berbew | d5f8a21e856759667135c5168ec0e08f2f64e5ceaff0600dd1c1239553ab9b23

Analysis

max time kernel
93s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5f8a21e856759667135c5168ec0e08f2f64e5ceaff0600dd1c1239553ab9b23.exe
Size

89KB
MD5

abb294487e1bee45bbd23d5b72c8c297
SHA1

60a1c143c7ae531f9c7049d0e735239bea4933d8
SHA256

d5f8a21e856759667135c5168ec0e08f2f64e5ceaff0600dd1c1239553ab9b23
SHA512

bdb1cb3a12bdbe93755775c7e42ad85233ed1bc08bdc45d5254fe0c86a9a7c2793bf01480fa58fe126e045445834cf2517e7d53a95a384442fbb9e70ee2fd980
SSDEEP

1536:Pud8QpUyrPHdwL3NwBxzQz2ksuo8Oc/lExkg8F8:PaU0HdwLdwBtQzFyc/lakgw8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imoneg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipknlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hflcbngh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iemppiab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifgbnlmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4456	Helfik32.exe
4980	Hmcojh32.exe
2364	Hcmgfbhd.exe
548	Hflcbngh.exe
888	Hcpclbfa.exe
3896	Hmhhehlb.exe
3388	Hfqlnm32.exe
3868	Hkmefd32.exe
1620	Hbgmcnhf.exe
3248	Immapg32.exe
3668	Ipknlb32.exe
704	Iehfdi32.exe
1004	Imoneg32.exe
5088	Ifgbnlmj.exe
372	Iifokh32.exe
516	Imakkfdg.exe
1984	Ippggbck.exe
4892	Ickchq32.exe
2760	Ibnccmbo.exe
4268	Iemppiab.exe
1732	Imfdff32.exe
1072	Jfoiokfb.exe
2820	Jmhale32.exe
3608	Jfaedkdp.exe
1648	Jmknaell.exe
5008	Jcefno32.exe
1832	Jianff32.exe
2940	Jplfcpin.exe
1636	Jfeopj32.exe
64	Jlbgha32.exe
4968	Jblpek32.exe
2504	Jifhaenk.exe
1128	Jpppnp32.exe
836	Kboljk32.exe
2584	Kiidgeki.exe
4484	Klgqcqkl.exe
2236	Kdnidn32.exe
1760	Klimip32.exe
468	Kbceejpf.exe
2516	Kmijbcpl.exe
4592	Kpgfooop.exe
3148	Kbfbkj32.exe
4972	Kmkfhc32.exe
4648	Kbhoqj32.exe
5108	Kmncnb32.exe
1384	Kdgljmcd.exe
4444	Llcpoo32.exe
3820	Lfhdlh32.exe
3252	Ligqhc32.exe
1656	Lfkaag32.exe
2196	Liimncmf.exe
4660	Llgjjnlj.exe
3968	Lepncd32.exe
5100	Lljfpnjg.exe
4608	Lebkhc32.exe
4508	Lllcen32.exe
4016	Mipcob32.exe
2252	Mmlpoqpg.exe
3116	Mgddhf32.exe
3140	Megdccmb.exe
4156	Mmnldp32.exe
4876	Mdhdajea.exe
2104	Meiaib32.exe
1932	Mmpijp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdnidn32.exe	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ifgbnlmj.exe	Imoneg32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Anmcpemd.dll	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Lepncd32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Oendmdab.dll	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Hcmgfbhd.exe	Hmcojh32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ndqgbjkm.dll	Jblpek32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Imoneg32.exe	Iehfdi32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Jpppnp32.exe	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ocdfloja.dll	Kboljk32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Adecfl32.dll	Imoneg32.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Gjdlbifk.dll	Jplfcpin.exe
File opened for modification	C:\Windows\SysWOW64\Kboljk32.exe	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Pldhcm32.dll	Hbgmcnhf.exe
File opened for modification	C:\Windows\SysWOW64\Kbfbkj32.exe	Kpgfooop.exe
File opened for modification	C:\Windows\SysWOW64\Hbgmcnhf.exe	Hkmefd32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Ippohl32.dll	Jianff32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Ieakglmn.dll	Hfqlnm32.exe
File created	C:\Windows\SysWOW64\Kcdgbkil.dll	Liimncmf.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Llcpoo32.exe	Kdgljmcd.exe
File opened for modification	C:\Windows\SysWOW64\Ligqhc32.exe	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Jfeopj32.exe	Jplfcpin.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Imfdff32.exe	Iemppiab.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3548	5696	WerFault.exe	237

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5f8a21e856759667135c5168ec0e08f2f64e5ceaff0600dd1c1239553ab9b23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmcojh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfqlnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehfdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaedkdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmhhehlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipknlb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcmgfbhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmhale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imoneg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ickchq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfeopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbgmcnhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll"	Klimip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bncfnnbj.dll"	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmcpemd.dll"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ippggbck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhkcaln.dll"	d5f8a21e856759667135c5168ec0e08f2f64e5ceaff0600dd1c1239553ab9b23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipknlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieakglmn.dll"	Hfqlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pldhcm32.dll"	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 4456	628	d5f8a21e856759667135c5168ec0e08f2f64e5ceaff0600dd1c1239553ab9b23.exe	86
PID 628 wrote to memory of 4456	628	d5f8a21e856759667135c5168ec0e08f2f64e5ceaff0600dd1c1239553ab9b23.exe	86
PID 628 wrote to memory of 4456	628	d5f8a21e856759667135c5168ec0e08f2f64e5ceaff0600dd1c1239553ab9b23.exe	86
PID 4456 wrote to memory of 4980	4456	Helfik32.exe	87
PID 4456 wrote to memory of 4980	4456	Helfik32.exe	87
PID 4456 wrote to memory of 4980	4456	Helfik32.exe	87
PID 4980 wrote to memory of 2364	4980	Hmcojh32.exe	88
PID 4980 wrote to memory of 2364	4980	Hmcojh32.exe	88
PID 4980 wrote to memory of 2364	4980	Hmcojh32.exe	88
PID 2364 wrote to memory of 548	2364	Hcmgfbhd.exe	89
PID 2364 wrote to memory of 548	2364	Hcmgfbhd.exe	89
PID 2364 wrote to memory of 548	2364	Hcmgfbhd.exe	89
PID 548 wrote to memory of 888	548	Hflcbngh.exe	90
PID 548 wrote to memory of 888	548	Hflcbngh.exe	90
PID 548 wrote to memory of 888	548	Hflcbngh.exe	90
PID 888 wrote to memory of 3896	888	Hcpclbfa.exe	91
PID 888 wrote to memory of 3896	888	Hcpclbfa.exe	91
PID 888 wrote to memory of 3896	888	Hcpclbfa.exe	91
PID 3896 wrote to memory of 3388	3896	Hmhhehlb.exe	92
PID 3896 wrote to memory of 3388	3896	Hmhhehlb.exe	92
PID 3896 wrote to memory of 3388	3896	Hmhhehlb.exe	92
PID 3388 wrote to memory of 3868	3388	Hfqlnm32.exe	93
PID 3388 wrote to memory of 3868	3388	Hfqlnm32.exe	93
PID 3388 wrote to memory of 3868	3388	Hfqlnm32.exe	93
PID 3868 wrote to memory of 1620	3868	Hkmefd32.exe	94
PID 3868 wrote to memory of 1620	3868	Hkmefd32.exe	94
PID 3868 wrote to memory of 1620	3868	Hkmefd32.exe	94
PID 1620 wrote to memory of 3248	1620	Hbgmcnhf.exe	95
PID 1620 wrote to memory of 3248	1620	Hbgmcnhf.exe	95
PID 1620 wrote to memory of 3248	1620	Hbgmcnhf.exe	95
PID 3248 wrote to memory of 3668	3248	Immapg32.exe	96
PID 3248 wrote to memory of 3668	3248	Immapg32.exe	96
PID 3248 wrote to memory of 3668	3248	Immapg32.exe	96
PID 3668 wrote to memory of 704	3668	Ipknlb32.exe	97
PID 3668 wrote to memory of 704	3668	Ipknlb32.exe	97
PID 3668 wrote to memory of 704	3668	Ipknlb32.exe	97
PID 704 wrote to memory of 1004	704	Iehfdi32.exe	98
PID 704 wrote to memory of 1004	704	Iehfdi32.exe	98
PID 704 wrote to memory of 1004	704	Iehfdi32.exe	98
PID 1004 wrote to memory of 5088	1004	Imoneg32.exe	99
PID 1004 wrote to memory of 5088	1004	Imoneg32.exe	99
PID 1004 wrote to memory of 5088	1004	Imoneg32.exe	99
PID 5088 wrote to memory of 372	5088	Ifgbnlmj.exe	100
PID 5088 wrote to memory of 372	5088	Ifgbnlmj.exe	100
PID 5088 wrote to memory of 372	5088	Ifgbnlmj.exe	100
PID 372 wrote to memory of 516	372	Iifokh32.exe	101
PID 372 wrote to memory of 516	372	Iifokh32.exe	101
PID 372 wrote to memory of 516	372	Iifokh32.exe	101
PID 516 wrote to memory of 1984	516	Imakkfdg.exe	102
PID 516 wrote to memory of 1984	516	Imakkfdg.exe	102
PID 516 wrote to memory of 1984	516	Imakkfdg.exe	102
PID 1984 wrote to memory of 4892	1984	Ippggbck.exe	103
PID 1984 wrote to memory of 4892	1984	Ippggbck.exe	103
PID 1984 wrote to memory of 4892	1984	Ippggbck.exe	103
PID 4892 wrote to memory of 2760	4892	Ickchq32.exe	104
PID 4892 wrote to memory of 2760	4892	Ickchq32.exe	104
PID 4892 wrote to memory of 2760	4892	Ickchq32.exe	104
PID 2760 wrote to memory of 4268	2760	Ibnccmbo.exe	105
PID 2760 wrote to memory of 4268	2760	Ibnccmbo.exe	105
PID 2760 wrote to memory of 4268	2760	Ibnccmbo.exe	105
PID 4268 wrote to memory of 1732	4268	Iemppiab.exe	106
PID 4268 wrote to memory of 1732	4268	Iemppiab.exe	106
PID 4268 wrote to memory of 1732	4268	Iemppiab.exe	106
PID 1732 wrote to memory of 1072	1732	Imfdff32.exe	107

C:\Users\Admin\AppData\Local\Temp\d5f8a21e856759667135c5168ec0e08f2f64e5ceaff0600dd1c1239553ab9b23.exe
"C:\Users\Admin\AppData\Local\Temp\d5f8a21e856759667135c5168ec0e08f2f64e5ceaff0600dd1c1239553ab9b23.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\Helfik32.exe
  C:\Windows\system32\Helfik32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\Hmcojh32.exe
    C:\Windows\system32\Hmcojh32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\SysWOW64\Hcmgfbhd.exe
      C:\Windows\system32\Hcmgfbhd.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:548
      - C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        26⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        27⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        43⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        44⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        53⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        55⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        57⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        67⤵
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2764
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        75⤵
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3004
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        80⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        81⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        82⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        83⤵
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        85⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        86⤵
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        87⤵
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4216
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        97⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        98⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        101⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5756
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        106⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        112⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        113⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        120⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        121⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        128⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        130⤵
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        131⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        132⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        139⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 216
        146⤵
        Program crash
        
        PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5696 -ip 5696
1⤵
PID:5588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
89KB

MD5
33ee5d38f2d4518f50ccff44e18b1851

SHA1
04660fecee903d16a4fc24cc22d5a0ebb0b9b703

SHA256
18a585350c0b02002873889dada9079149d34e862f67d6fc3c8c45ffc2e68365

SHA512
1b733dbab48618f9ef6be79cc7d8156534a9a2a6e6c002bee46f3305a4475471507dbb8dab8664ba6afcb450cbc4703cb7b8fad4a883f0dee7056da777a42301

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
89KB

MD5
b8b236a16327591558eca733c19feb23

SHA1
ca2d84deaf9b42ed2be14af8d3a5b747cc526a76

SHA256
be55134458082fd712a546b938711badea48e1cf9445c25dcda99600887290b1

SHA512
c932a788bcffa9505ab4f726a34e5c348099eedb338b79f18aa3b56ed93a744286badd35026b071e32ef2edd7052845fd4c6a68e14c123b443f5f18e564632a3

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
89KB

MD5
b7832729496ff5fa205e52d49d07b58f

SHA1
8e6e79d81d6b980fb4acaba829dfb321011bab06

SHA256
51e550955a2825fad88908315c5f2188052738284c9450656a7d0cb29ea0c636

SHA512
dfefaabf6c090646cf99ec3618a54e6d5fb68b357cf3c734fc6a53ad92491696b1b971e1637156666c7bd062b624298a86eb7f8a833657fd5089f0fa006fe64d

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
89KB

MD5
74d86d732dc9815580d052e1dfd6e9a5

SHA1
b40da6173038e9804cfec8b93a187d6b32ea84d8

SHA256
3d4eb288aeba0fe52d53f76ad3f679cf7d3435834f5826704cec4d3f83bafb76

SHA512
4bdb763580023a90360e366ee8eed760cbfd716a19ef5ec6008df68b65272bc674c2859d02e9f51f7d744db85b547e22d93f6e9181c24486d9233b8742203884

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
89KB

MD5
f82428ce1056c11b484885c0f3a203da

SHA1
4f463e857db1db2f436752f17ec77b7b024279ac

SHA256
e14b1e4c4bebe5cf6b34b532e19f9406d8c73e8d18d7cd82b16f845d46067962

SHA512
e80e9644761d5ab62e0fe99b935a56b369bd9c95e5a88d90bfd2dc67cdc646f9d7180dfd19618d4c626bcfeaa14616dc8e367e636b830cbe0ac931dac64d3fe7

Download Submit
C:\Windows\SysWOW64\Hcpclbfa.exe

Filesize
89KB

MD5
14137085b7f939b98d04ec002e25db32

SHA1
c9445a6d530f7a0e3d9e5720eb54793434f7901a

SHA256
5682572f8a4bf238753119e076727019cc671a0148bb7c74c2bec8a6fb002b80

SHA512
42eb6e2aa98171f52857117e405cb377ff44715a992efc1d1d7b092fd667239b4a9ce7d11af758c0fb295b70d64f2adf3e48a3bbe7e59216f69048de990b4134

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
89KB

MD5
71cceb3c1386506f5c7b8af4d3c6ac8b

SHA1
0a55d8a440db045c84bd02fb7aca087a5d650e6e

SHA256
c49d260f6678c61e8293a85f9d11325cf3b126c69ad2c7856c8584249b7cfe32

SHA512
3f0732d87e4151322ce0c5eea2e22db443534fa339213eef54a744bbef189f2cde09f7ab10cc69655d3f0c94493092bd741f2d062ead759547aa254319074847

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
89KB

MD5
6495f7f461cb6e75a5b99b7212888baf

SHA1
dd5ebe6c21853a979cf682731e4a471cf300634a

SHA256
8c4c237def9ff81bf2247b5646f7895bf57fd3df6f77dc17ead7ce5caea07cd2

SHA512
0454d8928ea9f3dbc62daee7c1d14748f6879978a7d7ea95599c9b0610ef3b48b8c80ff7b36c759c6eda1b0b9e46c93a7aaf56279e989db219bba0109ac6a71e

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
89KB

MD5
fbdbdb8a66b4ff1224f015cb1ca0240e

SHA1
1219085baa49faaa6d931df1a74327858656c0a3

SHA256
b6e9aa86d93728fbe5a69a77e0258aae8fefc1d777a16eb246fa56cc93112b11

SHA512
f9d890d33395919f1dea81dee336986984c3024925edd618ab288fbca892b1f74bcdfbd5c0a9c27fd38ca1984c1370a07a031f7572c3f1f033117eb03f29f38e

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
89KB

MD5
c0fd6429c9f4008946a31d983c1a0337

SHA1
2b3de654bf9b8f32162b8ee245cce8aef3a8bf2d

SHA256
27ac988dd54b8e788ec0e29f90a5b20682d195c3db961dec7a201d7ad0b91033

SHA512
fea9d2d4ee3d4ad91fd4ae42176517c4b84902f2bc981cc3935dbb1de27748f2704232e1347a927b851ded3a18e98a38de4bf380be9d9d65d6cce32db37372df

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
89KB

MD5
ac66deee002e0d4fbf2f52b7cc1f5a36

SHA1
149c12dcec93de55a22c11e94599cce7773f37c9

SHA256
0a4b58180302aa5d5157a1fef0aa3f9e59fff839340c1d7282aed4477bdabd42

SHA512
bff88f257cd05d00afaa148720bab03043203100637eb0400d04cd68f3c560019b4684a2af29638912dc445b95ca9b0d4d6525e8d28e9835cc553f4aa84180f1

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
89KB

MD5
df2a31dd22ae4e1eea1fe0b9a3ebb405

SHA1
a990960d1df2fd8d18b2e58d1f53c251517f90f8

SHA256
7e795b387a27368c5abbfcd12a3bb5251e27334bca1d286016e3fd0819f6b981

SHA512
8f1b46e334b241a5750216ae3fe5bddacf38fb2dfa03f5f638f4282ef2ffa0009fad80f1abbd0dbd998bbe6f4c122f45586a44a18f95f4813c0b5ca52fc30d00

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
89KB

MD5
998c0f188757a0289b7572a0466f1ca5

SHA1
905f7f73352cb91b4836f7920a7b9646399a36d5

SHA256
ca1e38e0d47582ba6f881bab49c3ae3b37d677a8384c246c19c0a41c9a92292f

SHA512
1dd086a90f5db938f34a3a097c4054a66487c15ac16b28d9db8ca0429606a17189e86a72aa33c084c011300a65e8067dc49a223fa0fd470b45f289e12607c029

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
89KB

MD5
c622012495ff259f8453c9379d3d15d4

SHA1
50901fa156dec482b4a00a6d9b0137aa5eea5511

SHA256
070f5a3e10d0b46fd38a50bd6d88dd47fa4508d492cdc7db4259925aeb26a6f7

SHA512
b172c5076acf31b23400e01658a3ed1a83fb72486798bee08cfa73be252c38e0444bcb02039d06a87790b53e4126cb78c1825836742b43348c38b8a86ea08526

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
89KB

MD5
346e5f98209d529d9815ab93be567c6d

SHA1
80feab5e1303a53aaaf7022f8f10db746b330943

SHA256
574ba3b8003d1fa644ae2fd9f10266278f25e655a5e11bdb6155bf25c8eeaa00

SHA512
463422b6a104c99af78568123da9ab6040a1e2ab74f06a5d5281e1925ddb1f6e7215feb778c4925eeab5271ce66ea3c08d142174a3988ffe3bc9c46192fef6d1

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
89KB

MD5
c39aa487515407862354a4c83f8f5454

SHA1
16fca712b4d0823bf99be6f635f2b08837c961e2

SHA256
5d7a587fc75311b6b5550fff2d75b81263690b1575e79120fa05061f4ee20e44

SHA512
e2b8831e13506c9645f3a1f6a4fde757ada329942f33bf52e8fb214d86654d61eb6218ed3b8702f06be773bc70e68c3a555156013c5bb06f8b1d7179ed3fe30f

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
89KB

MD5
f606178e614e9ec48d52a2146aee0342

SHA1
11b299743b4240f06ed3f89a98d7f5e269373eda

SHA256
ee2142ff5ff7f16dfed94e76167c458ef9f4bb40dd639d724437f9c5a5395a28

SHA512
e821a10599863e42e916d3a7b788dbbe3c931104f022c2fe05750dee89bc7c30ae1daf22bb1e335fd3f7c614951d2314c0b9994725dfbbe5c6e9a0ab6b100b54

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
89KB

MD5
1d286433862cab66f05a6f93e851b717

SHA1
3b46cea3eae7b84cc92eeeda817453a85a44f004

SHA256
dc8d1776d2250f28309048c12fd8c4996dd9a21a7097957c963029237d2b21ea

SHA512
6e6cf503eb6287a663acf49f30916b0bbce36405a555de172ff7610e0fae6fde34ae2c81f183f3a0334e318afe208c8519a364c90c462b3b3094b66296c44c88

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
89KB

MD5
bfd0e5ecca47da0547e665f39af85168

SHA1
50946cbcbdc2c4775ee085194cf940f62f24e88c

SHA256
8c8aab60909d1a0e794dbccc725a16396f5aa0f10d9fedbf447f5f90d45914bd

SHA512
07ad5a85a04e3da2f4132fd512808f20cd93a7e020c73faea1de24b628ae8f66ec03fbab2765bf4d3d0f534ff5acf8b783c89c175884cd645f8c56dada4e1a24

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
89KB

MD5
af029230409c0c46783131b1460528ee

SHA1
9bbcd99b07161706f6ad798bdf16b3bf174d7e8e

SHA256
97d75e08b5325e5a488a58b35bd23abd4fc4414770dc03d211f5cf162cf95c03

SHA512
dddb4ba5a419c26526f107952e975d41c50a7501032ddb469ce1e41b1db0cd559259038e56d3cb3eafc4f713f1a4fbfcb84911145935ff803319e11426c5315a

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
89KB

MD5
20976d3079d5a14f3f252ca04a726be4

SHA1
e9696cf84e045cad86bfdfaffe0cbdb9407c098f

SHA256
15cfdcb191eb7153e718e322dc7e3b257cd47aaca5320fa9a30fc5f74702a4e6

SHA512
c27c19dd233e270612ef5b94ff90a0400e3aa41b90b419b3b304bc409cae6348e3ee7474e8073d4ee2f4374bce9ce1144e509ee5f3305d1937a73d27e9b0d001

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
89KB

MD5
9b9ee66acb08bf9ba4c6f67c65820c6c

SHA1
6f4616a45c8bbaee99f5d39c955ecf3d5e789490

SHA256
602ed169a0c3fa6ddf7a779109d273cc6f895b10a006074054a51296d3353b18

SHA512
356beeaeaccd97f9c0b5b1919b1f58fda35aebfcc2603f9fbd429c9afb9aebd3665b62376f915d4ae59ebcb622ceed3a861bc83c27ab0f2ab3638b8dd9728ced

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
89KB

MD5
a2599c4846027a6c4e442c122b0d7344

SHA1
4f15db04798af966e25a2890fa0573fc5936d5f8

SHA256
6b83b4aac3540d6292242e7eaa642ade5afa7d6e9a6de67f3f04aef9773faeeb

SHA512
25d2bde471b982593ecd99b4700d64f4171b98f6fa3e8d93d03f03f0cc978824b4102d53b2cafbe7edc6e7df1caf11fd448551438b4be230b9d3c2461aeb9462

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
89KB

MD5
37f70c1a632808a4c55a23c3cc127ece

SHA1
0abfdcecaab2002a5403fd6ab436c04460de6978

SHA256
c92e114e3775f99f30097695cb937ab0411ef44ae397686699bc9ef0d105323a

SHA512
363fbe5cd6ed0060f333866e2174ead4897a5ae308b87f2cc7734c5a3ebdc84134edb0e4916403f4856e2b1f13fec5d4043da97743854c68933798a0f5141b47

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
89KB

MD5
b7a89b6f092610d98f339a8ebb0f3c42

SHA1
f7af856bd90a05ba7b524fb8c3dd061ea05f7114

SHA256
f99d7e71bb66ea861fe0280fed708a2267b54f076e61a8344856475d7d7826b8

SHA512
3e8c9d5ae0eef64c0b51616f8b1f24cece1c60939e40ea7e3b0b290fbc0e4075b4fc97fa915ebb099ab0f15dcd3f85e45ace356e0047de1a7e76d662f795c08d

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
89KB

MD5
bd043e7c3c9a64868981b084a3d6d7dd

SHA1
63ea0b0d702fba63727db75001334d1e80134e30

SHA256
98cda3aaa46dcff54b1182c659fac3e0429938dd86ec7ea2ecb9ff58bcfd0e3f

SHA512
39ba37825770d51be7ef30471a0a93371069998857af6a04b1cecc74b188ec6ba11eff195bae3a15d68abebd951bcd0c4de8f7147963e2155f81be7a9f7aef4f

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
89KB

MD5
5ea8814b77f41a88efa42dbefb9dff83

SHA1
7ae707aff0aec887d99242865f87b39443588d15

SHA256
f47cc57e7077b865b8e84f4cee5103525b1a309c3b1f8bac798b383defd9a3f1

SHA512
24b58334f3120c3ee690b7428381e155138adf11e57d613deedb62d23603fc684b9dc9d8414a203b8f16f6d1d6b323a4da4c5ac306ff9fcde634e44a17b507d9

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
89KB

MD5
8904a41a9e0abb5c0cb9c4d0cf5dfe4a

SHA1
456c016fba51221c43f5bdc7dbe5f7386079e5b4

SHA256
5d4fefbcb2a6d0dd221841ca1710bfff67184a0561d84e787046831b3946e202

SHA512
df666a2229c8c578927ded682363e0902e3e26cf0c94cad23ea26c84a05338d71f1ac8a0b8ad55f0804d1f380649d1e2eb9ca51c5409931290d87c5c613c2cfa

Download Submit
C:\Windows\SysWOW64\Jfoiokfb.exe

Filesize
89KB

MD5
a1f955fe8773e5e09cd3374ea4a0ddd8

SHA1
c95d2c639440767c4e91db3f3887700572327de6

SHA256
d37509cba29a50ee4b6eb088ca4762ffa4aa3529bf118f46601efc2918bce7be

SHA512
9a2d72590b93e550bb9525d2cbe8d1212ee43666cf37826182b692d972ea39d6113c6bc19cb56338ae25f2a9f5186562f2b35f8cfb284070697d116284acfc13

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
89KB

MD5
c6c25854e7fb773a2ada12ee541623de

SHA1
33c4a3d87a465dd58555f36473c9009e7a9887fa

SHA256
88576fd733c193a9253422901d620581e05d29fe6d8df3ad9efc33ded4b97e3a

SHA512
b354d2b562b871c4270a454fdc0e0bbf708109be02b0444a6291f218b6c28bdda97e9e5ec2a544fab9dfef5107baeb75ef0fba14a21a99552ed69709dd776697

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
89KB

MD5
f69902ae01c12c1da7a0475eac6ec3b1

SHA1
64fc78d1eb34d9f490f3e39b1f82e1609cfa9b01

SHA256
7ca8caf9568a79e4dfdcb94b2591eb3544c10f2f4ce0d87cd9bc7a1a03ea0b21

SHA512
df11bf02cb48191065efa449afa7be40784d30eb545aa8956ea83c4ef4af724465a797fa0c404aece8ec3d947d380656324c290dea1860d773ec5712ad7766b0

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
89KB

MD5
ab3e96ec87f4e10d5448d625ef07a89b

SHA1
3a9ee7b74742d6eca25caf9db44b1f203ef59e50

SHA256
3770b977d88fac00b14b065e416c507b5adc4094170d274a27c0a477c6427ea8

SHA512
ad0444c7a5bb88338116e51f71f9e80747ec51cf8410445459f568dd52c0951e46fc22f80ac8db92a612a8a3d9fb2dd7f589fd745f6aede43563faf1fdb52cfa

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
89KB

MD5
f7e429065d09d0950a5623bee2cbbe3a

SHA1
7b0c574b80a14aa38c27b062df73c8fe987da4d8

SHA256
fc05e4b2701b281e6029efd0154cec8dd8142d28e20bb263505c43e2c64ae31c

SHA512
ec3ec88cb4cfee6bf0a88c600e0327af51d9238a2202fa4f1928c972adfaf36f1e5686a0a1b82b82dd40d58cd8ee167ac8a9c2c68693e7f558d5b00f1820f376

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
89KB

MD5
50666627d43ea27b11505112bb49b228

SHA1
1fdfda6745f2097b7c6a434651105089386b16ea

SHA256
ab6f90b6e585acff65eb1d677120cb628dd5b8aaab920123d8816c977e71f08f

SHA512
c43c26046c79e054a139c4fb67e2e4f0057093dfc7866df8dd5c711667dbe27c8c71fd8d77dddde8d649c848ef1172520956e74c3cabdffe089cca4086a90e5d

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
89KB

MD5
3767c5ada680c40eeb8e39c1a9e30266

SHA1
e70c7e815f6d69a1687f8ba7696497fc50d8a2d2

SHA256
577146054a528b06c205c922d590863bedddadcdcc1c549d2fa17561b371736e

SHA512
5f948930f541078f4645e578eaf2a90aeff4962f6e6c567d72c225a85e8e1addb6840bcc1b1fd7fb1c9265ac16312883a59ba98b518f928cfebb792ea13569cb

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
89KB

MD5
f0548868041ec2a90e4708836ab89cc6

SHA1
4ecea4017ccef13cf9a468a00940ae1f19ba3d8c

SHA256
f6c06f2f9dc9b12cd8ab4e4a7b334aebd73f1fa3fcd26354506acb36c3f9d955

SHA512
9e879fbe7426836f931e60e864372d30ea44d140cbc60084003d133735bb17421a82f6cd0144f5e38efcb766b1200cb1a250195690e77eab52f4a4742a928454

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
89KB

MD5
371a6daf62a0cb0d244e165bfa71c947

SHA1
a19bf99c2a9ef66042865db232af1c444add1de8

SHA256
04b8a5ca98414c692843fd8e1b93c3ae9a3c47ff0f040a5793523a814b8fe203

SHA512
86f5e2301da7bb0317195f1488ccb974f6104fcef75c02d67b4b8e5d1eacbcd72cf1ae8d87417bd147360d21f8a4a251e2feb7c712405cd8546d37694126f37b

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
89KB

MD5
1da2d9495ef7b736424d1c3a0be4ba27

SHA1
d47ceaeeb21ab2d6533ee24e75e73b1248629502

SHA256
0022a2f223665d1e0d54ce3889d404c3efce0f1b3bbf2fab7bf8e053e92f2184

SHA512
3ace5e08e6de74d27f8fd44f2d53408ae330703f20536d8b25042b43901a8e2d1dc19bb5dd71a37ec2f98d22a13cf58e1f6e39c7a053539ccaeb0e166a40b8af

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
89KB

MD5
853175cc1af02b191cf565b717b5b67f

SHA1
332d9080e39b869695f5bce46e457f7fde7471fd

SHA256
3e22f27b5c598f05e62981f83b9add6d5a49cb8643508721bbc09b6704ebbb9b

SHA512
f8e279af62cfbb5f3824b1b502e099c662061789c33eb5c27d1b01d9d3999ade9df602f86b1982c73b6b350064e500ccb3cbdf5909e20a61c2cc1eb9651da46d

Download Submit
C:\Windows\SysWOW64\Ncbhll32.dll

Filesize
7KB

MD5
2541686390d16897eb1a6f39956f5703

SHA1
e41912bbf3150015555f3ec398c94a0edc924fd2

SHA256
248c64f80b1fdd27a85943a0deb077ea99787cd3b901dcf279a7d6d71c555bcd

SHA512
ae32fb3863cd630b04aeb37eba46b4fbf1728deead7b3fd58d747e99aba3c1eb406d81ec16cdb18bd397ab1aa1401565742da1c041c4d52c9c380fc4583710f4

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
89KB

MD5
36594a6ce24f423ce58059ccf637041c

SHA1
e9b3764159637d5d68e1f7f806bc55c6bb01ed80

SHA256
ee318f5e43d6587b19e59773c8b420e7d5daef7c818cd1bca54491c488aabc60

SHA512
67c34ade46543f2f3e560b01499211fd9dd459ed322ac5d19f6cf07438b15baa26fa2c90f004b699f8c108e6554c1f13396e9e5e17f68a8adf96b37e55ff8c51

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
89KB

MD5
69d5a3a7fae829304832a0797ac80f6d

SHA1
8211cd9d45838bfc2d3c0bc018751998a4d1da5c

SHA256
5fbaebe8e8f6282c6240a97b9e17a998b123cb3d49ed642c7604392d89b5ec15

SHA512
c15145912be305c2bdbc4caaf58d5b668f02accec6119a7b826d255540b155d325ffabcf1c2b3e8e35d280e1f47cad82db4116d3f6887806f04734d312de2770

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
89KB

MD5
ca80310b54cb1e08099dd27a2273142a

SHA1
69afd23197e1c0a78043b21abb280fdf664bbc4e

SHA256
65f71bdf85a634073c1060daa5e657504d64e9e8a56089259ea2e433bb090483

SHA512
55ce529201f23303f8bf52d754c6509c097ff0648864d20fc415401616cf1ec85bfb385614556bac42d0a910cbf7137f55210e02e75b09d59e2b3e8821fbf046

Download Submit
memory/64-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/372-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/516-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-569-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/628-544-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/628-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/704-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/836-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/844-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/888-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/888-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1636-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1812-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1964-549-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2616-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-538-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2940-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-526-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3184-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3248-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-578-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3672-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3820-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3896-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3896-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3968-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4456-551-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4456-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-536-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-584-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4968-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4972-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads