berbew | abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe
Size

71KB
MD5

cef88437ba1506fce9a149f20358e005
SHA1

4805f263461e00f9a33e9212c4d456d3be985ef2
SHA256

abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7
SHA512

dbf2cf7ed4eebc48d456a25ac6604702848684cddabe3589c19f7e39fed6b81fb4db84c09e9e08688fbff2ca4f4c7adf9822d79ba41f964669a4643645163d8d
SSDEEP

1536:V857Dr8qKKgJbro8TXuMQgAWpjGCSbmRT6zRQCpDbEyRCRRRoR4RkG:V8tDr14JbU8TXggAW0Cyieze8Ey032yx

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjboeenh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffboohnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljjhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chofhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcilnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glfjgaih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Igkjcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npkfff32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Injlkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jobocn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npnclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gecklbih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjbqjiem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hijjpeha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lehfafgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlmaad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnbmoi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igbqdlea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihdmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjbqjiem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Igbqdlea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdogldmo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kihbfg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcimhpma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopnma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laackgka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enbapf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gngfjicn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbhmok32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mehbpjjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Egkehllh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhopjqi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meffjjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgfpni32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gecklbih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdihmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhfmbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jobocn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnlepioj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffboohnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgppmpjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mifkfhpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcilnl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igkjcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dljngoea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbpfeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhogaamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhfmbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdogldmo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2472	Blobmm32.exe
2864	Bbikig32.exe
2936	Chhpgn32.exe
2724	Ciglaa32.exe
2060	Cenmfbml.exe
1128	Chofhm32.exe
1500	Cjboeenh.exe
1940	Dgfpni32.exe
2952	Dncdqcbl.exe
2364	Dgkiih32.exe
368	Dljngoea.exe
2192	Ehaolpke.exe
1680	Ekbhnkhf.exe
2452	Enbapf32.exe
1476	Egkehllh.exe
976	Efpbih32.exe
1020	Ffboohnm.exe
772	Fcfohlmg.exe
1292	Fcilnl32.exe
1964	Fnbmoi32.exe
2092	Fbpfeh32.exe
2028	Gngfjicn.exe
852	Gecklbih.exe
2248	Gdihmo32.exe
1572	Gjbqjiem.exe
1988	Glfjgaih.exe
2876	Hijjpeha.exe
2920	Hhogaamj.exe
3048	Honiikpa.exe
2704	Hhfmbq32.exe
2680	Igkjcm32.exe
2228	Injlkf32.exe
2908	Igbqdlea.exe
2620	Ihdmld32.exe
2940	Jobocn32.exe
2716	Jdogldmo.exe
3060	Jgppmpjp.exe
1688	Jnlepioj.exe
572	Kcimhpma.exe
2376	Kopnma32.exe
2276	Kihbfg32.exe
2116	Kjhopjqi.exe
1328	Kpgdnp32.exe
988	Lbhmok32.exe
1376	Lehfafgp.exe
2164	Lgiobadq.exe
1952	Laackgka.exe
1692	Ljjhdm32.exe
2016	Mbemho32.exe
2128	Mlmaad32.exe
1580	Meffjjln.exe
1600	Mmmnkglp.exe
1536	Mehbpjjk.exe
2916	Moqgiopk.exe
2676	Mifkfhpa.exe
1768	Maapjjml.exe
1936	Mlgdhcmb.exe
3016	Nhnemdbf.exe
2436	Nogmin32.exe
2948	Nknnnoph.exe
560	Npkfff32.exe
1840	Nkqjdo32.exe
3044	Npnclf32.exe
940	Nmacej32.exe

Loads dropped DLL 64 IoCs

pid	Process
3032	abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe
3032	abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe
2472	Blobmm32.exe
2472	Blobmm32.exe
2864	Bbikig32.exe
2864	Bbikig32.exe
2936	Chhpgn32.exe
2936	Chhpgn32.exe
2724	Ciglaa32.exe
2724	Ciglaa32.exe
2060	Cenmfbml.exe
2060	Cenmfbml.exe
1128	Chofhm32.exe
1128	Chofhm32.exe
1500	Cjboeenh.exe
1500	Cjboeenh.exe
1940	Dgfpni32.exe
1940	Dgfpni32.exe
2952	Dncdqcbl.exe
2952	Dncdqcbl.exe
2364	Dgkiih32.exe
2364	Dgkiih32.exe
368	Dljngoea.exe
368	Dljngoea.exe
2192	Ehaolpke.exe
2192	Ehaolpke.exe
1680	Ekbhnkhf.exe
1680	Ekbhnkhf.exe
2452	Enbapf32.exe
2452	Enbapf32.exe
1476	Egkehllh.exe
1476	Egkehllh.exe
976	Efpbih32.exe
976	Efpbih32.exe
1020	Ffboohnm.exe
1020	Ffboohnm.exe
772	Fcfohlmg.exe
772	Fcfohlmg.exe
1292	Fcilnl32.exe
1292	Fcilnl32.exe
1964	Fnbmoi32.exe
1964	Fnbmoi32.exe
2092	Fbpfeh32.exe
2092	Fbpfeh32.exe
2028	Gngfjicn.exe
2028	Gngfjicn.exe
852	Gecklbih.exe
852	Gecklbih.exe
2248	Gdihmo32.exe
2248	Gdihmo32.exe
1572	Gjbqjiem.exe
1572	Gjbqjiem.exe
1988	Glfjgaih.exe
1988	Glfjgaih.exe
2876	Hijjpeha.exe
2876	Hijjpeha.exe
2920	Hhogaamj.exe
2920	Hhogaamj.exe
3048	Honiikpa.exe
3048	Honiikpa.exe
2704	Hhfmbq32.exe
2704	Hhfmbq32.exe
2680	Igkjcm32.exe
2680	Igkjcm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Engplgdp.dll	Fcilnl32.exe
File opened for modification	C:\Windows\SysWOW64\Igbqdlea.exe	Injlkf32.exe
File created	C:\Windows\SysWOW64\Ifdeao32.dll	Ihdmld32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgdnp32.exe	Kjhopjqi.exe
File opened for modification	C:\Windows\SysWOW64\Moqgiopk.exe	Mehbpjjk.exe
File created	C:\Windows\SysWOW64\Lclgbcdk.dll	Ffboohnm.exe
File created	C:\Windows\SysWOW64\Igbqdlea.exe	Injlkf32.exe
File created	C:\Windows\SysWOW64\Fnlppbbp.dll	Kopnma32.exe
File created	C:\Windows\SysWOW64\Chofhm32.exe	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Ppiodh32.dll	Cjboeenh.exe
File created	C:\Windows\SysWOW64\Fagimi32.dll	Fbpfeh32.exe
File created	C:\Windows\SysWOW64\Hfndae32.dll	Meffjjln.exe
File created	C:\Windows\SysWOW64\Blajkq32.dll	Glfjgaih.exe
File created	C:\Windows\SysWOW64\Kpclfokl.dll	Igkjcm32.exe
File opened for modification	C:\Windows\SysWOW64\Mmmnkglp.exe	Meffjjln.exe
File opened for modification	C:\Windows\SysWOW64\Ehaolpke.exe	Dljngoea.exe
File created	C:\Windows\SysWOW64\Mgmhmkfc.dll	Fcfohlmg.exe
File created	C:\Windows\SysWOW64\Igkjcm32.exe	Hhfmbq32.exe
File created	C:\Windows\SysWOW64\Cfnmqjah.dll	Kpgdnp32.exe
File opened for modification	C:\Windows\SysWOW64\Laackgka.exe	Lgiobadq.exe
File created	C:\Windows\SysWOW64\Baohnn32.dll	Mmmnkglp.exe
File opened for modification	C:\Windows\SysWOW64\Nmacej32.exe	Npnclf32.exe
File created	C:\Windows\SysWOW64\Pagmlp32.dll	Moqgiopk.exe
File created	C:\Windows\SysWOW64\Chhpgn32.exe	Bbikig32.exe
File created	C:\Windows\SysWOW64\Mokegi32.dll	Chhpgn32.exe
File opened for modification	C:\Windows\SysWOW64\Dgkiih32.exe	Dncdqcbl.exe
File created	C:\Windows\SysWOW64\Fcfohlmg.exe	Ffboohnm.exe
File opened for modification	C:\Windows\SysWOW64\Gecklbih.exe	Gngfjicn.exe
File created	C:\Windows\SysWOW64\Gdihmo32.exe	Gecklbih.exe
File created	C:\Windows\SysWOW64\Jdogldmo.exe	Jobocn32.exe
File opened for modification	C:\Windows\SysWOW64\Nhnemdbf.exe	Mlgdhcmb.exe
File created	C:\Windows\SysWOW64\Nkqjdo32.exe	Npkfff32.exe
File opened for modification	C:\Windows\SysWOW64\Bbikig32.exe	Blobmm32.exe
File created	C:\Windows\SysWOW64\Efpbih32.exe	Egkehllh.exe
File opened for modification	C:\Windows\SysWOW64\Jdogldmo.exe	Jobocn32.exe
File created	C:\Windows\SysWOW64\Eldplnan.dll	Kcimhpma.exe
File created	C:\Windows\SysWOW64\Jhflco32.dll	Lgiobadq.exe
File created	C:\Windows\SysWOW64\Inbndm32.dll	Ljjhdm32.exe
File created	C:\Windows\SysWOW64\Mmmnkglp.exe	Meffjjln.exe
File created	C:\Windows\SysWOW64\Hijjpeha.exe	Glfjgaih.exe
File created	C:\Windows\SysWOW64\Jgppmpjp.exe	Jdogldmo.exe
File created	C:\Windows\SysWOW64\Kopnma32.exe	Kcimhpma.exe
File created	C:\Windows\SysWOW64\Lehfafgp.exe	Lbhmok32.exe
File created	C:\Windows\SysWOW64\Ahgdoqqo.dll	Ehaolpke.exe
File created	C:\Windows\SysWOW64\Ffboohnm.exe	Efpbih32.exe
File created	C:\Windows\SysWOW64\Injlkf32.exe	Igkjcm32.exe
File created	C:\Windows\SysWOW64\Kanafj32.dll	Mlgdhcmb.exe
File created	C:\Windows\SysWOW64\Cmnhge32.dll	Nogmin32.exe
File created	C:\Windows\SysWOW64\Oemhjlha.exe	Nmacej32.exe
File created	C:\Windows\SysWOW64\Ecmdqkbq.dll	Nknnnoph.exe
File created	C:\Windows\SysWOW64\Cjboeenh.exe	Chofhm32.exe
File created	C:\Windows\SysWOW64\Ekbhnkhf.exe	Ehaolpke.exe
File opened for modification	C:\Windows\SysWOW64\Jnlepioj.exe	Jgppmpjp.exe
File opened for modification	C:\Windows\SysWOW64\Lehfafgp.exe	Lbhmok32.exe
File created	C:\Windows\SysWOW64\Ljjhdm32.exe	Laackgka.exe
File created	C:\Windows\SysWOW64\Bgbjkg32.dll	Mehbpjjk.exe
File created	C:\Windows\SysWOW64\Ibnjlg32.dll	Mifkfhpa.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Oemhjlha.exe
File opened for modification	C:\Windows\SysWOW64\Chhpgn32.exe	Bbikig32.exe
File created	C:\Windows\SysWOW64\Dhompmdf.dll	Dljngoea.exe
File opened for modification	C:\Windows\SysWOW64\Efpbih32.exe	Egkehllh.exe
File opened for modification	C:\Windows\SysWOW64\Gjbqjiem.exe	Gdihmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ihdmld32.exe	Igbqdlea.exe
File created	C:\Windows\SysWOW64\Lgiobadq.exe	Lehfafgp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2280	1308	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjbqjiem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glfjgaih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciglaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncdqcbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffboohnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gngfjicn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meffjjln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenmfbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljjhdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbemho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maapjjml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhnemdbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgfpni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enbapf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjboeenh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdihmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnlepioj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kihbfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lehfafgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nogmin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npkfff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkqjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chofhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekbhnkhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gecklbih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijjpeha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgiobadq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laackgka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehaolpke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igbqdlea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhmok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmmnkglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcfohlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhfmbq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npnclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Honiikpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injlkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jobocn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcimhpma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oemhjlha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbpfeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhogaamj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopnma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mifkfhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nknnnoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efpbih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igkjcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihdmld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlmaad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkehllh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcilnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moqgiopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmacej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhpgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnbmoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdogldmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhopjqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgdnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgkiih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dljngoea.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpclfokl.dll"	Igkjcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kihbfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egkehllh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhogaamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhogaamj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Honiikpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndcjglje.dll"	Honiikpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhfmbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbemho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajkip32.dll"	Bbikig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppiodh32.dll"	Cjboeenh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efpbih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagimi32.dll"	Fbpfeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbpfeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaggm32.dll"	Igbqdlea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbagfo32.dll"	Jgppmpjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlmaad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmdqkbq.dll"	Nknnnoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Blobmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ehaolpke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffboohnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jobocn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kopnma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbhmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichnpa32.dll"	Gngfjicn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdogldmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdogldmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baohnn32.dll"	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgmbedh.dll"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbikig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlilhb32.dll"	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmgnmlma.dll"	Gdihmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffojn32.dll"	Lehfafgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maapjjml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhflco32.dll"	Lgiobadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mifkfhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gecklbih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkihcnfk.dll"	Hijjpeha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknpkfec.dll"	Hhogaamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldplnan.dll"	Kcimhpma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kopnma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgkiih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekbhnkhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hijjpeha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgiobadq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Egkehllh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fnbmoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Oemhjlha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljjhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbikig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll"	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dljngoea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgdoqqo.dll"	Ehaolpke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engplgdp.dll"	Fcilnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgefap32.dll"	Jdogldmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmacej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Igkjcm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2472	3032	abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe	30
PID 3032 wrote to memory of 2472	3032	abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe	30
PID 3032 wrote to memory of 2472	3032	abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe	30
PID 3032 wrote to memory of 2472	3032	abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe	30
PID 2472 wrote to memory of 2864	2472	Blobmm32.exe	31
PID 2472 wrote to memory of 2864	2472	Blobmm32.exe	31
PID 2472 wrote to memory of 2864	2472	Blobmm32.exe	31
PID 2472 wrote to memory of 2864	2472	Blobmm32.exe	31
PID 2864 wrote to memory of 2936	2864	Bbikig32.exe	32
PID 2864 wrote to memory of 2936	2864	Bbikig32.exe	32
PID 2864 wrote to memory of 2936	2864	Bbikig32.exe	32
PID 2864 wrote to memory of 2936	2864	Bbikig32.exe	32
PID 2936 wrote to memory of 2724	2936	Chhpgn32.exe	33
PID 2936 wrote to memory of 2724	2936	Chhpgn32.exe	33
PID 2936 wrote to memory of 2724	2936	Chhpgn32.exe	33
PID 2936 wrote to memory of 2724	2936	Chhpgn32.exe	33
PID 2724 wrote to memory of 2060	2724	Ciglaa32.exe	34
PID 2724 wrote to memory of 2060	2724	Ciglaa32.exe	34
PID 2724 wrote to memory of 2060	2724	Ciglaa32.exe	34
PID 2724 wrote to memory of 2060	2724	Ciglaa32.exe	34
PID 2060 wrote to memory of 1128	2060	Cenmfbml.exe	35
PID 2060 wrote to memory of 1128	2060	Cenmfbml.exe	35
PID 2060 wrote to memory of 1128	2060	Cenmfbml.exe	35
PID 2060 wrote to memory of 1128	2060	Cenmfbml.exe	35
PID 1128 wrote to memory of 1500	1128	Chofhm32.exe	36
PID 1128 wrote to memory of 1500	1128	Chofhm32.exe	36
PID 1128 wrote to memory of 1500	1128	Chofhm32.exe	36
PID 1128 wrote to memory of 1500	1128	Chofhm32.exe	36
PID 1500 wrote to memory of 1940	1500	Cjboeenh.exe	37
PID 1500 wrote to memory of 1940	1500	Cjboeenh.exe	37
PID 1500 wrote to memory of 1940	1500	Cjboeenh.exe	37
PID 1500 wrote to memory of 1940	1500	Cjboeenh.exe	37
PID 1940 wrote to memory of 2952	1940	Dgfpni32.exe	38
PID 1940 wrote to memory of 2952	1940	Dgfpni32.exe	38
PID 1940 wrote to memory of 2952	1940	Dgfpni32.exe	38
PID 1940 wrote to memory of 2952	1940	Dgfpni32.exe	38
PID 2952 wrote to memory of 2364	2952	Dncdqcbl.exe	39
PID 2952 wrote to memory of 2364	2952	Dncdqcbl.exe	39
PID 2952 wrote to memory of 2364	2952	Dncdqcbl.exe	39
PID 2952 wrote to memory of 2364	2952	Dncdqcbl.exe	39
PID 2364 wrote to memory of 368	2364	Dgkiih32.exe	40
PID 2364 wrote to memory of 368	2364	Dgkiih32.exe	40
PID 2364 wrote to memory of 368	2364	Dgkiih32.exe	40
PID 2364 wrote to memory of 368	2364	Dgkiih32.exe	40
PID 368 wrote to memory of 2192	368	Dljngoea.exe	41
PID 368 wrote to memory of 2192	368	Dljngoea.exe	41
PID 368 wrote to memory of 2192	368	Dljngoea.exe	41
PID 368 wrote to memory of 2192	368	Dljngoea.exe	41
PID 2192 wrote to memory of 1680	2192	Ehaolpke.exe	42
PID 2192 wrote to memory of 1680	2192	Ehaolpke.exe	42
PID 2192 wrote to memory of 1680	2192	Ehaolpke.exe	42
PID 2192 wrote to memory of 1680	2192	Ehaolpke.exe	42
PID 1680 wrote to memory of 2452	1680	Ekbhnkhf.exe	43
PID 1680 wrote to memory of 2452	1680	Ekbhnkhf.exe	43
PID 1680 wrote to memory of 2452	1680	Ekbhnkhf.exe	43
PID 1680 wrote to memory of 2452	1680	Ekbhnkhf.exe	43
PID 2452 wrote to memory of 1476	2452	Enbapf32.exe	44
PID 2452 wrote to memory of 1476	2452	Enbapf32.exe	44
PID 2452 wrote to memory of 1476	2452	Enbapf32.exe	44
PID 2452 wrote to memory of 1476	2452	Enbapf32.exe	44
PID 1476 wrote to memory of 976	1476	Egkehllh.exe	45
PID 1476 wrote to memory of 976	1476	Egkehllh.exe	45
PID 1476 wrote to memory of 976	1476	Egkehllh.exe	45
PID 1476 wrote to memory of 976	1476	Egkehllh.exe	45

C:\Users\Admin\AppData\Local\Temp\abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe
"C:\Users\Admin\AppData\Local\Temp\abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\Blobmm32.exe
  C:\Windows\system32\Blobmm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\Bbikig32.exe
    C:\Windows\system32\Bbikig32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\Chhpgn32.exe
      C:\Windows\system32\Chhpgn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\Ciglaa32.exe
        
        C:\Windows\system32\Ciglaa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Cenmfbml.exe
        
        C:\Windows\system32\Cenmfbml.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Chofhm32.exe
        
        C:\Windows\system32\Chofhm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Cjboeenh.exe
        
        C:\Windows\system32\Cjboeenh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Dgfpni32.exe
        
        C:\Windows\system32\Dgfpni32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Dncdqcbl.exe
        
        C:\Windows\system32\Dncdqcbl.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Dgkiih32.exe
        
        C:\Windows\system32\Dgkiih32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Dljngoea.exe
        
        C:\Windows\system32\Dljngoea.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Ehaolpke.exe
        
        C:\Windows\system32\Ehaolpke.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Ekbhnkhf.exe
        
        C:\Windows\system32\Ekbhnkhf.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Enbapf32.exe
        
        C:\Windows\system32\Enbapf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Egkehllh.exe
        
        C:\Windows\system32\Egkehllh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Efpbih32.exe
        
        C:\Windows\system32\Efpbih32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Ffboohnm.exe
        
        C:\Windows\system32\Ffboohnm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Fcfohlmg.exe
        
        C:\Windows\system32\Fcfohlmg.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Fcilnl32.exe
        
        C:\Windows\system32\Fcilnl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Fnbmoi32.exe
        
        C:\Windows\system32\Fnbmoi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Fbpfeh32.exe
        
        C:\Windows\system32\Fbpfeh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Gngfjicn.exe
        
        C:\Windows\system32\Gngfjicn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Gecklbih.exe
        
        C:\Windows\system32\Gecklbih.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Gdihmo32.exe
        
        C:\Windows\system32\Gdihmo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Gjbqjiem.exe
        
        C:\Windows\system32\Gjbqjiem.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Glfjgaih.exe
        
        C:\Windows\system32\Glfjgaih.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Hijjpeha.exe
        
        C:\Windows\system32\Hijjpeha.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Hhogaamj.exe
        
        C:\Windows\system32\Hhogaamj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Honiikpa.exe
        
        C:\Windows\system32\Honiikpa.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Hhfmbq32.exe
        
        C:\Windows\system32\Hhfmbq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Igkjcm32.exe
        
        C:\Windows\system32\Igkjcm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Injlkf32.exe
        
        C:\Windows\system32\Injlkf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Igbqdlea.exe
        
        C:\Windows\system32\Igbqdlea.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Ihdmld32.exe
        
        C:\Windows\system32\Ihdmld32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Jobocn32.exe
        
        C:\Windows\system32\Jobocn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Jdogldmo.exe
        
        C:\Windows\system32\Jdogldmo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Jgppmpjp.exe
        
        C:\Windows\system32\Jgppmpjp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Jnlepioj.exe
        
        C:\Windows\system32\Jnlepioj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Kcimhpma.exe
        
        C:\Windows\system32\Kcimhpma.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Kopnma32.exe
        
        C:\Windows\system32\Kopnma32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Kihbfg32.exe
        
        C:\Windows\system32\Kihbfg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Kjhopjqi.exe
        
        C:\Windows\system32\Kjhopjqi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Kpgdnp32.exe
        
        C:\Windows\system32\Kpgdnp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Lbhmok32.exe
        
        C:\Windows\system32\Lbhmok32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Lehfafgp.exe
        
        C:\Windows\system32\Lehfafgp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Lgiobadq.exe
        
        C:\Windows\system32\Lgiobadq.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Laackgka.exe
        
        C:\Windows\system32\Laackgka.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Ljjhdm32.exe
        
        C:\Windows\system32\Ljjhdm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Mbemho32.exe
        
        C:\Windows\system32\Mbemho32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Mlmaad32.exe
        
        C:\Windows\system32\Mlmaad32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Meffjjln.exe
        
        C:\Windows\system32\Meffjjln.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Mmmnkglp.exe
        
        C:\Windows\system32\Mmmnkglp.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Mehbpjjk.exe
        
        C:\Windows\system32\Mehbpjjk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Moqgiopk.exe
        
        C:\Windows\system32\Moqgiopk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Mifkfhpa.exe
        
        C:\Windows\system32\Mifkfhpa.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Maapjjml.exe
        
        C:\Windows\system32\Maapjjml.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Mlgdhcmb.exe
        
        C:\Windows\system32\Mlgdhcmb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Nhnemdbf.exe
        
        C:\Windows\system32\Nhnemdbf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Nogmin32.exe
        
        C:\Windows\system32\Nogmin32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Nknnnoph.exe
        
        C:\Windows\system32\Nknnnoph.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Npkfff32.exe
        
        C:\Windows\system32\Npkfff32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\Nkqjdo32.exe
        
        C:\Windows\system32\Nkqjdo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\Npnclf32.exe
        
        C:\Windows\system32\Npnclf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Nmacej32.exe
        
        C:\Windows\system32\Nmacej32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Oemhjlha.exe
        
        C:\Windows\system32\Oemhjlha.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 140
        68⤵
        Program crash
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbikig32.exe

Filesize
71KB

MD5
8170bc9d431425033f5fdb25b8fe96c3

SHA1
7b44f1067e05d0b62ea34f6fd7780d97e0026e37

SHA256
b2e8af9c15886516123eab09e3eaff481be405b4443a8e10e10bce287e4ac6bc

SHA512
8e03500d474bf43cac3f844ebc5d2b0843ab8444c5c0c0db5ff3eeb4a4a43d54904c76ea7c6f987c91b25a2680852bb4b5c844e892dbdb5a2910cbac7078ca92

Download Submit
C:\Windows\SysWOW64\Chofhm32.exe

Filesize
71KB

MD5
30b73bae520874e4b9deaac10b6fbebd

SHA1
4bcd33f7adef5e7439c3708e449968d1aa23efcb

SHA256
808d18bc41df6201d5724e06f0f56c650b329c86813c93011e3a681230a66488

SHA512
ec291682c26bf5c685ebb7e48246b6ca2aae51fbf35d468b16dc24b1efc52bbf3f4437670c47d457be8a9e4b4904b161600278a3275c89d84138a8f2d3b6ea0a

Download Submit
C:\Windows\SysWOW64\Enbapf32.exe

Filesize
71KB

MD5
0d6f5f40ef19b2a2b5ac54cb387e3601

SHA1
d3b7d9537c2b1c2651fcd10ea34b2854179093c2

SHA256
05e7a81e9970fe388b4c339ef1f944d3560eee1fd177ec6a3ee0c68fa0f62574

SHA512
0b6b67b4d1945ac95f726f1bb878de5320988ef8acd916025fd752829b2ad5e04e6a4c9f66c450890c2b8b3e6f9033e8882cd757172596c2bc98e8f99d5af399

Download Submit
C:\Windows\SysWOW64\Fbpfeh32.exe

Filesize
71KB

MD5
5d0c449161e3f024e874bec9e7689978

SHA1
8eb0e613990930922a3f260b6a86cd5b454a8720

SHA256
350e3ed777a2bb1bc4a271e1907b620966b4e6bce3f18fd3aa35430f926520a5

SHA512
013a48116098d1ff1c2bc60eecc11dc33fb36bc607b30ee3a5d519c3e7e8ee9125419cfff7da67f0b71d611cae87f539daef3139f8c4f2de59aaac53f13cdbd0

Download Submit
C:\Windows\SysWOW64\Fcfohlmg.exe

Filesize
71KB

MD5
5f62419ce30a55b2d8f7194fdac65ffd

SHA1
9d11f7deb93e7e9e48a6137fc41f2f3095bc1f88

SHA256
5fdcd6f1cdbbcfdc92a67dd8087389aff8e80e492616ba1ddfac073341b43b1c

SHA512
f01a73092715e7c68c2ff1c456a5704f5acee9dda8f1e36f78d86e50ed446da30be3aa5a60d2ccd1ea823e32faac432fb39d2c0a3702e1eb19bac74b52f45893

Download Submit
C:\Windows\SysWOW64\Fcilnl32.exe

Filesize
71KB

MD5
2c07482a5e06f6d6d055355ee85ac6ab

SHA1
73a0ea9f4c38eece1687808620ad8554ad7c70d3

SHA256
83506b5e6ba40dd3758ccf6165ae6a48a0e543fedfc9e976af2564354d51d4c0

SHA512
dad55a0cf4571cdf7a2620e5d24bbd71fc1e6cf2ff09f3d088ccd1947fc91130cbc44225e9e205a4087892f176fd8226e62d95433ccd5d7acc35edde6015d870

Download Submit
C:\Windows\SysWOW64\Ffboohnm.exe

Filesize
71KB

MD5
e48f646a5c00be6c9ec6600ae43930c5

SHA1
4c5fa009241a96219250f37c883b34b84ab9cf93

SHA256
723e3d529eb9a3c124aea848d1a9599496e63fa9cfd7d0c0f9ef22c4adfef3dc

SHA512
8d8057fac33240551e78954dc5a0a0d4ec07a8ce2a43ea5eb2813187ae0f05a2dba3440e49c5afdea92763c14b7c9a76477b60f7fc87f588fcb4bdd52743c26f

Download Submit
C:\Windows\SysWOW64\Fnbmoi32.exe

Filesize
71KB

MD5
d9de7647e91442be5bcfee8199f81bd6

SHA1
0e71528444c9963eb2172139f0e51ed54bdce0f3

SHA256
ab217dd110dc1dbd2f0912e4fac2aa60e7fdb6e6636ed5221261fcd5d58853e6

SHA512
9b15067c6d3b44b29df04df68d023db6169296fa72bfb85cf5e4e956c4ce6f4787a2a56d844b5ea5ec7556a83450047262f1998c7df1cacc172819fee408dbd8

Download Submit
C:\Windows\SysWOW64\Gdihmo32.exe

Filesize
71KB

MD5
743e572379a34ecaddd04ead649b0d3c

SHA1
1b1385b8834e0c80081633a55347cd7f594e0c66

SHA256
849475bd73c34ca9a6cf0d9d196bc87ca597117dd393629e2aaaf087009b57bb

SHA512
8352505e2fdd9d4b1d06257ec609db7d1ae3bab7480f91a6c979d8655501619b3e94830a189b5db0fc7a7fdfbbd31688b635486a26d74eda7b894839412f84a5

Download Submit
C:\Windows\SysWOW64\Gecklbih.exe

Filesize
71KB

MD5
5d7943f49a26a0d4753283bbefcf8353

SHA1
7391d22c9710b8fb2b1ce66ae029efa2169cd3fa

SHA256
124ca2c52454a58a32a76a02f2ec568f292aa75a620475f4cb644317688f6bfa

SHA512
341810beeb4b9781353cfaab36f202d854c824c15c07504855d5ec3a259ac6be0a88b92905dc35b1c48c588defdc0a6d71d5923df4770ccf5d8ec29185344634

Download Submit
C:\Windows\SysWOW64\Gjbqjiem.exe

Filesize
71KB

MD5
bbd9856e394dc6278e3550548d1f5751

SHA1
1b775fcbf716c3a0ae80166a522020c656bbe272

SHA256
37e0243e451b8ef12ee7b2110fb1d2fb7458181fa598f009347e25f9bcc23801

SHA512
93faea29b93c0d310d9684fa9c7e073637d4ba4e7c5e4e565f6a0776d3a9034d2ad5d6e824b9fd4a852ccfb0dbf6358c6f896d3e266d088b59534685a6153d50

Download Submit
C:\Windows\SysWOW64\Glfjgaih.exe

Filesize
71KB

MD5
5e215b8c582736bc3cc8029598b0e1dc

SHA1
243b823bea598379e0698050d2efd342856a9c1b

SHA256
c6a7646dd60a9df83663d5f63fa6804b304fb1eefed304573556e7666e2e9e18

SHA512
45bad2a4d048e7fc60835b84b7476394bd775139aed68310b6942f3ba694638b66f9e89188b7d38f0d0ad25507e1d055b767dfe92bb5c8e51f57d33a2c4cdc45

Download Submit
C:\Windows\SysWOW64\Gngfjicn.exe

Filesize
71KB

MD5
f23c6c4cd1107a4b08d68438e788a2aa

SHA1
50da148814867397818c03267ee12feb3bed1219

SHA256
707a5a9fee30b599de133bac3cdfe7a271a7640c1fe441c6e42b5786e56b4203

SHA512
5c188f1f814be4ca7f7dbef97663f649b637cf2b3f5acf30cc398c7f0ec6639f3bb58d1de397dd4ae20784a37c7d41ca353ccda8995cbc18a3b1e551e7a3b4d8

Download Submit
C:\Windows\SysWOW64\Hhfmbq32.exe

Filesize
71KB

MD5
3457ca7880cd23fc55af53a79dc4be75

SHA1
8d887d89ee931d8392afb3b7fa3984267c30d8c4

SHA256
9585dbf243918ed2b76f79dc754f455fcc0406537126ebb9da8959ae417f3ea1

SHA512
12c85259563938f30151f4a5a50d1d09eebb5940eff04ed82f66244f48088ebdadb7753d569a36bf94423613be607c9f17021689ea9e281a04cdc22abcf5f68c

Download Submit
C:\Windows\SysWOW64\Hhogaamj.exe

Filesize
71KB

MD5
da618ec31730c1ecdc704c6213ceecfe

SHA1
ab309978d09f70f7c8d9dd45e00e8608d1446078

SHA256
425e6c301ec9d318884c2e3b3ae5f3465571798466127805e34e6c1c5c2e4409

SHA512
562821c8dfe714eb7235b19a4eac352266ea288d3313c08b61150a873118a6636581321eda64281df9a3912ae2c67753644bb32e9c04d7409b849ba14eb2d4ae

Download Submit
C:\Windows\SysWOW64\Hijjpeha.exe

Filesize
71KB

MD5
98189dc4f549d76018fdef5aa1a5d7d8

SHA1
f95f5b601822c179ce0074c8db3cd15d817de95e

SHA256
6bbf80547013b985389f6b5c9a050e88af2747e2a4061c759b9e05b4543a96bb

SHA512
7737d09fd3b3cba08c2c9c71a211b0a92de9aec4e3f02a2030c069b924eafc888ca19b539c542147060ff82bef50fcd3206b503087fda8261e3910f6b84f6874

Download Submit
C:\Windows\SysWOW64\Hlilhb32.dll

Filesize
7KB

MD5
e7e38c8ca9a6a651768f01fd749b40b1

SHA1
988e2b9113e8ac7cf90f71c4de69a2261f116ec9

SHA256
7453be47b0e70e368354a8265b28920850fa6cb50b9d794dc3f07f2037c0cb57

SHA512
5ab32682066e16c1c174c3a6cf1eac7af5b8893b17104afe1fae079dae55467560c34730c79ad86f243b3f5a04066d639c401bbc6372ed2fd4dfb54fa9899dda

Download Submit
C:\Windows\SysWOW64\Honiikpa.exe

Filesize
71KB

MD5
bdb0b223d8063ffda38f4c04215a879d

SHA1
87d6830fe8c1753a261ec8af4cc1dadc500277f9

SHA256
413a7c9985b1700fec6ad77ac2eb2c9f49c8df27f8d3aaf9570ea26f2b5caa78

SHA512
ab190b9e31b24314e45ec5ebe2ca248b1e2e7ddcb8826892f96e6d902f0d2b72027dbcdf369bdeb2c4f376d9bc9a6ccbfc1c911280bdb2acd53ca2bf93614dfb

Download Submit
C:\Windows\SysWOW64\Igbqdlea.exe

Filesize
71KB

MD5
977458d4dee5aa30c67af1af9883faaa

SHA1
67ce087f8a91ae005ff3b232a7383b5020fd0dd4

SHA256
94e4783dc06763f407d36069da61c88a61ff48d12edd60138099d24e1bf0115b

SHA512
c726015f6efc817d9e472afd38862d5f6914311a0d5b8a700c278b1084e9bf5ace25d2c7bc1334c3510019d6f55e6d92dfb0f617e717d5a345ccf2fd0840d749

Download Submit
C:\Windows\SysWOW64\Igkjcm32.exe

Filesize
71KB

MD5
a8565314c205c7a12ddbef2ef6170325

SHA1
5797081ee644aa85a129cad6def158157fbe93f1

SHA256
caa85661ae1c339e165cb845635e9b0e076339d278db33c7f140c1bc2a040d68

SHA512
e88074f2b87dcc28b93af7ce39b18ec878acb721a94cfd293b1a3105d9c36a44e587b3bca73144e0f1b160756758bbc0a5df389eeb7da4cebbcf6dbd7cc457dc

Download Submit
C:\Windows\SysWOW64\Ihdmld32.exe

Filesize
71KB

MD5
a8f4676a47f13a23123bccd4c2970878

SHA1
65bb976e2a1854b5de4a8f53bc0ce615b7cc7873

SHA256
a99d8b966d09fdb1f1ebcdf8014b66a159439508fa3c1458e4210bed0bb5c281

SHA512
eb92878bf3852fbc8fbfda398370bc97e7dddf1bc7469547a41662715220e5dd9670cc39b7e2c104fcdc577e078b6b07f2dcd560efd462158a61ad44be0ec2d9

Download Submit
C:\Windows\SysWOW64\Injlkf32.exe

Filesize
71KB

MD5
84748baccef1b11c5e1ffc9f49ba8116

SHA1
971360fd4b2dac3879ea55557a87f44ddda75c7f

SHA256
bd84dbe602ce4d88420ca479860e6184635c87be72cf5c3378b52e8faa1c572e

SHA512
89cbedd35baa7cb74b5455bfe1a9682cfdd8250ba0fce29e5d3277b5ab76676fb63013c89aabd3eb0f55ddb95bcb56165f3579a975a78223e596b18d3e144713

Download Submit
C:\Windows\SysWOW64\Jdogldmo.exe

Filesize
71KB

MD5
e3d8e9e54d42d14dc539f9a003533ae6

SHA1
2a7de63359fb213b18384ff645a62393f4cbaadc

SHA256
b76c8755ddf920f9f9c9c30c8cf13b78cd542417d75ce04c968edf333cb8aedd

SHA512
efc2385586e3a4536152f24b1a1f24eb2998a65b10c13519a65b01523f402d052f5632420411acd2748ae493b94c56888177e39e9e476ebfc94d7bab9d5b5ba3

Download Submit
C:\Windows\SysWOW64\Jgppmpjp.exe

Filesize
71KB

MD5
0601efa07b3281ce9c09d8f114aeae62

SHA1
63ba32f144af26d23a0b2d3c5f126de350c6182d

SHA256
fd5b3bc125b9086fdfcca859744f01cd91804c5514ffaf3234e920ef39483c64

SHA512
bf2ab65ab8be622a30a6a4fdd7e46ba62569268d426995b6c8ac6b9ab7374dcda2fb163ba26fd1adb052218a7f8fc12552bee89519e13dff9cd9df97346cbe2c

Download Submit
C:\Windows\SysWOW64\Jnlepioj.exe

Filesize
71KB

MD5
b6fea2c5832af51d0bd47b2e9dcfe67c

SHA1
61f779004adca8ff62ba07ecc54abee36e88ef26

SHA256
5b868a16beff74887b20a96c91fa1e8fcadbc34da13a5b568f9a5c0aeb08c179

SHA512
d31d54c7df603de7963fdc4f39b23122577e4b3e665054d2d298c98d0f0a886dd3e52fce8ddb6dc4673650888d3962851895ed38069f5b13b89ca95a2b9586d3

Download Submit
C:\Windows\SysWOW64\Jobocn32.exe

Filesize
71KB

MD5
45cdeafcf07dbf493ae3684db0df904c

SHA1
e4f4cebb818abd248621c9d96b53faed501b24c4

SHA256
d722a4381c27d4230e09fd3989c8f7d7ff7ab7d5d28d701fd7c2a3b0b48a1995

SHA512
0a73119b77d4fe23609960958ecd0db4e5b1a534dd25ae6b8784c9f1cfb8ae41b31e82eb39ce1bae168c4afc7f1247324812038ccc5301c7ef2817923770912f

Download Submit
C:\Windows\SysWOW64\Kcimhpma.exe

Filesize
71KB

MD5
5f2b676cd41c356d54af8c019a49d3e3

SHA1
0739280e2e922882325cfaea9b8a13f9cc336b7f

SHA256
96093b29e700a5383a1dd83d168f293e925dd5fe68bbf9fd3a8d2e4d399fd9f0

SHA512
ee61ec02b4d323647042ec20f1d228cb4040070691cd5ab9fcd7b6cb30c59295cecd5c0eac891116391e4a3a3197355033d27742b714606120db750f62dbc066

Download Submit
C:\Windows\SysWOW64\Kihbfg32.exe

Filesize
71KB

MD5
a5926ed3390045dd496e90076c008911

SHA1
42c83ddb8b5796ecf35092175111b88f827f02f0

SHA256
7ff740fbe8fde72c2009dc425dcac9966fb1cddf55928fbb14ee880628496368

SHA512
168621adbba67dee1aaf5a7c6ccf0c13387c3aef98a972e4ec58b7271b69918f9376d873f3ac525e6b11abbd7764cd61ff673da66e795ce9964ad33b72b127cb

Download Submit
C:\Windows\SysWOW64\Kjhopjqi.exe

Filesize
71KB

MD5
ebe6f5822d8eeeb85fb7b541f093f9ea

SHA1
cc11d0485f40d1aabd304c8828b5152646b98b58

SHA256
9b3f6873efd9827d74cdc8222b56a89cb137cb448b55bce8113371b7fe0c572c

SHA512
85899d85a0f5d17f079229a1eb93e4fe124f2aa24e6cd8d9a0697d5b3f52bd45dd10f3d7669a7013bfd0f463577e1a36db142775a897e2903bfe554072b75e7f

Download Submit
C:\Windows\SysWOW64\Kopnma32.exe

Filesize
71KB

MD5
745f0791b9deac118a3b0f8c13e8c7c9

SHA1
9b9d345c56a0984415b4cec8c6d9fe1323212df5

SHA256
c2748db7a3665dee7cc224136c621e12e1b3c631dacd57ae8982f9f176c4d7dc

SHA512
cc2206df1a955b53342952a39cc0edfeae5a16f09d23788ffde328de8163c99dcae7b3ce301f747ec222f9300c08387302a4964f2c0ce1df2b9dfc3be342264b

Download Submit
C:\Windows\SysWOW64\Kpgdnp32.exe

Filesize
71KB

MD5
c13f3deaeaed8ca8aa9f36e03872c437

SHA1
56363f9feb75f99889e8b64a99005166177f5bd3

SHA256
9cc24d66c6778e8def512b5ec398d4e68db58d6458a4afc53f9423a0ebbe00f9

SHA512
6598491196bbe7b1d09d806dc71da82a3c86f326fd2b626218e5830526314398d1a131a1af183dfc5322501b8c663dac8f15d1880e0b107462fd81d740df6e8e

Download Submit
C:\Windows\SysWOW64\Laackgka.exe

Filesize
71KB

MD5
d39608133205d4f135d1996097ccfd6a

SHA1
e503ef8a911dd9a89f899538458f7510e481d71d

SHA256
82cd821ef9c50034ace67b413e1452f5c25b325268ff74bf0d6c5f2a4762e662

SHA512
976ed6b7adfe90944376d672de03bd90aa95fa72a2b897be9784880bc8d2c095cc1de1f292aca16cf5a30282418a970f4ffbd5390ab3c6e2e4552646f0ec40f0

Download Submit
C:\Windows\SysWOW64\Lbhmok32.exe

Filesize
71KB

MD5
724e9458dc49b309798fa28924a690e7

SHA1
6b868143befd8e368e3d3b551feb63750488c804

SHA256
dcbeec742b96edc73134a64f256aefbe95f7ed22594323021c1cd60ab37ad44d

SHA512
06ac913900e7f4257f529bda5d622fd958415c025ac05892cfb806584a066dff65810aa1efa96efe769e00b24ce64419a7599f7439cbfe61c1136d94c5b19037

Download Submit
C:\Windows\SysWOW64\Lehfafgp.exe

Filesize
71KB

MD5
8bbec3becf7240a8716cdbe1940d231b

SHA1
fbc874f815d81597e8029f7f16827e1660130832

SHA256
eadd5433be87353e55e013d4891d4738bb1d171c846f910accda097d46ec1554

SHA512
ef0990474d30123fae7a549e0c6e6d171adfb71687eda96258d51be6b57ebebe459e8b444fa25f0f09f5f67a5ef6e6d7d4cfa88b7af0ca74315b1d7e600a39b2

Download Submit
C:\Windows\SysWOW64\Lgiobadq.exe

Filesize
71KB

MD5
a677f72bf0c520ccdbfbb28c0a4e245d

SHA1
b587e06789662f80dbe5aa6bebe64a598265e829

SHA256
69dcd41c2c24ca1c98acfe0bf05e4cfa542878c5eebe3681c53383949a185e04

SHA512
d984146d024c6e7343178e904fa10a8f4358ecb14c477496a9f7fdf4cd17898d261d0fa5d81bb8661be31e14d5ed29ebc8061ce23dd246dfcbe45201be76019a

Download Submit
C:\Windows\SysWOW64\Ljjhdm32.exe

Filesize
71KB

MD5
b7dabd82c2c0b422d89b2f41d71e8eec

SHA1
74f4e9ce63b4b5d88adc5b77dc4f2dec8304f5dd

SHA256
fa92e379ca6c32473c7940f4171ccf759e429c2c47a45c7934c413ef569db794

SHA512
0125c83263c1f31897687542e25045c54fc6688a5b45987ad9262978e44938c79f58dcee0ac6c3956d6eb6a6b31f420bdd73d75d05bd3a7938459e9e89d51d5b

Download Submit
C:\Windows\SysWOW64\Maapjjml.exe

Filesize
71KB

MD5
2660e1b942d5483f9682244e1636bead

SHA1
68cc5cbb6e40ce4db892aad8556028eb8bec9996

SHA256
bb335d64a273a74b505e1ddad836ebf0efd2fd065488e39560ce51fb239cf440

SHA512
4a464f926808434fd5d342912a463cf644223d4c9cf720804ad4966d851eaade2bee13c84ed948d9f380aea10e1746e0a1f947530fbc49397ee5520b7515a83c

Download Submit
C:\Windows\SysWOW64\Mbemho32.exe

Filesize
71KB

MD5
b8c54b9a7d78c24f0d5106499b189844

SHA1
65719ed8f6426c02427fb5e107712447b78cdaea

SHA256
b6248c1719c9c259545c1e9bed1302cf8dd2f6fdf8eac5e9b9a66bad3d8a24c3

SHA512
4f14b1d5c20dad7471bb5ff7db2802c36830d6d60bb8baa82e15d21affedd8392e9e2e3ccd384ccfcbe6b5c48cc8e8f7dc63f52417e605803cfbd09fc0307a67

Download Submit
C:\Windows\SysWOW64\Meffjjln.exe

Filesize
71KB

MD5
d5a0898818386f17fd4d361325c46148

SHA1
a8cd2b7224d8efbb1c04075bc2e4617d73a8f82d

SHA256
5a96ae9dc8bba0f5bb7cf2250d59f69dd5cbe9c293edbe2b47377ffa46dbd01c

SHA512
20e8b54f9e00bbdd8f7e449fd4bb0c5be8fc417baa6c096d476fe5b409b6960d0b2c1b7150421450eab1a4fbcc2beb2142864b643f692a570657c76f8d424dac

Download Submit
C:\Windows\SysWOW64\Mehbpjjk.exe

Filesize
71KB

MD5
72eda52498a507c8aa0068731b52f37c

SHA1
9bd931cba3b7d86875c221bc40e89e18a3d54f80

SHA256
ce2b97c2b72697f259e74703561b7714fd72800e9f1ed89fd8a14e9a1252a04b

SHA512
67bd30fdbb7ab648210369ae8479ea475044ae9506b597291e0b5293ece4cd2260896e6518ce96463a2df75e7567c3441aa63cdae8f1f667cf5fbe644d142af0

Download Submit
C:\Windows\SysWOW64\Mifkfhpa.exe

Filesize
71KB

MD5
bb5536d327e3c8fc8cc54ee96b98b1d6

SHA1
f227cbb3458675d54f8cb85690e498da19df32c1

SHA256
54e4da0a334c775fc690c8e16bd9ebe27e2ec1857fe881bbd753d94017be9b90

SHA512
ffb094994fa47c63f4349fdea86b03592c84a2611906d1826c87303c7a8d655406b53da61ff756093c43320c3d2bbac6f35227bca19aec57a18b0f040e705f1e

Download Submit
C:\Windows\SysWOW64\Mlgdhcmb.exe

Filesize
71KB

MD5
547ed99c66a2b09e62ac5e25198e4714

SHA1
94ff1cb58aecd02258e9a0b87526c5299c007b05

SHA256
b17329b81196122df362f076190482b600ec333fd65cf8c4c2a6de56242b0d8e

SHA512
6467ad7236cebfc2c2217495d6c846aeb1065b5f0bbce37300cd5f85beb34d72de70253503eb1d6534585871d2d9c3d34ba415c2aa6c605c7d9556b6d1817d74

Download Submit
C:\Windows\SysWOW64\Mlmaad32.exe

Filesize
71KB

MD5
b023933216db9e722aee1b959bb8ba0e

SHA1
4c59bf6459cf10c64e64004ba9520aed859c8ca9

SHA256
926f9cc6ad006270c121781e36f370da7129a62b67523c74848a87a64a2bddee

SHA512
f0fb4c27abe5a681745a25b6b67f81522a81e050c04065611791e791e9067a788078b72050f1f9eafa5a95a0f2ba5672d7567e32109f60a34599c98d6ac5be19

Download Submit
C:\Windows\SysWOW64\Mmmnkglp.exe

Filesize
71KB

MD5
522f19834d0b536b232d275f030fc189

SHA1
19de6c24df39c97710c68dc98694fe0c90605caa

SHA256
15c823b91340850393ca035e5b8621502b604e0a1685b8abffbd12eee8860fc7

SHA512
f560c38829b527eba7544383830165dcec21afbf5272a166d549f1b64e48d829ba6673b998d4e3f0c67edb97a07c25f415b812d411ea54929c3d2be6849de88b

Download Submit
C:\Windows\SysWOW64\Moqgiopk.exe

Filesize
71KB

MD5
cfbe7ef4a6ef6392740b5f724b3be26b

SHA1
ee231895e599562de662b2e26d70aecb544264d4

SHA256
af89cfb87347b5261ec196eaaa12767aa53346ebe482b1846ab737b5700d366c

SHA512
4e77f920c347086b96f79b819c973b0362d03f979640e395c1f272ccc6e1983f149dcab3fd13633fad82791c5a6cfbf4e3b20f9ae8a6603040e940769c89c583

Download Submit
C:\Windows\SysWOW64\Nhnemdbf.exe

Filesize
71KB

MD5
dd56562f9d15f5cd28fe872b3c774e35

SHA1
18643370acf2b030f6cced2cea6c76cf5293987b

SHA256
f35ad8e089f9c21dbe50df480b106b3f507a45cc12ac222fdc9449fe2866581e

SHA512
233447a1b2dd708ccbde23c6b90c8f8becfa9fe99572e9fe528cd05deeda1a9c43b09c47abbd6665e1b2cde8478a7d7b1b5b585039162c038db13b1277473b20

Download Submit
C:\Windows\SysWOW64\Nknnnoph.exe

Filesize
71KB

MD5
5da3951e014956e9b6d29261ab1a4371

SHA1
2120cc1941464a5db8a828e8488643b65a4c4628

SHA256
ea77aaac695a41de3e4ee1a76ce22792f8a1b99c3370206cfd306d75eb51825a

SHA512
b6c4da7c8b59f7b71e7e59953d4aaf40bfbd517a3b5a7e44ce5f9b289d11863545ab0513340ce73a52550ce154c0b25dd4301ec2df01d539ed1f181641e8317f

Download Submit
C:\Windows\SysWOW64\Nkqjdo32.exe

Filesize
71KB

MD5
61a3fe5dd64bba6e5f480ea5514f2c86

SHA1
de698de4a0f140974645ba621f84153e00eea224

SHA256
71dd03d48c94247663f7ffcfb409c392fd633523c063268a97596b3ed5bf9c28

SHA512
f054c280997251ca0055a4e98c7dee8167738e20cb2825dc9ca3e89e6b1089ce1767e5a00443b16eddd69ecca753ca25b0f83d3d6c619926ec597027c16dbfa5

Download Submit
C:\Windows\SysWOW64\Nmacej32.exe

Filesize
71KB

MD5
7104894c669ac58139f3366b629473f3

SHA1
c3d5e516e203fd139747ca7c4c0fce4dd67d1f98

SHA256
dac0eeaac431aa5165c2dd81f15522a4e5d3659536032a08000b97e15053c054

SHA512
03b9af383e4d4a4fd89ca04be977a01828bdc6f90aa7c400c005fba116ec950dd57a7b26b420a6f8a02b5a53c1b6959ea3fd89136d231a3b4ece0d453a6b0ea4

Download Submit
C:\Windows\SysWOW64\Nogmin32.exe

Filesize
71KB

MD5
ae906155ccc8e034765e7a53e3002c55

SHA1
3c10e552cfd1d33885834e00a9e6fa6ccad1c77d

SHA256
1678b92bb8b730b7e89fd0f3beceba9b36c7294cff2e8c87b147ebe9c1e2428a

SHA512
57d860044a30e02afb35cc49735aff0546040ed9e8873da0fe0821bcc6fb4da48a4fade228a149afa493308a9616b2fb3ca483162e903a434b97e57e483f968d

Download Submit
C:\Windows\SysWOW64\Npkfff32.exe

Filesize
71KB

MD5
c86d7c86d75934a1f812ffc0d4d3f413

SHA1
9daeca605d2518509aece8fa8a3bff7e46e8779d

SHA256
da491867be5a8b3657ea35f41ec7143e39613fc2c747b3aca6f4b8a47a5f9b3b

SHA512
d65670fbf26e79f28b66570d2ae3d0155b4c24f2d4a8e5f96eb52c9261fdca0aed337e0b08c78fc084584f342385611028bba8d0ccdc030b4fe4432d1ccfebcb

Download Submit
C:\Windows\SysWOW64\Npnclf32.exe

Filesize
71KB

MD5
ac33c213095e3b6bac250da202c98135

SHA1
f7321ff7d52b0579f9f51496d586503b58574fce

SHA256
9ac7158624e50644cb9f8ca976729f470140a26099500c48da247f1a67eb4454

SHA512
4476a4e77b21e73e5d473ca2ca365247ccdd9e07a2043091b790572856d43e079a1dd45d2fb8c2a1ad6122d689c75797d9d8056f1ab86f6ba4009632f4e23b8d

Download Submit
C:\Windows\SysWOW64\Oemhjlha.exe

Filesize
71KB

MD5
3abd4fb0ada8800edc82fbfda0e9cf2b

SHA1
1964f1e8b7503371e16da871ea299ade6f0e2e2b

SHA256
2c3eacbba3042c4698e0f8912b61b162499c961757f113aea22d11940ddc1d13

SHA512
d47c9ce599b30e4da6e2291033456988f4279f8818f9b56b858e58631d5d7dd666fd55e35a6a8c57527f7bc9f71131df589af1d3b2dd90430739aca5c9945200

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
71KB

MD5
ac1f063ca963582cc999640eaca2c3c0

SHA1
e19fd3e6d25198855cd61505d0fb9a87a68f6eaa

SHA256
2df25dfeebf59e650ad22a38a1fa202d7594f5e9343fe6339310930e154e7ca3

SHA512
c5a52dd394ece2820ac1c4291a62cdab1b77dcf3989ad7a90278a2ba5887048de776c582bef3c9fe4bfe646bf3ce067a45a7892344a9ee6f8bbd8cb350ddb318

Download Submit
\Windows\SysWOW64\Blobmm32.exe

Filesize
71KB

MD5
1b7bebfc7704cd91feeb5693d0d39ed2

SHA1
0c1f7aa47acef8ac360f2acfda10a1503b74caab

SHA256
206406b9b4678aaaa8459925c60e6ea9d1a119ed1f8f03c01df22f57061ab659

SHA512
0837ce8440fc7e34dc9d6576de882e4c514e93a6f0d5a37cf9d09bd1f9e328e67ffa2e05e1712270888d4c7539c54293c89a43a0dd92ee4b4cd6686cdb16efa5

Download Submit
\Windows\SysWOW64\Cenmfbml.exe

Filesize
71KB

MD5
6e742a6ac4a66976f5b26760b97bb7c1

SHA1
77bb27611b0baa199b7beba74e5c2dfe861b5329

SHA256
3cd29b06f86fd9cac0bf010f7d0fb3ce72e8534e8f67d257bce909d2f2e1eeb2

SHA512
9c9e6bf8bf8289c53ea991250b8c0e8c79349138a980384ab45978fc12853c77f3edc3f4107e0e815cf12933279c588ad11f295d7289f8a3f7557acfbc427dc3

Download Submit
\Windows\SysWOW64\Chhpgn32.exe

Filesize
71KB

MD5
53f73056d7d8907e55224627ae679480

SHA1
483904a799d5f0da8eccf30e48f5975e8c08c08a

SHA256
13a37f73a1ac0461107ec6eb9ba9f93daf0c3cfba30b3d3ea385bb1a9a02f182

SHA512
3db94b264f59a8ee77e1f6126fe210b45a7d22cb7895cf3dacc2aca7cff01932fdd2254b82bbe58c540e8299f0a52b380960da649ec77f0fa846ed7164c7045c

Download Submit
\Windows\SysWOW64\Ciglaa32.exe

Filesize
71KB

MD5
195c3f7b8ddaaf306c82c86a0ccede7e

SHA1
6f107ecef9c6165b2b7df7d8506918e8370455fe

SHA256
c6ebf2b5e6781075836f0e2749bbcb3f1ef318e8f25be4463439b51bd95b1436

SHA512
6d9626dd683503c61660f431a81d288f9eb98bca90660e60390103c69789adc6a0829d22fe4d9fab5cbcbe576119a485d23b37b230ecd2cbd2cdd12728b9c683

Download Submit
\Windows\SysWOW64\Cjboeenh.exe

Filesize
71KB

MD5
e7f894bc78a56711c7e5206a2ae92ec4

SHA1
9290f403322d7ec4cc65f2309f6c367b1643f454

SHA256
2cd6979a4d7a83bf7000ca09178017bbd831dd5b3b5faf3f234ce777feafc64f

SHA512
2c2217baf239e80457c8cdf9ad7b63c3433ac3881d5bfa7d673ef4461f8ed1b69417f6c82b14167dcd1b1d89983b2f07d02eef22824c4f0d5fd8684959e37d25

Download Submit
\Windows\SysWOW64\Dgfpni32.exe

Filesize
71KB

MD5
aac7c9e5d216ab5a69e20137cd88ad6c

SHA1
977b84df79507e6a708b1ceae1e296294c8521cb

SHA256
98832612e0da815eaffe662df778103a886c9cae7e5161d9dbd139d10a50efe9

SHA512
b52ede030874f48b680c3ee6a4b3b694c0c5a265ae1b923399f8039d29e52795c837b9cfb9a6f5b6fd420db01b68f85cd797add87454a66077d0e5848ed94557

Download Submit
\Windows\SysWOW64\Dgkiih32.exe

Filesize
71KB

MD5
20d1cec5e4b35723cab2045c5ebba4cf

SHA1
4d2f742a72edbd73e107e02a00118a43b446a515

SHA256
48952c1705ff6c2d77bbfa4bfe21fc0f85861e6cc8b3225090f17271c669086e

SHA512
a5e0ef7239a79fd46cfaf22afd1f88f8452edc38175341cc47d28b8c57e76f8ee21613328904300b090c3f7f29f4029a1b22ed05d7ed427c2195d61721e700d8

Download Submit
\Windows\SysWOW64\Dljngoea.exe

Filesize
71KB

MD5
9fc0690aa312189470362f6e679b2ca2

SHA1
c0046f41a0021ca25eaf909ec550a73092201677

SHA256
a3513a13ec866a6b0bf6fcd82b0377e7ff06e743c0fec8a0236c604af9a44829

SHA512
44bae61f08d71f94e4682bfe1b1f45eaf121ab51ba4335d41eb4db3aa9fbba5fe2e206da004dff4d7389830823bc58abd6129d218d0d934302e92b46475e1f03

Download Submit
\Windows\SysWOW64\Dncdqcbl.exe

Filesize
71KB

MD5
1546c8c016f681a840fdc41d1e1ac299

SHA1
5372d9814c7e4fa0fe014ee54d9d1d78bdaff289

SHA256
776351078f06c8e87965b3aa76990b6720908a2a847af7b6312eeee742808408

SHA512
5848e37f3bd8b18c1d2862d04c8e70602c33e8f6ae40314c7d47668cb88c2467beea8e93f44d945da6d4ee095976f50e967b486c3033f66dc9c0d0ddfe833d32

Download Submit
\Windows\SysWOW64\Efpbih32.exe

Filesize
71KB

MD5
101abd57ebbd6db91acd9e22cdaf99e7

SHA1
150f9bcab7d1ce515c1cb16f60795521b2321816

SHA256
30bc921ffa1e3f58c99a1ad3d9ec2fa9b5bf77b3eefc7daf3e85c1fb8f938a62

SHA512
a7187447c724385fde1d484ee65ea65d5d808f8a04ec811e5d48cc8feeb891c708adadaea3e8a5e982d17d092ae34882c1e476e42dd133a3efec03fc1e60ba3c

Download Submit
\Windows\SysWOW64\Egkehllh.exe

Filesize
71KB

MD5
f2049dade4bd03005bc3b39d84ebafec

SHA1
d29dacd647d1a6705ce4ef2cbf30f18c061942b4

SHA256
ddd70231a2c9c418a61ce2e2e355bdda8f29a0d3fdc5ec8a7ab503a4c2d4e7e0

SHA512
6d12218f1ac7e8145cac9064350633ebaf2229db7efe4a56208d5499a709f900d7f870e77a6eae28c90e1624b033a66773629328efeff1997505dc2464370102

Download Submit
\Windows\SysWOW64\Ehaolpke.exe

Filesize
71KB

MD5
c2dbfc668053e798f175b981bdc01eaf

SHA1
01e98bcf4cd527396a8d363c62374e43ec59d89f

SHA256
a15b22aaac73d50da20dd2b014d1ac3351dcda63fc5ce8db451082e5a0eac138

SHA512
a7921738771635353a36cd87532b765ddab8c694003fc367de4168a1b2b69b07cc9b4a3d5236bcd754fd858583cdd42dc586d090dbbe010b05ea23a3c3bde43c

Download Submit
\Windows\SysWOW64\Ekbhnkhf.exe

Filesize
71KB

MD5
d33d4321fb712ab6f19020daf7144996

SHA1
d0b54dd67197b73e58aec0bff9e812c908ce81b9

SHA256
5dbdfb1d4dba8d54467ee1a324863b59c23412a38e3ca4a4ab0873d64d6aef1b

SHA512
e3aeb2c3d887597f8b71907e78eece60adb9bbd2add8f7f84c58f344330124713d7392c25b7ef8dec33ee8f63070fe8015722c75a8d7fbf19887c2aad7c09045

Download Submit
memory/368-499-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/368-150-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/572-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/772-237-0x0000000000320000-0x0000000000359000-memory.dmp

Filesize
228KB

Download
memory/772-231-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/852-294-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/852-292-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/852-282-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/976-212-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/988-519-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/988-509-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1020-222-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1128-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1128-438-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1292-241-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1292-250-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1328-504-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1476-199-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1500-105-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/1500-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1500-93-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1572-315-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1572-314-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1572-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1680-172-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1688-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1940-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1940-459-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1964-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1964-260-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1988-325-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1988-326-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1988-316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-272-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-280-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/2028-281-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/2060-427-0x0000000000230000-0x0000000000269000-memory.dmp

Filesize
228KB

Download
memory/2060-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2092-266-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2092-270-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2092-271-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2116-495-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2116-489-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-510-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-166-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2192-158-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2228-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2248-304-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2248-300-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2248-293-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2276-488-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2276-478-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2364-487-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2376-469-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2452-185-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2452-193-0x00000000003B0000-0x00000000003E9000-memory.dmp

Filesize
228KB

Download
memory/2472-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2620-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2620-415-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2620-413-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2680-379-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/2680-380-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/2680-374-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2704-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2716-429-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-62-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2724-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-414-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2864-381-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2864-27-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2864-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2864-35-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2876-336-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/2876-327-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-401-0x0000000000600000-0x0000000000639000-memory.dmp

Filesize
228KB

Download
memory/2908-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-402-0x0000000000600000-0x0000000000639000-memory.dmp

Filesize
228KB

Download
memory/2920-337-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2920-346-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2936-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2936-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2940-428-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2940-416-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2940-426-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2952-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-127-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/3032-347-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-17-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/3032-18-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/3032-348-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/3048-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3048-358-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/3048-363-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/3060-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads