3336 wrote to memory of 3280	3336	Kifepang.exe	85
PID 3336 wrote to memory of 3280	3336	Kifepang.exe	85
PID 3336 wrote to memory of 3280	3336	Kifepang.exe	85
PID 3280 wrote to memory of 2160	3280	Kldblmmk.exe	86
PID 3280 wrote to memory of 2160	3280	Kldblmmk.exe	86
PID 3280 wrote to memory of 2160	3280	Kldblmmk.exe	86
PID 2160 wrote to memory of 4012	2160	Kocnhhlo.exe	87
PID 2160 wrote to memory of 4012	2160	Kocnhhlo.exe	87
PID 2160 wrote to memory of 4012	2160	Kocnhhlo.exe	87
PID 4012 wrote to memory of 4336	4012	Kihbeald.exe	88
PID 4012 wrote to memory of 4336	4012	Kihbeald.exe	88
PID 4012 wrote to memory of 4336	4012	Kihbeald.exe	88
PID 4336 wrote to memory of 2840	4336	Klgoalkh.exe	89
PID 4336 wrote to memory of 2840	4336	Klgoalkh.exe	89
PID 4336 wrote to memory of 2840	4336	Klgoalkh.exe	89
PID 2840 wrote to memory of 1392	2840	Kacgjc32.exe	90
PID 2840 wrote to memory of 1392	2840	Kacgjc32.exe	90
PID 2840 wrote to memory of 1392	2840	Kacgjc32.exe	90
PID 1392 wrote to memory of 3612	1392	Khmogmal.exe	91
PID 1392 wrote to memory of 3612	1392	Khmogmal.exe	91
PID 1392 wrote to memory of 3612	1392	Khmogmal.exe	91
PID 3612 wrote to memory of 2848	3612	Koggcg32.exe	92
PID 3612 wrote to memory of 2848	3612	Koggcg32.exe	92
PID 3612 wrote to memory of 2848	3612	Koggcg32.exe	92
PID 2848 wrote to memory of 2352	2848	Kafcpc32.exe	93
PID 2848 wrote to memory of 2352	2848	Kafcpc32.exe	93
PID 2848 wrote to memory of 2352	2848	Kafcpc32.exe	93
PID 2352 wrote to memory of 2596	2352	Khpllmoj.exe	94
PID 2352 wrote to memory of 2596	2352	Khpllmoj.exe	94
PID 2352 wrote to memory of 2596	2352	Khpllmoj.exe	94
PID 2596 wrote to memory of 3084	2596	Kojdig32.exe	95
PID 2596 wrote to memory of 3084	2596	Kojdig32.exe	95
PID 2596 wrote to memory of 3084	2596	Kojdig32.exe	95
PID 3084 wrote to memory of 3316	3084	Kahpebej.exe	96
PID 3084 wrote to memory of 3316	3084	Kahpebej.exe	96
PID 3084 wrote to memory of 3316	3084	Kahpebej.exe	96
PID 3316 wrote to memory of 5012	3316	Khbibm32.exe	97
PID 3316 wrote to memory of 5012	3316	Khbibm32.exe	97
PID 3316 wrote to memory of 5012	3316	Khbibm32.exe	97
PID 5012 wrote to memory of 3528	5012	Lolaogdd.exe	98
PID 5012 wrote to memory of 3528	5012	Lolaogdd.exe	98
PID 5012 wrote to memory of 3528	5012	Lolaogdd.exe	98
PID 3528 wrote to memory of 3952	3528	Lefika32.exe	99
PID 3528 wrote to memory of 3952	3528	Lefika32.exe	99
PID 3528 wrote to memory of 3952	3528	Lefika32.exe	99
PID 3952 wrote to memory of 2412	3952	Lplmhj32.exe	100
PID 3952 wrote to memory of 2412	3952	Lplmhj32.exe	100
PID 3952 wrote to memory of 2412	3952	Lplmhj32.exe	100
PID 2412 wrote to memory of 4436	2412	Lpnjniid.exe	101
PID 2412 wrote to memory of 4436	2412	Lpnjniid.exe	101
PID 2412 wrote to memory of 4436	2412	Lpnjniid.exe	101
PID 4436 wrote to memory of 5060	4436	Lhioblgo.exe	102
PID 4436 wrote to memory of 5060	4436	Lhioblgo.exe	102
PID 4436 wrote to memory of 5060	4436	Lhioblgo.exe	102
PID 5060 wrote to memory of 4856	5060	Lcocpdfe.exe	103

C:\Users\Admin\AppData\Local\Temp\40224cddbffc248f471211c0958cb95a06c4498c7088edeeaa688c4760de02d4.exe
"C:\Users\Admin\AppData\Local\Temp\40224cddbffc248f471211c0958cb95a06c4498c7088edeeaa688c4760de02d4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\Jlbefm32.exe
  C:\Windows\system32\Jlbefm32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\Kaonodme.exe
    C:\Windows\system32\Kaonodme.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\SysWOW64\Kifepang.exe
      C:\Windows\system32\Kifepang.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Windows\SysWOW64\Kldblmmk.exe
        
        C:\Windows\system32\Kldblmmk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Windows\SysWOW64\Kocnhhlo.exe
        
        C:\Windows\system32\Kocnhhlo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Kihbeald.exe
        
        C:\Windows\system32\Kihbeald.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Klgoalkh.exe
        
        C:\Windows\system32\Klgoalkh.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Kacgjc32.exe
        
        C:\Windows\system32\Kacgjc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Khmogmal.exe
        
        C:\Windows\system32\Khmogmal.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Koggcg32.exe
        
        C:\Windows\system32\Koggcg32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Kafcpc32.exe
        
        C:\Windows\system32\Kafcpc32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Khpllmoj.exe
        
        C:\Windows\system32\Khpllmoj.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Kojdig32.exe
        
        C:\Windows\system32\Kojdig32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Kahpebej.exe
        
        C:\Windows\system32\Kahpebej.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Khbibm32.exe
        
        C:\Windows\system32\Khbibm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Lolaogdd.exe
        
        C:\Windows\system32\Lolaogdd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Lefika32.exe
        
        C:\Windows\system32\Lefika32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Lplmhj32.exe
        
        C:\Windows\system32\Lplmhj32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Lpnjniid.exe
        
        C:\Windows\system32\Lpnjniid.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Lhioblgo.exe
        
        C:\Windows\system32\Lhioblgo.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Lcocpdfe.exe
        
        C:\Windows\system32\Lcocpdfe.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ljiklonb.exe
        
        C:\Windows\system32\Ljiklonb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Loeceeli.exe
        
        C:\Windows\system32\Loeceeli.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Lcaped32.exe
        
        C:\Windows\system32\Lcaped32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Llidnjkc.exe
        
        C:\Windows\system32\Llidnjkc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Mohpjejf.exe
        
        C:\Windows\system32\Mohpjejf.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Mfbigo32.exe
        
        C:\Windows\system32\Mfbigo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Mpgmdhai.exe
        
        C:\Windows\system32\Mpgmdhai.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\Mojmpe32.exe
        
        C:\Windows\system32\Mojmpe32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\Mbhilp32.exe
        
        C:\Windows\system32\Mbhilp32.exe
        31⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Mfdemopq.exe
        
        C:\Windows\system32\Mfdemopq.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Mpjijhof.exe
        
        C:\Windows\system32\Mpjijhof.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Mffbbomn.exe
        
        C:\Windows\system32\Mffbbomn.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Moofkddo.exe
        
        C:\Windows\system32\Moofkddo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Mjdkhmcd.exe
        
        C:\Windows\system32\Mjdkhmcd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Mqnceg32.exe
        
        C:\Windows\system32\Mqnceg32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Nqqpjgio.exe
        
        C:\Windows\system32\Nqqpjgio.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Nbblbo32.exe
        
        C:\Windows\system32\Nbblbo32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Nqclpfgl.exe
        
        C:\Windows\system32\Nqclpfgl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Nmjmeg32.exe
        
        C:\Windows\system32\Nmjmeg32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Nmljjgkm.exe
        
        C:\Windows\system32\Nmljjgkm.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\Nqhfkf32.exe
        
        C:\Windows\system32\Nqhfkf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Nqjbqe32.exe
        
        C:\Windows\system32\Nqjbqe32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Nchomqph.exe
        
        C:\Windows\system32\Nchomqph.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\Nfgkilok.exe
        
        C:\Windows\system32\Nfgkilok.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Oqlofeoa.exe
        
        C:\Windows\system32\Oqlofeoa.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Ofiholmi.exe
        
        C:\Windows\system32\Ofiholmi.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\Ojecok32.exe
        
        C:\Windows\system32\Ojecok32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Ocmhhplb.exe
        
        C:\Windows\system32\Ocmhhplb.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Obphcm32.exe
        
        C:\Windows\system32\Obphcm32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Omemqfbc.exe
        
        C:\Windows\system32\Omemqfbc.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Obbeimaj.exe
        
        C:\Windows\system32\Obbeimaj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Ofnajk32.exe
        
        C:\Windows\system32\Ofnajk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Opfebqpd.exe
        
        C:\Windows\system32\Opfebqpd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Oiojkffd.exe
        
        C:\Windows\system32\Oiojkffd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Omjfle32.exe
        
        C:\Windows\system32\Omjfle32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ocdnhofj.exe
        
        C:\Windows\system32\Ocdnhofj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Ojnfei32.exe
        
        C:\Windows\system32\Ojnfei32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\Ppkonp32.exe
        
        C:\Windows\system32\Ppkonp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Pbikjl32.exe
        
        C:\Windows\system32\Pbikjl32.exe
        61⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Pmopgdjh.exe
        
        C:\Windows\system32\Pmopgdjh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Ppmlcpil.exe
        
        C:\Windows\system32\Ppmlcpil.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\Pjcpphib.exe
        
        C:\Windows\system32\Pjcpphib.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Pmalldhe.exe
        
        C:\Windows\system32\Pmalldhe.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Pbndekfm.exe
        
        C:\Windows\system32\Pbndekfm.exe
        66⤵
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Pihmae32.exe
        
        C:\Windows\system32\Pihmae32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Pbpajk32.exe
        
        C:\Windows\system32\Pbpajk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Pijjgdlg.exe
        
        C:\Windows\system32\Pijjgdlg.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Pcpndmlm.exe
        
        C:\Windows\system32\Pcpndmlm.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Qimfmdjd.exe
        
        C:\Windows\system32\Qimfmdjd.exe
        71⤵
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Qpgoinaa.exe
        
        C:\Windows\system32\Qpgoinaa.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Qbekejqe.exe
        
        C:\Windows\system32\Qbekejqe.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Qiocbd32.exe
        
        C:\Windows\system32\Qiocbd32.exe
        74⤵
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Qafkca32.exe
        
        C:\Windows\system32\Qafkca32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\SysWOW64\Ajoplgod.exe
        
        C:\Windows\system32\Ajoplgod.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Aiaphc32.exe
        
        C:\Windows\system32\Aiaphc32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Abjdqi32.exe
        
        C:\Windows\system32\Abjdqi32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\Afepahei.exe
        
        C:\Windows\system32\Afepahei.exe
        79⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Aidlmcdl.exe
        
        C:\Windows\system32\Aidlmcdl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Adiqjlcb.exe
        
        C:\Windows\system32\Adiqjlcb.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Afhmggcf.exe
        
        C:\Windows\system32\Afhmggcf.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Amaeca32.exe
        
        C:\Windows\system32\Amaeca32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Afjjlg32.exe
        
        C:\Windows\system32\Afjjlg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Aihfhb32.exe
        
        C:\Windows\system32\Aihfhb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3424
        
        C:\Windows\SysWOW64\Amdbiahp.exe
        
        C:\Windows\system32\Amdbiahp.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Abajahfg.exe
        
        C:\Windows\system32\Abajahfg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Ajhbbegj.exe
        
        C:\Windows\system32\Ajhbbegj.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Abcgghde.exe
        
        C:\Windows\system32\Abcgghde.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\Bmikdq32.exe
        
        C:\Windows\system32\Bmikdq32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Bfapmfkk.exe
        
        C:\Windows\system32\Bfapmfkk.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Bdepfjie.exe
        
        C:\Windows\system32\Bdepfjie.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Bjohcdab.exe
        
        C:\Windows\system32\Bjohcdab.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Bbjmggnm.exe
        
        C:\Windows\system32\Bbjmggnm.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Bffihe32.exe
        
        C:\Windows\system32\Bffihe32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Bpnnakmf.exe
        
        C:\Windows\system32\Bpnnakmf.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Bifbjqcg.exe
        
        C:\Windows\system32\Bifbjqcg.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Banjkndi.exe
        
        C:\Windows\system32\Banjkndi.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Cbofbf32.exe
        
        C:\Windows\system32\Cbofbf32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Ckfocc32.exe
        
        C:\Windows\system32\Ckfocc32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\Cpcglj32.exe
        
        C:\Windows\system32\Cpcglj32.exe
        101⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Cgmoidqn.exe
        
        C:\Windows\system32\Cgmoidqn.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2996
        
        C:\Windows\SysWOW64\Cmggeohk.exe
        
        C:\Windows\system32\Cmggeohk.exe
        103⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\Cabcfm32.exe
        
        C:\Windows\system32\Cabcfm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Cgolnd32.exe
        
        C:\Windows\system32\Cgolnd32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Ckkhocgd.exe
        
        C:\Windows\system32\Ckkhocgd.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Cadpkm32.exe
        
        C:\Windows\system32\Cadpkm32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Ccfmcedp.exe
        
        C:\Windows\system32\Ccfmcedp.exe
        108⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\Ckmedbeb.exe
        
        C:\Windows\system32\Ckmedbeb.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Cmkaqnde.exe
        
        C:\Windows\system32\Cmkaqnde.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Cagmamlo.exe
        
        C:\Windows\system32\Cagmamlo.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Cdeimhkb.exe
        
        C:\Windows\system32\Cdeimhkb.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Cmnnfn32.exe
        
        C:\Windows\system32\Cmnnfn32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Cpljbi32.exe
        
        C:\Windows\system32\Cpljbi32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Dkanob32.exe
        
        C:\Windows\system32\Dkanob32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Dmpjlm32.exe
        
        C:\Windows\system32\Dmpjlm32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Dpofhiod.exe
        
        C:\Windows\system32\Dpofhiod.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Dghodc32.exe
        
        C:\Windows\system32\Dghodc32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Dnbgamnm.exe
        
        C:\Windows\system32\Dnbgamnm.exe
        119⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 412
        120⤵
        Program crash
        
        PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5448 -ip 5448
1⤵
PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bifbjqcg.exe

Filesize
96KB

MD5
7039941d35a4bd839efb7b4a78599c2a

SHA1
0688ce98fcb51f24ef45cb3168e495df39374b3e

SHA256
ae6b880053deeb1c2e98b305d24bc0a9185606ab5cf49026791737ee7316e776

SHA512
03ad4a501da712b086cfa81ca57297bf74aba50f4fc8f3c82f5f7b9dca03cd2d1b762766a8df942778ca4ad99f0c3c766b2768f315262c75aa5a3ca07a40befe

Download Submit
C:\Windows\SysWOW64\Ccfmcedp.exe

Filesize
96KB

MD5
27d5569543a015f814ce5bae8b8eb76f

SHA1
4204bad303796dc4c43148e478d243af5526aeb0

SHA256
ad310bbf393f1dc61e35f14c8889919f96669c91f9eca5b134398197c4b0ec61

SHA512
a32c8982dad2dfb7e5fbf0be961992cc784984479c7e57b104537b1e8d08a24e29d3bc71dca19a04ef3a8fe44b8083766a62c3f7dfdb646dae6d540471f86a75

Download Submit
C:\Windows\SysWOW64\Cmggeohk.exe

Filesize
96KB

MD5
7a552164d1555f4d566fd342f925dd7b

SHA1
c2e444cec5023b6f6d39d6b8096df4beefd778f4

SHA256
59c92ec57210772511815ad3365df0037ce1beee7fb723d240305c6202953f6a

SHA512
0dd82a984cf10ce92f85c84701c94cd1796113fca18a99a5f6b79896c57e6958a13765dcb91b926c32b4b004a96d891bffb7510e2ffc7d106974a8b732142b11

Download Submit
C:\Windows\SysWOW64\Dghodc32.exe

Filesize
96KB

MD5
9038dec400883d84ff1c8c2fc6ef4584

SHA1
b678757d5cc6f19ad8b8a4ed1b390728455b3249

SHA256
77634cf9362a7bcbf8a87ea300d44a6cfb7d07a514390217079dbfc93c860c3d

SHA512
321c7ab4810c627226cbc8e9e2d3c3cab9c80dcfadea2d4fea403fb6f1ab63e19d4d74a22ddceb8a14b6dd37f8872a94dcc2a455eb93441a7a22df49d50dd0da

Download Submit
C:\Windows\SysWOW64\Dkanob32.exe

Filesize
96KB

MD5
ba4854e651c8c2f0f1e17c23deb10364

SHA1
031e27fad2ba51b540ccafcd0e9d60b0345d788d

SHA256
f3592422eb7922fd770ccdf0340b07467911480f8ccac1da878c9cb804b3b944

SHA512
636ff18a202d513c0ca354bd422de0df53fbd31fd403a3bac1f77a6904002d88d14c10a48ec69764c26d30b0a5e12d2650e33df0fedf63a6bc04849a0acf42b6

Download Submit
C:\Windows\SysWOW64\Fcchndln.dll

Filesize
7KB

MD5
e2cf7ff269e353845accb1f3da7c5240

SHA1
e937b645b66e72690ff05a97742f9e34b4ca3094

SHA256
0fe378834f1bdbf025bafcf34d816a25e6ef493c395d294cb060755daeb1d78e

SHA512
33caea96cd8c2116913fa88e2d41703282b0ff10cda0c78260fb95766e0d41fce23c7cb37f4cb27fcaa49f15f576e709d0249d201b7181a76347d2d445ec3cfc

Download Submit
C:\Windows\SysWOW64\Jlbefm32.exe

Filesize
96KB

MD5
9da2e4e1711efd90391de21970a04467

SHA1
dc1967e1c1b38e3b6ae98b77b7514be16cba64b8

SHA256
3a5e619bdea98269d774f7ef26b61443aff5ac200938f0c88d2c4f732f2a1133

SHA512
e30acc001c05e3a3b9984a71c8a696787799cbb1369025a693fe46027d7870075816a90574bbc3d45ad3a20f030161f434a9959834e56fe4922d504f729f8d59

Download Submit
C:\Windows\SysWOW64\Kacgjc32.exe

Filesize
96KB

MD5
9a7c598d8a0dc806dd2ef786a671d340

SHA1
2bc22cd661a7e2dc79e444024f3024287e625119

SHA256
2f0ccbf1d6d2d8de629a94ba7ea6253f9b049d12e4b98f29ce835e0aee120423

SHA512
8913527ff34787d07d69c354c31a05324488f2e01386a2bbd4f8d951908fb531a37a090fcd184da1b6c5553fd3a74a9166f3e764f1bec177cc3bc58975d82c9f

Download Submit
C:\Windows\SysWOW64\Kafcpc32.exe

Filesize
96KB

MD5
e1a5436a4c1ac92a4b7ed700c53142ec

SHA1
9c857c3f78270dc0e1ac62175496e4212ea0c4ba

SHA256
04bac5d7f92693f5891876beedd8f3acc9be1f320c31102fdc84106bd9db51ad

SHA512
f4d37a2f55a6beeb2454f84a384f9511535052b6c51ec827952024f0294e38b0259ff74ea250b9be3754e9d87066b53acd0e6e16eac27e908fe7c4f236664ca9

Download Submit
C:\Windows\SysWOW64\Kahpebej.exe

Filesize
96KB

MD5
4428eaf8a1e027883f870991399d8581

SHA1
7d5b2ba57c0812f758c89cbc7817724896364372

SHA256
b76421e9d26d15931f33b5bebd643a597ce2cf877a1c0a520d7bc710dfd458b8

SHA512
2e6ba9a82ca4246b4a2367a007d9bd0579adcdf8eb8e424fbea4ea26b106996a09ad2ac1b6ca661c79e74c6c6eceda69841f64b9cebe8602a254c0a5a536c3c0

Download Submit
C:\Windows\SysWOW64\Kaonodme.exe

Filesize
96KB

MD5
0304d568a30d1aad53c71f743f1eb594

SHA1
05a2a65bb1e835cf180c6364b87c3285ccd483a9

SHA256
163dc304d097604e577e6f15d282eed822ce21df9e1ff0f24f80fc3c5184413c

SHA512
5efa3bd796645bcd460e7a592cca33f2e34b1ea8d3f117190b6a82ac70c23dc192ca8506a149c3d7968281cbf095cc27c518ac702c72dca253d25dd5835a2c42

Download Submit
C:\Windows\SysWOW64\Khbibm32.exe

Filesize
96KB

MD5
80dc381739ad09ccace6a00ae7d2bbf0

SHA1
95b09d716d71be86fa78f764da8f87371bd6bf54

SHA256
71257b5a9e05b86e5c19708fc3b7fd9fae5710ee38572eaf99581543d9cd8d2e

SHA512
a5570057c4bf445bb90e2b419a40d298d11a26ff0fc5d04e6f66b6c901b5dfb08589a179885809ccd2268469f40191b323031fee134cb95f6beab849590840f6

Download Submit
C:\Windows\SysWOW64\Khmogmal.exe

Filesize
96KB

MD5
86c60da2dfa714d4ad3638d87e2e6eea

SHA1
cc29744ee2fd9d9e6f19cf7fb4e0b6d1a4af8d6d

SHA256
58cf65f76651d5aeb2248ca6f077a6c1e1a5cb39f5c078463e12fba194cdd181

SHA512
01ad96ac1876df16835cdb3b71c1380fc867dfe4b7b16ad3197d893e659f9939db0cd57a2f0662464c30b6c76d6bd64bf0c6ffdb61bbef911a60ac64c1771ef3

Download Submit
C:\Windows\SysWOW64\Khpllmoj.exe

Filesize
96KB

MD5
622f815c4d8af0c30c91b4f64495a5c0

SHA1
3929fdbc4927f90fc28116d661bd31bfa8d407e3

SHA256
80d13042b6ca66d3d93017d155755cd5696a644e976c61679b688ed0c3e1eefa

SHA512
6da84ca5ffd2393a156b030eadee6c73f49e8f524ccae1a89da89ac9a2cecf9331888eab43af1d287631f61a77315b730bf79ed8001269df3a54727cf530dfb8

Download Submit
C:\Windows\SysWOW64\Kifepang.exe

Filesize
96KB

MD5
6b2e9ee8ef849b33faf09083e7941cb3

SHA1
de66e0273570a3159d244cd2f033f8e5a5d8f80a

SHA256
9bc1e582f2d04fb7f66f7583b9aada64ce35635e82781da6008058e3e018c8eb

SHA512
e896f5e5c6d322b2317b9f491a114ea665b3ac60a1b715a5e8394bd69724bd0ab1d64af8c839266a49126c0d8ba0d52292f61b04eb032aea80d4737da00c7b19

Download Submit
C:\Windows\SysWOW64\Kihbeald.exe

Filesize
96KB

MD5
e4753a5fb0daf5a7915a8ea03b614c63

SHA1
a903e3236e7cfe7cec43d81aeebbec27e2140a00

SHA256
0a5d8702f7b6b87af1e40a87e826dec9d971d9aeb3985789161d5489bb4d2149

SHA512
c993229a9525f49b14b5c2fd2e724d87a333ee980849e2f2aba5f497775b570e6a31eb1a612c54293f29d5988a90eda4d5aca6b25f7fb8a6cfdbb50861d902b1

Download Submit
C:\Windows\SysWOW64\Kldblmmk.exe

Filesize
96KB

MD5
8aec65a9419cf9bb1a50ebe97b810d5d

SHA1
1c34105721b52f9c9158d0fbd197bc2c9bab2132

SHA256
51027c3253a3ba9e956b57ecb6c73237188892fb631df80978024c0a378ac48b

SHA512
966288c84f6da41052a33dd8eee36debb544e32b38bdc1efc901ba3c1092d0c4e11721e3b76db81cd9dae17b6fc34abbfaadafeca4047c4c062590d7dd0f165b

Download Submit
C:\Windows\SysWOW64\Klgoalkh.exe

Filesize
96KB

MD5
8096582c6316eb4b73739c365b325efa

SHA1
4beabb22011e8f6aacfac7f411bd0719eff1b9c3

SHA256
435a903b7963af0c4ca64fe1ed17c499d59e27c246e05f088278180ab4289376

SHA512
ba61808349737ecfc3fe6fc7ee9c0f6f56bd74059a7cbefbe5bf5887266034200f4ecfdc36fcf3bad8b59d33ac98a4da2ccbae36e7711709094226f3b2e8a04d

Download Submit
C:\Windows\SysWOW64\Kocnhhlo.exe

Filesize
96KB

MD5
cd94601fcd03157c91e49e4ee5eeac7e

SHA1
d534a426b5fea5d9cde3839b62f2726217f72504

SHA256
4f2a988c6d4d1a7fe39e92957766577740c7b27b9a10ab9f0a1e7393ca88a532

SHA512
29823f47d0647d346c570dabcf961196bfc5dcca9fdc6de0d84faca4f311336da8a9d6847d97758dfcc6e926014ec63498b1a77f6e404cec45d9ff7f77968449

Download Submit
C:\Windows\SysWOW64\Koggcg32.exe

Filesize
96KB

MD5
454a083915454855a8c1b14ccfdff8d7

SHA1
7b226ae5a51ea42b274a1de00021ec7de492c439

SHA256
f08af26f091b15a794a170a7390492df0d64a37858dcf0a81bc3a81cea8a5eca

SHA512
566d61c5950036de7b6cb9aea79053a78fe602cd1dca908042a7bcef248fb4e11bc67580558b77f81c3aecbb1eb0d71dd17a24c6b3f7b474375f0b45c819470f

Download Submit
C:\Windows\SysWOW64\Kojdig32.exe

Filesize
96KB

MD5
8da8b1939cfa0fa0a3e25d80cdf7d292

SHA1
48c2317e912e5d2043ecea5c59904465be188b1d

SHA256
d53a2baeb0666fb9fcd6d3eb9b0e4d3b8b98ea2ca9638ffdc666444d8be115b2

SHA512
8dcf367abb7972c4b67b42b093a368a6eaccdafcf73a26b6532009377951ac006d9e9e6f911ae1b5d2007a2ee69e24c14b1ee6898d55fac134e1c9af5f2998b3

Download Submit
C:\Windows\SysWOW64\Lcaped32.exe

Filesize
96KB

MD5
711c1fc78210e011cc897462be5b294b

SHA1
817755e79b9069c7324d79840589a66f2faf33be

SHA256
37099d9264960466bf4e960b5d1f2277650a263cee43ee1daf1eeb0e0bf5010f

SHA512
5d5696fd41dec87ad7226e456982e4a33ef21191cc32e72cadc9544aefc621ca9ea74b80f67e58787a6ddf213d07056958e599eb3ed0519b02e8a0371c30d3d0

Download Submit
C:\Windows\SysWOW64\Lcocpdfe.exe

Filesize
96KB

MD5
d131a71f28ac7a5bad690bd3e8048a29

SHA1
184ab06d648626c64693626e4b16332074d850a6

SHA256
b882a13fb8add4eb418b6e116095c289df1a27e7ddf286911fad9fbba7420b87

SHA512
da7949b9f234b424b67d71beb172b2bb3c05d351b7e3a8787f7c201d5d6006aea85223cfca52dac5d247259b8264ca455234442835c816f674fc5ec588aa080d

Download Submit
C:\Windows\SysWOW64\Lefika32.exe

Filesize
96KB

MD5
b0aa517aa4f593168a8246cf59d14156

SHA1
325fa936dc3989b6d5d72c0d5a2e15d3497064b9

SHA256
984bf9d70a1488e1ce64a1ed308bea0ee33a5bc22782e4d9f973bd15c7a2a971

SHA512
733f9914639d46b2a5ddfa74038271f66e052b17cc120654560b0060c9d376c0b76143123e7c9efc61612133b4364b2c3525ed20cb686cf416c7f871bd71cd08

Download Submit
C:\Windows\SysWOW64\Lhioblgo.exe

Filesize
96KB

MD5
7407186d1710e68119ba139465923ef1

SHA1
4e10cb4054419ac078e85be65ee6fb844b048f72

SHA256
6f5941fd46906ee4d8ecb3902c668f58ff415fd3c608b927d7fb625a86e99d43

SHA512
12979d4fe1626e0b5a0fe83fd181a2711e8f809266f13b4aa1aa572f88485cac3b524251475694cb5991ea291d3ffe8681d00879bc89f40fc3695eaba9faf438

Download Submit
C:\Windows\SysWOW64\Ljiklonb.exe

Filesize
96KB

MD5
a7ae0f9342bca6b41a4b27490be46ba8

SHA1
798470cbacea953a8cb72749c589af920e8b685b

SHA256
d24b0af50a0f4da6c65f7d8fc49112990682bb70f08d78f3584fb983260876f4

SHA512
36bdd10e1dab87ef3549c6245066e6b63f8d714d2cef62baada067d1effa338362cc90377e8ff36c32031c4406551074ff843754a009e2aa27d7dba4bb719ab3

Download Submit
C:\Windows\SysWOW64\Llidnjkc.exe

Filesize
96KB

MD5
7155d958c9f060f2ac9a4456d7b4380e

SHA1
6fdf454aef8d22fea6082c74b98d55082eee6d59

SHA256
a2de6e516c78d4cac1652426c400b44e0d65cadc077d036e60968e90ac519457

SHA512
a72fb6a3640f545ef331cbfc743bf8fe057087a127c4dfddd3c893490e2b303995c34e3a4bf1bfda6ee61182bb1d011aa5d9061be2a9145269803c1daa09c1ae

Download Submit
C:\Windows\SysWOW64\Llidnjkc.exe

Filesize
96KB

MD5
50f3c3f275ce3d65859ce2669f1076ce

SHA1
392a82387ddf92b5e95406f168b7ef5c40d6d11e

SHA256
6983116f87b5ea0ea39edd2fb7201f325f8baab848b08bfc5f5045f5371ae805

SHA512
d58cd1b30f4955337ec7d39232c684928f02bd2727a4ef0581a2c2fca90504d4003c1f00dbeec4dabd8374d4e46041a2f34e71b166696fd535aa003750e36188

Download Submit
C:\Windows\SysWOW64\Loeceeli.exe

Filesize
96KB

MD5
6953aa574129710a1d41849764108209

SHA1
f9d75e6f948af8d2be08b4775462e5ea5c735195

SHA256
6bf89546fe85b8a659d51f6c6e85208ad7cccfcbf5c367e28d13609dcadbfed1

SHA512
833f1936ee2edbdbad161b521acb882906d49209e81ffb2eb0957c7b1e1cb6d39b0d05144ac3aae5ef84af890c8781975bab01a9fbf56bfdda38920f3e7a271a

Download Submit
C:\Windows\SysWOW64\Lolaogdd.exe

Filesize
96KB

MD5
bb0ccd4d314fe43a61309fa423655be2

SHA1
3aa8e0af90647e7bdc999bfdf0010bebb787d524

SHA256
0941ac36f987c114ee417267d471e41e98d7c447a34022c9bc378c0da0d8ca33

SHA512
a0f917cde77d92204eb4750821285ad6d310e9052be5ad1d7a0507baba7cdb9a8c297f2dc65774dce8db709400204ec402b3a8425f17560e8e315540f57a8678

Download Submit
C:\Windows\SysWOW64\Lplmhj32.exe

Filesize
96KB

MD5
b392dc5a8c3ad3b3a5f10274d06dc001

SHA1
ae0106837ce58951ce6edaab809040695387c5ad

SHA256
97953d80cb68bd0a828d16837b0f4ceb8b428918f8c5e6aeb0abb99e0e6771b1

SHA512
17f2d6b783e59e344638ca039d985348f302bed03bd5e63fc24ef6c6664ba066d821eb69988534bfee8f69856dd22fa96dd20aef92adba0f9d03885878a38b97

Download Submit
C:\Windows\SysWOW64\Lpnjniid.exe

Filesize
96KB

MD5
939ec81deb330269192b8a1e10863f31

SHA1
40a013a6c1cc5e62bec2a07007704d2ea536e115

SHA256
f7fb66d91416bd5a04d93a7435847288f8b0889f57f23d58e9f24f3d0c3324eb

SHA512
5c4c32228645d80b32b25b826d5ba03126c744c2b4588d761688ad47012edf60e7f673bcc3cd97ff7a187e8a936455e4db3b1f216c1b388b8fb974bee37e029f

Download Submit
C:\Windows\SysWOW64\Mbhilp32.exe

Filesize
96KB

MD5
3a4bbd23042137507d5e9214d4a5e784

SHA1
bbd97eab884c7374c60b3114b77a3ddd02210f7c

SHA256
f6ff2a245f4642765f2e9d760035cf3bad94cc19d7da336e8b3b69b68cc15331

SHA512
8e48ff69906b26bdfb2016338e22c3ceb84c86e3a2d3b3610154278eb6cf0fff0e0c3d0c7d3e4722ea74531b2f28e0048674eca730938de27168a76bd76fa1ae

Download Submit
C:\Windows\SysWOW64\Mfbigo32.exe

Filesize
96KB

MD5
d5938ec24f3c77a54418901db2dc1152

SHA1
4ba067af46a9669c5c8f986227be423293ef0dc2

SHA256
a5186c536c0ccdfd0db00817023ab9e62ef18685f8e795c4103c5de43ae2e079

SHA512
cb6430138b5e5b063354d6c164f0fd60b4d180aa04badbfb7cc32ecaca8565df4d26e30fe1b63cfb548b9f9d4e73bff42d511ff2116d367aaaac42f0f094d521

Download Submit
C:\Windows\SysWOW64\Mfdemopq.exe

Filesize
96KB

MD5
f65aff4089204a5d775a3cb117ed1b4c

SHA1
dbd469fa83af6c2a433b6c76b41502db7e5eca8b

SHA256
c3fba69ef35a6038e3b2c74e20b891ed4a4aa63ac562bf9b83bcbce68e77e67f

SHA512
598cc8baec0d771f77ff4ae103d278a2203c21ac4ada75b23c70b434f49a3353e5af9da51ec6e99cb4fea454578b6f703c376c60b81e29875bcc254035297b1d

Download Submit
C:\Windows\SysWOW64\Mohpjejf.exe

Filesize
96KB

MD5
0bb701c2446e7b5ff286e99d90bd1e34

SHA1
eb7b4d023b47e000b1c8be9073419ec97ffdce4c

SHA256
861f663e7522a93902ee6cc716f82900a797ef5e01983c32497d29f381370e15

SHA512
2948e5db0ac35192d4188f2326c2e4c7d76c59b0162357088c381a12b87c73e44e1a57afcd024d1f5264ec2de7c16efa714ac6e2da3e780309be63b06fdd2ff8

Download Submit
C:\Windows\SysWOW64\Mojmpe32.exe

Filesize
96KB

MD5
611fe5fa5db0a0c54605b4813263b18f

SHA1
46f226ab4e94035282371c4aade71bf090a65fe0

SHA256
a569001bf66eb3077cca9f56ae7bb8a485fc866320fc2d942d02d2c60589a7d9

SHA512
ad99458d721005c25fa03e5d8555c036fe1e3076084201d4d887a9b26f375ea087d2c1219d79e8081ce11d57a57c62f83d592afe1d38380dd2e0677e173c8c17

Download Submit
C:\Windows\SysWOW64\Mpgmdhai.exe

Filesize
96KB

MD5
6453152b68fce2a843818a7975d9dc38

SHA1
6b50c30fbce8e3001c2964fa008470694d838870

SHA256
333d764c339f97b46d9e0e0dc16b2e14a864154e2d7d9d93a9a25e28b80a9bb7

SHA512
e954c8edbc9d843bba45fadd47a3f3c8dbdd1bf96547fe574259fa8705c67933aa880a2f791778f0dbe493de0f0f607cf4d55baa38204463e574e7dd3fbe5874

Download Submit
C:\Windows\SysWOW64\Mpjijhof.exe

Filesize
96KB

MD5
bf019811221e3d07d4c80f832c046640

SHA1
82d5329a488a8727d49f3d3473fd6eaf70928453

SHA256
77ee47f4288a85cc76c02c088fc52d3ebb598095a0181cc78469d7fb3b8b2ed2

SHA512
a0e8e7f07eb3d699dc0e4641f298e63bc0cb8f34f75c85fb40b63053976cb655a17010247ce2ade88a55953fa594756192f9e99f117fc374f0d1600a2725bba0

Download Submit
C:\Windows\SysWOW64\Nmjmeg32.exe

Filesize
96KB

MD5
31a74e72a0fddff663872d775009edf0

SHA1
db65de9b1933893b210b4fb34c59f26c6a2b18fb

SHA256
c83d4f2aadc8acfb0b2753c2957214f5acc1273ba6199cae06870dc4dfbe5d2e

SHA512
01ff4ce7b03dbb941b72c18c7d2857d5dfdc42103943a2d71ea21f59fd7a47a00fbae9458de9538c8fd62af6468f1db0a7d76cb22988ebff6f20d6f71fec09a5

Download Submit
C:\Windows\SysWOW64\Nqjbqe32.exe

Filesize
96KB

MD5
d9c03ebcffffd4d47eaefb86c6e38ffb

SHA1
273941452ef06450eee5b8d9553e2ca47e241012

SHA256
e9bee9cd7cfcd4f8b3c39c577997d8b719f242d0b295d2377c4aff872324e46e

SHA512
b0568d000c5e1cfc5ad9f8497dcd6c9961594840a4dfb72c15831aa635b01d59200f3b2f021e06e652c31ca1222b917e97deb1a6d2b5bbf27bb0e05a33c3bbc4

Download Submit
C:\Windows\SysWOW64\Nqqpjgio.exe

Filesize
96KB

MD5
5adc407fd32cc02a048991228a0c362b

SHA1
d1a5ca44f4715932e364db5a544e778b984a1697

SHA256
153e786d625723ab5d76fe54f6ea591e341a0f0e06c5f083cebd51185222a969

SHA512
3a7744e834786274b54d99bf59ef2a97199ffbcfcea3522d304e04d29a35b279ba3a1a513ecacbdb2c9bc322d7de74447e3840059f4ac59ee88786fb6a598b4e

Download Submit
C:\Windows\SysWOW64\Ocmhhplb.exe

Filesize
96KB

MD5
5e11f5c361b7cfeccdee2b254fbe3d65

SHA1
ed548e6a8b95692084fa0be09973a4bc8eb4f05c

SHA256
d49bb14986698727e122dfe25be1c7e518458441f52c2bdf75670dcbc982b812

SHA512
aef53587d3040ba2036fb93fbfc43bafd644595211fbec06dc894826f6fb59b2b88f2b9d442b7add18e25436ec8160e4291bef58f977745656263ceafeaba7df

Download Submit
C:\Windows\SysWOW64\Opfebqpd.exe

Filesize
96KB

MD5
5935d43cfe9dda89da07ceab0415b849

SHA1
269277cfba6eebf3ba5d8b2de4d4128899763d45

SHA256
a27d088fad08cb3650f658a8fb4ea958da697159acee3745552acf149dc66ecf

SHA512
10d7ba9005ab0fdf6ee81314034953acde7523c83dc5af5384d1d40dbf6075c6e0035760d09969933d05e7130e148078c48a353f2d1ec1ab321ee41ef807166b

Download Submit
C:\Windows\SysWOW64\Oqlofeoa.exe

Filesize
96KB

MD5
53629c8da487d462d118f2ee6fde84f8

SHA1
7abd09572cc3e1556518cc45d867b2da93580ed6

SHA256
3adb7c43e3f8c15efeb7edd84c52be78a0d4110141d1691f782d4f2e0541e32a

SHA512
9b4d071b6792d76d3a8cb9b06669c857a78a155a997f536c284e7a1db839a796cd9b2cac002bdb810d2d02b341218ddaea91ec0cd5a7f636265097ca6bbdd9c4

Download Submit
C:\Windows\SysWOW64\Pcpndmlm.exe

Filesize
96KB

MD5
db9f06fc84704390691b3d6306b3b92e

SHA1
04ce52046315ca901d4608107b5e8eeb5033e7a9

SHA256
a00589388c721d564b0090898589de7aa386834f7a33610a76d126234617ac03

SHA512
cc74965fb2b53859b3c8115a35f181dc5ae20306e2cd73bfc537711d379deb8e5ec2697de780b13aaac27b4638ead799216c80f6af51a89070bc59fe4b71f343

Download Submit
C:\Windows\SysWOW64\Pjcpphib.exe

Filesize
96KB

MD5
e7fb4657b8ed051ea934edfd54fc1efe

SHA1
bf8dbef27aa4e4c139cedc54c0a76ad11f60a3a6

SHA256
1d35420149ed14f5c491eb2752b2e99d8bb23d3d6a06f8e4280ae774e89c75d1

SHA512
45130dbeca095fb2c5d7c11382f462f56b72d9f51cece9cd80f2f46e7f12441f9f70ba9068a64e21241fbfd08eb0fb39c6128634d9ab69ea0a0732ed48849749

Download Submit
C:\Windows\SysWOW64\Ppkonp32.exe

Filesize
96KB

MD5
2ec14c415d235c20fbb34cee19445f52

SHA1
f9f3385228c56b16854fa119c1d23af019cd49c3

SHA256
2156817ea726fbfa1aef597f98d0e5a83f8179ab79d7273a24ee4536dbc0506e

SHA512
75dd22fe382ecc4f84265f2a0215b9f0edc6f99640a9daffae8869ec1be35de930c12f7fed8af677d4d12b1d4dcbd73e29f6ae86b696ed7f4f47032fbefffdfc

Download Submit
C:\Windows\SysWOW64\Qbekejqe.exe

Filesize
96KB

MD5
4f2f7e52edbc5126f4a3eee74cc4569d

SHA1
9a2dba7456f73519c5633fba0909e8de1a719438

SHA256
55b5e23014b50f5b97110927d30a13e555e0c2817c01fa691315be9cc84acff7

SHA512
6ea450b8bc292465f23a8326fdd48b25f62433c4f0eba6390a45db8f330a129615d7561928a9961d15cbb7f90058d54823f438242f82e967dace108eec56414b

Download Submit
memory/220-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/224-591-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/324-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/840-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/936-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1012-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1176-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1208-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1224-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1376-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1392-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1436-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1500-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1744-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1836-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1880-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1896-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2044-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2384-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2412-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2564-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2596-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2844-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2848-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2964-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2984-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3084-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3108-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3108-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3164-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3164-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3176-555-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3276-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3280-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3280-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3304-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3316-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3324-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3336-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3336-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3364-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3404-500-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3424-573-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-570-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3508-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3528-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-530-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3612-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3628-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3840-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3904-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3912-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3952-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4012-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4012-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4040-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4112-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4192-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4292-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4336-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4336-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4356-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4380-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4384-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4480-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4528-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4548-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4624-594-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4652-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4724-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4744-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4760-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4808-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5012-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5036-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5060-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5104-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads