berbew | 0feb659e6b9c10ab3f46142db871e811aa4684d380601ec327c6a4b30430bcee

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0feb659e6b9c10ab3f46142db871e811aa4684d380601ec327c6a4b30430bcee.exe
Size

227KB
MD5

a6d22c247765eb2a417155caef3cd77f
SHA1

f4770a50ae1c33b1dad50ea902ad68b2241a70fd
SHA256

0feb659e6b9c10ab3f46142db871e811aa4684d380601ec327c6a4b30430bcee
SHA512

207d2b51ce04a3228b5670b127f92c7cbf9ae5b38bb9ae951d31d16e75678d8d5dc965f094ad2e27900c0661c9a71f5bed3fb24b8fbd31e4dcfc4a2834b76fd7
SSDEEP

6144:WtVfson3JTFn3m7U5j2QE2+g24Id2jFHu:WbBNtiojj+Td20

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnqbanmo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1592	Jcbihpel.exe
3236	Jedeph32.exe
3852	Jbhfjljd.exe
3352	Jfcbjk32.exe
2468	Jianff32.exe
1816	Jmmjgejj.exe
3560	Jblpek32.exe
1060	Jmbdbd32.exe
4340	Kfjhkjle.exe
676	Kpbmco32.exe
1268	Kikame32.exe
3040	Klimip32.exe
1748	Kpeiioac.exe
4484	Kbceejpf.exe
1528	Kfoafi32.exe
2432	Kbhoqj32.exe
984	Kplpjn32.exe
3240	Lmppcbjd.exe
5116	Lpnlpnih.exe
4104	Llemdo32.exe
3392	Ldleel32.exe
1116	Llgjjnlj.exe
1468	Lbabgh32.exe
4988	Lepncd32.exe
1428	Lgokmgjm.exe
3252	Lingibiq.exe
3936	Lmiciaaj.exe
2352	Lllcen32.exe
4612	Mdckfk32.exe
3492	Mbfkbhpa.exe
4520	Mgagbf32.exe
4368	Mipcob32.exe
2264	Mmlpoqpg.exe
2808	Mpjlklok.exe
3656	Mdehlk32.exe
1896	Mgddhf32.exe
4344	Mibpda32.exe
1756	Mmnldp32.exe
4760	Mlampmdo.exe
2796	Mdhdajea.exe
3328	Mckemg32.exe
3288	Mmpijp32.exe
2844	Mlcifmbl.exe
1628	Mpoefk32.exe
3396	Mcmabg32.exe
4424	Mgimcebb.exe
4996	Migjoaaf.exe
4400	Mmbfpp32.exe
3280	Mpablkhc.exe
776	Mdmnlj32.exe
4296	Mgkjhe32.exe
2504	Menjdbgj.exe
5040	Mnebeogl.exe
2996	Npcoakfp.exe
792	Ndokbi32.exe
3664	Ngmgne32.exe
828	Nepgjaeg.exe
4128	Nngokoej.exe
3736	Nljofl32.exe
1384	Npfkgjdn.exe
464	Ncdgcf32.exe
2124	Ngpccdlj.exe
1008	Njnpppkn.exe
3052	Nnjlpo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Jmbdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Jblpek32.exe	Jmmjgejj.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Kfoafi32.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Nmpmkplp.dll	Jedeph32.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Migjoaaf.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpnlpnih.exe	Lmppcbjd.exe
File opened for modification	C:\Windows\SysWOW64\Mpoefk32.exe	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Jiopcppf.dll	Jcbihpel.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lmiciaaj.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Migjoaaf.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Mipcob32.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kbhoqj32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Nkbjac32.dll	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Mmpijp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4308	2616	WerFault.exe	247

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmmjgejj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0feb659e6b9c10ab3f46142db871e811aa4684d380601ec327c6a4b30430bcee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojoign32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 1592	4576	0feb659e6b9c10ab3f46142db871e811aa4684d380601ec327c6a4b30430bcee.exe	83
PID 4576 wrote to memory of 1592	4576	0feb659e6b9c10ab3f46142db871e811aa4684d380601ec327c6a4b30430bcee.exe	83
PID 4576 wrote to memory of 1592	4576	0feb659e6b9c10ab3f46142db871e811aa4684d380601ec327c6a4b30430bcee.exe	83
PID 1592 wrote to memory of 3236	1592	Jcbihpel.exe	84
PID 1592 wrote to memory of 3236	1592	Jcbihpel.exe	84
PID 1592 wrote to memory of 3236	1592	Jcbihpel.exe	84
PID 3236 wrote to memory of 3852	3236	Jedeph32.exe	85
PID 3236 wrote to memory of 3852	3236	Jedeph32.exe	85
PID 3236 wrote to memory of 3852	3236	Jedeph32.exe	85
PID 3852 wrote to memory of 3352	3852	Jbhfjljd.exe	86
PID 3852 wrote to memory of 3352	3852	Jbhfjljd.exe	86
PID 3852 wrote to memory of 3352	3852	Jbhfjljd.exe	86
PID 3352 wrote to memory of 2468	3352	Jfcbjk32.exe	87
PID 3352 wrote to memory of 2468	3352	Jfcbjk32.exe	87
PID 3352 wrote to memory of 2468	3352	Jfcbjk32.exe	87
PID 2468 wrote to memory of 1816	2468	Jianff32.exe	88
PID 2468 wrote to memory of 1816	2468	Jianff32.exe	88
PID 2468 wrote to memory of 1816	2468	Jianff32.exe	88
PID 1816 wrote to memory of 3560	1816	Jmmjgejj.exe	89
PID 1816 wrote to memory of 3560	1816	Jmmjgejj.exe	89
PID 1816 wrote to memory of 3560	1816	Jmmjgejj.exe	89
PID 3560 wrote to memory of 1060	3560	Jblpek32.exe	90
PID 3560 wrote to memory of 1060	3560	Jblpek32.exe	90
PID 3560 wrote to memory of 1060	3560	Jblpek32.exe	90
PID 1060 wrote to memory of 4340	1060	Jmbdbd32.exe	91
PID 1060 wrote to memory of 4340	1060	Jmbdbd32.exe	91
PID 1060 wrote to memory of 4340	1060	Jmbdbd32.exe	91
PID 4340 wrote to memory of 676	4340	Kfjhkjle.exe	92
PID 4340 wrote to memory of 676	4340	Kfjhkjle.exe	92
PID 4340 wrote to memory of 676	4340	Kfjhkjle.exe	92
PID 676 wrote to memory of 1268	676	Kpbmco32.exe	93
PID 676 wrote to memory of 1268	676	Kpbmco32.exe	93
PID 676 wrote to memory of 1268	676	Kpbmco32.exe	93
PID 1268 wrote to memory of 3040	1268	Kikame32.exe	94
PID 1268 wrote to memory of 3040	1268	Kikame32.exe	94
PID 1268 wrote to memory of 3040	1268	Kikame32.exe	94
PID 3040 wrote to memory of 1748	3040	Klimip32.exe	95
PID 3040 wrote to memory of 1748	3040	Klimip32.exe	95
PID 3040 wrote to memory of 1748	3040	Klimip32.exe	95
PID 1748 wrote to memory of 4484	1748	Kpeiioac.exe	96
PID 1748 wrote to memory of 4484	1748	Kpeiioac.exe	96
PID 1748 wrote to memory of 4484	1748	Kpeiioac.exe	96
PID 4484 wrote to memory of 1528	4484	Kbceejpf.exe	97
PID 4484 wrote to memory of 1528	4484	Kbceejpf.exe	97
PID 4484 wrote to memory of 1528	4484	Kbceejpf.exe	97
PID 1528 wrote to memory of 2432	1528	Kfoafi32.exe	98
PID 1528 wrote to memory of 2432	1528	Kfoafi32.exe	98
PID 1528 wrote to memory of 2432	1528	Kfoafi32.exe	98
PID 2432 wrote to memory of 984	2432	Kbhoqj32.exe	99
PID 2432 wrote to memory of 984	2432	Kbhoqj32.exe	99
PID 2432 wrote to memory of 984	2432	Kbhoqj32.exe	99
PID 984 wrote to memory of 3240	984	Kplpjn32.exe	100
PID 984 wrote to memory of 3240	984	Kplpjn32.exe	100
PID 984 wrote to memory of 3240	984	Kplpjn32.exe	100
PID 3240 wrote to memory of 5116	3240	Lmppcbjd.exe	101
PID 3240 wrote to memory of 5116	3240	Lmppcbjd.exe	101
PID 3240 wrote to memory of 5116	3240	Lmppcbjd.exe	101
PID 5116 wrote to memory of 4104	5116	Lpnlpnih.exe	102
PID 5116 wrote to memory of 4104	5116	Lpnlpnih.exe	102
PID 5116 wrote to memory of 4104	5116	Lpnlpnih.exe	102
PID 4104 wrote to memory of 3392	4104	Llemdo32.exe	103
PID 4104 wrote to memory of 3392	4104	Llemdo32.exe	103
PID 4104 wrote to memory of 3392	4104	Llemdo32.exe	103
PID 3392 wrote to memory of 1116	3392	Ldleel32.exe	104

C:\Users\Admin\AppData\Local\Temp\0feb659e6b9c10ab3f46142db871e811aa4684d380601ec327c6a4b30430bcee.exe
"C:\Users\Admin\AppData\Local\Temp\0feb659e6b9c10ab3f46142db871e811aa4684d380601ec327c6a4b30430bcee.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\SysWOW64\Jcbihpel.exe
  C:\Windows\system32\Jcbihpel.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\Jedeph32.exe
    C:\Windows\system32\Jedeph32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Windows\SysWOW64\Jbhfjljd.exe
      C:\Windows\system32\Jbhfjljd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3352
      - C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        24⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        57⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        65⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4692
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        71⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        74⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        76⤵
        
        PID:396
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        77⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        78⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3648
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        80⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        81⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        87⤵
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3480
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        91⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        93⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        95⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        96⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        98⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        100⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3080
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        110⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        127⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        131⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        137⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        138⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        143⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        151⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        152⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        153⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        155⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        157⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        158⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        160⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        161⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        163⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 228
        164⤵
        Program crash
        
        PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2616 -ip 2616
1⤵
PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
227KB

MD5
7de6ff968d623ba9fcd8d30765298d30

SHA1
54ee7cc10990ebbae30381c707183930a3e6ebcf

SHA256
d1c96c668ebd308f52c016a995d36455759f6d7b808601e66254bc46381d4f2e

SHA512
819c0d09faa2ddf0f46f928f210059879fbb0bbfca81161794f29d939e46edf1c059fc87e34f2dd3b268bec12306903bb5857bb7b243502ff2c5aff576f87128

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
227KB

MD5
954423aacbf4649829cb0a3f63127179

SHA1
8bd4ee3bbcad75c5c7ba92d2a672e674bca61211

SHA256
78ed9263e27f308f00b5d6ba7c706873db0da9a0a815c7406627f251b147df96

SHA512
367814c55855951f86e948cce3b436c9d1f4d4068781ada0b3184333374b542300e112e271a12d7bc93eb01b43811fcb7dd5b486429beda6508dbc8a6df1986d

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
227KB

MD5
deba1180a7b09cb8194789866f048625

SHA1
03117a65d7ecf70a6f20f3ffff32d4b198cd768c

SHA256
22a89df0a6b7c142642d06a491ce043ec2d7bf1463a44c95520ae0fe2c93acfa

SHA512
118dd93a3f1e69ce5fbf704349befaf97d3fdc17fba3aa32d0f9707ef81e60088146be45968840cdacae8a0073995d654f54c7f0a39d034d68b0f838beed79ff

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
227KB

MD5
c2c8ae5abe675ef7b74f288315f1ca40

SHA1
e24731f33bd4f48cbf7efbfcacf50167d1aa4f6d

SHA256
0a671369c2352e8f1bf57286d6e6b4652f175c7c4bdf7ddd035ed49c45c7de83

SHA512
4f71466ddee2af94f2df7effeea83720bee4861223c6a082056521d6007730a7653544da07677cc4cecda220d2b250d5dc35f1d8995801b143f1bbe8e1acb420

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
227KB

MD5
1b542188c8223941aaf661185683130a

SHA1
700f2d3b42d94d30da337ec40c84abdecbc777d9

SHA256
8146499f638f73ebf43fd9838eeb20e554af9142010e4d00219f11d873e5b368

SHA512
605548d9aea2dfa8603b98d6dea5d0d9a38b6d960ff062b51f27ce466afecd2001833a0a66032900abb56c0ee03272d4a3a5abefb24644e3938438e4eee61283

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
227KB

MD5
79dcb988e7385d9c27e3fdd4b854995e

SHA1
22c227e15cc5273edfdf968cb11e72e1c7af9142

SHA256
6d60c11c7636cb7b76081ced85be352c2f2a338ba6b8f242d4aef7a915ddc7d2

SHA512
9e9975c6f786af5f91d278ddd5ad2f265a84322f859c7f072ef903d6d72e67e58e519db96a6fefb55c3043798dd05ae6b20b9085bea0fe7f85e21b3a3466c0d9

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
227KB

MD5
33410275928a72885e311c3db2e99c5e

SHA1
027c441be767abb6a2372e708cf09607dbc7fcc0

SHA256
5d8864ec8b798dc17209d415efdd130a059e59d2f2558cddf6a1da37a1ae2258

SHA512
0b20c9f7c7a1c8755c7ba92f85dcd345d27ccc95f77dfa00843d18bb9e5529722fbe335d5923ca82ab7e0734065142c5d68fad10f76091a50e7e589868e22940

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
227KB

MD5
e4fbf8e07b4b5e98a4f0d7ea2985a4fd

SHA1
11aaf7ac7901db996132af7cb882b22e119f3bd4

SHA256
c543bd959207c6b0713b4328409f376c0d03e3821f331f43e5eb7b7729c38a58

SHA512
19a2f51886d9f5387fad6a2fa6277db35b2c6c031b5328215a61cee7781649ae33f09df4c861bd73e3ed2d9f8f456cae9cbb715824218a150b4dd51c5ac97284

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
227KB

MD5
f63514be7eb3512b6912110532b34f89

SHA1
97f2cb929759996b075445059256731e97d39282

SHA256
6e37dc12c168037838e2bf405259b84ba36a861db97fbe46a3b71c7d8f48a739

SHA512
378296ae5d788d72e8a5f20cb84efd93f1faeb5f80478621de174924dce09947596db0a2f27631ec7f14872b0a49c209192ae0aec2a2a6c9c647d0e0bf90b240

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
227KB

MD5
1b990b8983b6f50732dfadb662a9fe84

SHA1
b8a6ee3427e7fa62c0cd7267e7dd9ce13e64e1f3

SHA256
4e8ba4c06581343e9162aa7587f2a97ccba0059d783b81429f3ff60a4de43540

SHA512
8feedd90d8729f831363f455b2558cd580853c748f5eaff81e0310e9c0f8cd95bd7ac65e3b1f9c5d6ba042b484ae392b4d5bffc8fe7bda707b15542fb032ead2

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
227KB

MD5
a58fdbc0d02ac3444f7deb062092a7da

SHA1
5e74b0ace740ac42cdd8efd5cb052a069cadc179

SHA256
310838984cde5ad718a6565a6ce5a743d924644bbc9750fafab123022a6a4492

SHA512
6a6c16fe7701fe756eecb994ba82b2ce5eb591048d1c7512c359c5354c4f729d1302c5e5c528451f8b4b44bf9f26ca50046389a41b8ef3c47c10cccdf8c99e7f

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
227KB

MD5
e84ac938d568084b335334475ec01827

SHA1
f33b178ae20fc2f2cbac611e68dbf2e836d9c72f

SHA256
318b9dca853245c38e66037666e409b7ca8624da5f093ae7db4fb89740a6e814

SHA512
7514e35cb7e4a6f0c80a0a09ee56debe21bb1d46ef8284b59b40f2e609145c5a455c59b4869548a16f2b34a5901472d84606137fef42c69416f301a5fe84f81b

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
227KB

MD5
c1295d3666cfdccdde09cbd3563eb8f5

SHA1
70427f478f267144bc77ee5d4af6f74cf32a8360

SHA256
eec69da47ef0c462f7617e27c63787e5a5762ef311ebe55b3c0dcbf83176f075

SHA512
432cd921c695d6f30dafca8d49a130f86ff9c7869cc21ec20d797e5bd61e7233f4cf0e1561850d7f2109db8ec3bdcb249d29a48d74694b5eb6eaee3136dae703

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
227KB

MD5
ff867d5cb2b34f2594322d0c5abdc713

SHA1
65c8a06c58529c5b8b14e02e2f5bc4710f1c76d6

SHA256
f174664b2c914af670652caa9ab363b05b2389044ced0ed02774206a00f12c43

SHA512
178b666b8e0b96958cf2f605727bcc54140e685fd144f5c0193dd0958c10a211706149f2b99b15d74997321db2dc103215f60331de07b9713bcfb0aefa8cf2d5

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
227KB

MD5
83e11f29b213af88b40b1efcae552d87

SHA1
c27af40534e9d177d4572e4526e7a3532c118177

SHA256
71a281c54ee0ebd4727463218a1f7653683cdff28c7c33b39f35413ca308225d

SHA512
4c0686bc63f8af89dcb5e7cd51e48a336a19ae3f6b2f4e5d0ad67b76d64595848a904325c028de4cd8cf590d530c06a9284c63536fc5403eda81dc1df4b004ca

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
227KB

MD5
8c71347170e1983583947f8bdae48394

SHA1
4e45962cc6db90850c1cce49021f2f4ef315be34

SHA256
33bb62a2cdd700523a54dc86cbd5a657393553aae73ae31d420728388f451cd0

SHA512
dcdf6e872623b438fbd6c04e6c0c5aa2aabf819aaa20cfc4c2dda62bfdb0a527ce7b5d75e504d2619de32dc1199c6022a14749336583a4ea6eeed2aa2a51d4b6

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
227KB

MD5
bc5ec6188a2d5976ac6f7dd47c06e870

SHA1
8cd622be42e04832dc2042d46d0f08c6609ea363

SHA256
f7613506b6f65cbeb73a5061f3de0185bbeb1ae48d1471846f9c06d79471abd1

SHA512
6575cb88ddbdec4c44ac2b37d626afcf0ad44ffff53fd30bb05cc95d71c69b1b243cd04d63b60eee2dc22b30ac85f014e5399f798043e6b6d4c34565b5b5ac9f

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
227KB

MD5
c2afbd97da5e357a259b4b891344400d

SHA1
c396fe8f2c5d6694b22f6b04729af0467cf9f54b

SHA256
f4cf65c5c3f0bfc478787b9fb0ca6800ea5c56003250c11bac5ad58799980b93

SHA512
9dfb819a5797c6f597d53d3b030dd9a0cdc8ae80fc988065a6de3943368aee009ce43c69a6f1bf928e022e3241b5769637ed6e2e10f9ad04619dd884156164af

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
227KB

MD5
b514be47158f5a2b45a9737aa4918405

SHA1
24629dde3fed69c0af535fc300fa00c2e98d3c0e

SHA256
a0bad490f8e90c8436fe9c49c4e5b9335ecfff4eb9599d3e8b5b9e929c18f490

SHA512
dd5fbfd8624cbd2d28fe81d89c73abe7a4fe9c9c828fabcf01632d994ba9b719d542307bbacbbf8558f7bd95889c8d0c7c65d9834c269599a7f0d478eaef27aa

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
227KB

MD5
232204c9859a4ab5a12fa7d8b7120e0e

SHA1
3e69655187e680d68d73d2060a5a4bab40b77f6f

SHA256
ff9376296f029f90ab757dcccf4d5facda6ee53f0e6832242d919f23263ce5fb

SHA512
a66059fd5f16427d745bf48b4fffd862476c6b09e88dae9f051a2faaf32a037320cdcab6e8656c3376c5ab6f2b02dea84766f033e745a490fa007ae04db8a200

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
227KB

MD5
83c5f2bf88baf9b278c222d31bf849c6

SHA1
00f9119be228b3e6a589cca9b5846b4ef434b53c

SHA256
d896a3665b32cb675b65b71fd63c495bd49a4eabe5aefcab961353ebe89c0b9f

SHA512
153c6318a8d9bcb19b1aedf8e210072b443a9609fff9685a8cb5ceaad5efac5beb09d13e7029ab1b5892db0c27f81f1cdb4702e7f165318a9173ab4d43a6452c

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
227KB

MD5
6c3ebc96312ad36f4d6f33ba4293315b

SHA1
2b3790f2a06d1c251b83191de9ba5048566cd371

SHA256
7993742e7d836be0fd126e16dfd55d157bb33b6a8c9bb042b0f6fb438247ed93

SHA512
d961467bd5b8738bab4070e70af9f2dccfad6ac98484c198f49e21c676b1821fa1fd34986979c9cf20f3851ca79f581df656d0445b21b06f9cd03e1139b06bab

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
227KB

MD5
efda41bbf81a299055c7e2193bfe999e

SHA1
8ab0c46736234064fa053e54bf27a30936bc51b7

SHA256
6765789bbfc574dee2a7d4ab7d8403bc267d8443c23ef1d7d520f1130834cba1

SHA512
0c6f44da0698d020cd8c58c1d822ac946f0283b5ef77d845dc73a7fb424cfd6e429738140221c5942db338242b66a4178d21ea9e4712ba61cf38344b332c0063

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
227KB

MD5
2b949e59bbe14eb1c76bf68400b7a4e1

SHA1
25d008fa4eae574e8136a1bbdc049053856bf224

SHA256
63e5277ff3d144b7a7f2ea784b9b69f3c547c234b76b897fe404db95461a5e3c

SHA512
3e81926475aa1b165ccb15920dbafbcd795ba6d1c4fa6f94b950642de4ed613087a581e5087cd7ac78b2820ffe858f38fd643ca2e31fbc7b3c35c507d6d54b97

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
227KB

MD5
7c36e12504aef340a63577f63f50cc09

SHA1
124151ccc0ba0456e04e3640c84ef23cbc60866e

SHA256
5862a2b4d382d2caab01e2dc2617087af2162986523530e811c7888eb29ff695

SHA512
4dbf253bc01877682da3ed73f61907946e227d68b751114cc4f450ce2fce59a64779b70b23eaf2727f0295064160c5d7772a0e46207115145103c9834e5a43de

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
227KB

MD5
1358baa02de9ff1d08c4f5dfdc33f95e

SHA1
115faf3f145e9b2f2d1f6ae8375bbde801d6bdc9

SHA256
be4ab75db29b3cdfcab6b85b86b95fccd17ab6cb83613b4c51260c735edc0e4e

SHA512
8f2927bb70a11553238b36f7e44eb1ecd9b37cf867a699568221bdb4f56f335bfe13ecfb67bfc962d319cf2f511509fa4367d33f77d9e5302d3bfdd979cf75a1

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
227KB

MD5
00a561898dfcc08bf46972050b53c1bf

SHA1
1260f1064c80b07ad7f29619fbc4294cfbaeb938

SHA256
74d0cc0a2879822c756c9af0f002da627464eb4d7c970605fa5e9f7448f5731e

SHA512
1c560a07b57774ea40ebe9b378f4517af40ba4c3038c37a31df5a69cc04accb7940252c96395302f8e2d6b6b2dc760bf0d46ce1cb8860ad33e6af42c46da9ea4

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
227KB

MD5
b76f5bc156298b7b24940e47bbcfb36b

SHA1
9bbb63136532119fd4445a4417dbe46ca67f39bf

SHA256
39e97789f55e12c877083e602e1d0303d91c9bbd5579a1b892dc5fc7d4de41bc

SHA512
1ce361cdb74019833fcb4e381c6a5e5bf7d30dfa4c5dc9886d593f4026bc6bcf53f1f1a0d8dbbce2642312d5de8675cda6ae1c08dbad77ec215afc6a9b028b61

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
227KB

MD5
106c385c2d9d79d6e2b1421c3eed325e

SHA1
af0515bd479bd100220d7fbe2f4f6235ec05e971

SHA256
679e47f4e3d5b4d680d523c7619c1ba334450ef077712f82f9e50126aa553ec8

SHA512
d2b1fd409961812ef066fe3308b3e348e15b5415dd362b48ffa8ad440edff81be758bdf33fc0423616ef7c1cbf7f12ace0de103219a95f1aec075a2f432e166d

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
227KB

MD5
a275b012d5d774496f333efaee4e962e

SHA1
c87d4af0fed082a45bfdc8381a1fc7044054fa29

SHA256
618a650889e9b5f9fa22a03e52f3070f27b807930d748880b0f0d0da1422c0bb

SHA512
ed4edee0f31d46dc9257aa752ef388488e4f7af141f0a1e71b0d46789efa2dac272e2f188c22eddb89816b5d34564f473e4067a12e891d026167f804ae3661b6

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
227KB

MD5
673261325b7b9194e2fd46be2e712630

SHA1
bdb135b4557210a6b064862709827761c463302b

SHA256
3d62a939384bfefe71086f8a2b2ec24269d6c2719f6c3aaa278b1320ea3d3fc3

SHA512
12eea86ff891137a6ec64a1ec242edec66ba0ede11089a0bfac276c992fc214d44ba3725a1d763106c0a9b03908660222bfcaac84b2d0d2bbf1d955bcc809bb5

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
227KB

MD5
8f9e411e45ceae17b3a79565c86cf711

SHA1
a1711b25868b34a08ddb2312db163948c0da91c4

SHA256
19ae26ae33f413b4269ddf762d741aaa1284aa6de6cd3494e26521d27b785daf

SHA512
4e34bc1be8bad86d0cfe8538f41e3a42c9ad8e732a478fa7864eae3151d20c5d1b2bb2ab64e2a09678bc1f4f181955443db7f0bf214b07ef1e75e8ddfd03135f

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
227KB

MD5
acecf3e87299b99894ce6e2634c2649b

SHA1
2c24b6a016f8ac5e2f8f7cffbefdb00cb506cf66

SHA256
030bf1be33b6ec0da86dc6c9c3e2ce00be00b5e6d98ddea515f57329c50967f6

SHA512
0ac10fff74fd4fa0276de6c3e7cd9ccca3c04b1f13c1387f0335be0aba8016d0537ae9aba5298866179e86f890920d864701d0fb0f6c9caea1a6ddbaa8a04095

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
227KB

MD5
9a96a5c7bafb454be2f2f38f77b38da7

SHA1
0cdef26023bae3e6dc59527b0855b85aeb1e3a5f

SHA256
c7a3d0c9550884fc8368d8838ed372085d4e66c3c4198d7d51660ffabe4862eb

SHA512
44bc190eaa830d0cd12203aae487bb962c7bc3bdde28aafbb8e732d1b455cadd811c984fa6e18c087d5c2f1ca67eab791128ebdaaabbf52229b12fe8e11be68b

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
227KB

MD5
a86cb6b86a1ad5870812385d902e71c8

SHA1
25dd01cd8d7d9d869a3c1173764562d3bdf2e26e

SHA256
ce7f2a8740b0936826760d359de6d1b22a7f7ee3120b0ef72697fa03f6ec7dd2

SHA512
aa573754af8d3e9ee8fa64883ecd0ca68292a71674b835becf34e4899af18b8a78946936b6f9075c537bef672328af1c9985ad0635c4bb3e9f7d86d8c55676b2

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
227KB

MD5
f5c338fb11b3e0ffcdea2a30d4051d5e

SHA1
54c6dc8873001e540f3f4323d5f066246521ae64

SHA256
99db0e0d9b0f77e6afbc9424dfde2195ea022394f0648fd1b6888d75aa68b31e

SHA512
e21b7d89f1fa5dbb38fb8abde28b6564c3727d5c5c86986847988e1ee7ada26a5cffe5ad13f75180d08e1dbcc61cbc9c4c27d32f50ea73ce9993554106ecd961

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
227KB

MD5
7f369d6c5e771c47e499eca0e1886d11

SHA1
73790cd9dde462b6ea8f27800826c4dc35de0c11

SHA256
b7573ed1cf4e26556e9003fa0011cf15dd25e1c6a8fc3adb366439d964956f9b

SHA512
b1248384b0ce7b64542f7c34c8765e045541cc7d9dccb0393c5908252630f0343159dca4b7bba7d428ef8b5be4e4cd53c4d9ee41d91aa70945f5d665b7fd186e

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
227KB

MD5
59bbe1f9f0b5ac9b39f85a34ff48a2fb

SHA1
3dafc39bb75958b9120ae89cdaa845a8a3f7bbdd

SHA256
b204a453c17f2ada454781652e872ef4a5dde0479cf36052b7a663dd8c5862df

SHA512
58a7f413df7bd187f0d2e3e89ad20df02954eef3d224297048fa51a2a4fcf96cda41d091a1115882d335fcc97a725a19974fbc639a393618a9c3386f1f7bc114

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
227KB

MD5
9fe992e79cb87853bce5a1c0bfd919b1

SHA1
fe3b0a2ec1c621e11fb09d860bf85d06c85b6d1b

SHA256
3eccc3d7cac10962a49b0726afe26db326836114893f4737b7d57f19b99ebfcb

SHA512
6ae8d99d30cdc6a3f1b144ef3aa30f26bd932cfa8937a023313fa4628deab24df25c0e189606662139830c793dd29dd4cf6543be0ad4416d4344406ff1d68fe3

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
227KB

MD5
5d9ce52718e96cd3734f9db2ea14ec33

SHA1
e34b948d67c6f25f08d7fc95ca05662e0320ca40

SHA256
07fb2224f00e01b61b470fd4a5e652e63abba1ad609f03b4d1c10e89eb30596b

SHA512
3014de820b3030b5a76d68d1b0591def88f775733b6b82cfd3b155d5d65914ba29fde50f3747faf84da263813ac560454a280b6bd488876bd9749763910ec415

Download Submit
C:\Windows\SysWOW64\Mjddiqoc.dll

Filesize
7KB

MD5
25f18e6c25e4867460f594d2b555925b

SHA1
d9f8ac5f9184797ac11f87f07bda59a6215cf44d

SHA256
c7dbfec63bf9fdbf271e6f19177aba4d5141ae3696f21bf6ede6a6f1a60011ff

SHA512
4a40e01a28a29b9de3a65dd5d340d3c6bd95cb2f854ee96850933c623198e37f3a6541e90d32da564bd21933a376284a74aaee8332cfd160b2875fbbebbbf4b1

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
227KB

MD5
7b658f99697d5249215f6b64b1f43294

SHA1
0ca6f83d6c57ddb35d4313718436f0b39c9878e4

SHA256
3a86861c337ef7d9e507750bc83f6265fee47458aedc1834317e57b1f46580c6

SHA512
099f8e851bd1520691291e47d5b35c9bc8d4a4c061926e9dca1e1d044a882e5de2c127304e6cfa6df670f2f56cc3c1935b4e3302bd5d0d605900279303d73688

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
227KB

MD5
91959caceb2f757acf60e35906b0197d

SHA1
19e927dc071f35dbdd938b603c7735a1a56fdbe0

SHA256
4fc79b07d3bcfa1c0e8b5fb335fd550eb097afbaeed0c1eff534f03e2fe0b889

SHA512
10e689c0305c4755c6b42ac8f36d80b79a1cd30632717730572bb9e4171b85dbe0492031783671a50bddcc74896a88711e457f22421902703682d4c6cc298f67

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
227KB

MD5
5b3b50b6bb9bfbaef65aa3bff21af717

SHA1
cb8c5119b965f69fdbcf7fbed6836e6991564f6d

SHA256
5ddf4c1eeb10949f31ceb25a6a94c2a9ad7fb37928187dcafba55f5168c4a7e9

SHA512
33312819bcc1a6c8c9dce7486fe0ad08a68ce50b5f99afc41be34b74be339d26fc11d8dc38e9ce9358f4425d081c4cfeb23f27f42d46c2b38b96ba9812ea4607

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
64KB

MD5
c84e0dd21365a2c202a5801fdca61967

SHA1
1606b03dcbb2b34d0b00bdede8b48d4f9045b03f

SHA256
d132484e03eaf1511287c93bf82742e3f59ef268a1f6c49910131177a1f0f89b

SHA512
61b6f248d46ae3996267a2d179ecb58a36a6718c7fa117d04f2c24f23c9a76bc27444ccfdec97ea6b9d9738d68577b85817ea37d05e2e9792b51a05e64b43255

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
227KB

MD5
14cef7adf269d570e0ed2a7b07fa267f

SHA1
6a564f8609e7aa9961b1240beedc38b765850c7f

SHA256
bc7db1c4db11a3fa8709e7a9e758d089852ac2e827cdb5f80d8f3a8cc387e2d0

SHA512
cda7312a357833162914d19e0429fec680335b30ffc914cb09666c438349cccee633da19ba29915f53946a921636c835a9590fe3eed55096f56b1255284ed16f

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
227KB

MD5
4c0a778bbcc6b0a339448c1f542085cc

SHA1
7150754f9ba67e9fd96f947ab7958484564ebdc1

SHA256
c7c7a0accb9a3dbe6ffa8a4031c45152ce0275241981feadb0ea838f54988e82

SHA512
71eea7d3bdff32a851062daaf37f1c4dfff65158662f9c367391738999d0a3f9421ce6433dd4b1a0b84fcb27e450093f7eb890c13f1cbb2c0f2868d88ff9d23b

Download Submit
memory/464-458-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/676-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/676-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/776-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/792-422-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/828-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/984-141-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/984-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1008-470-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1060-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1060-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1116-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1116-187-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1268-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1268-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-452-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1428-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1428-218-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-195-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-213-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-123-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1592-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1592-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-194-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1756-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1816-131-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1816-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1848-518-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-488-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2432-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2432-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-404-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2808-295-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-500-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2996-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-186-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-476-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3236-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3236-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3240-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3240-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3280-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3288-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3328-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3352-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3352-115-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-271-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3396-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3492-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3560-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3560-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3656-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3736-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3772-506-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3852-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3936-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4128-440-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4296-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4300-512-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4340-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4340-158-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4368-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4424-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4484-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4484-203-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4520-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4612-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-494-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-204-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4996-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads