berbew | 6a070b1a5fbecd3440ad7d48c92d3c2b1104deabf0ac5aec77826d4ddd9afb51

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a070b1a5fbecd3440ad7d48c92d3c2b1104deabf0ac5aec77826d4ddd9afb51N.exe
Size

163KB
MD5

f4dcfbdb26ce70168dc2aad4154302f0
SHA1

6f5c54c6558e2a77ce32aaf933ec508b60df641e
SHA256

6a070b1a5fbecd3440ad7d48c92d3c2b1104deabf0ac5aec77826d4ddd9afb51
SHA512

a2582c08e9832b518fbc9a1cf35e7bb905f779167ab2fcc19f8b88d74be57f39ba687c73143ed0ec7abdc7a04dddf2b58a08a0723c32a7cb753cfef6fbb0b161
SSDEEP

1536:PX4VtWHtpryEJUfHrkhAT8LbctNzSIblProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:bHumcz7bltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbnjig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpikonoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhqbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkcbnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgdmjpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhioblgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppbeno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgolnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lolaogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojmpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooopbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bafdjoja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kahpebej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mojmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qadnna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajcigf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajeemfil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbnjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baiqpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdkpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcglj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkaehdoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khifln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nofmlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqolldmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcihco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppbeno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amaeca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6a070b1a5fbecd3440ad7d48c92d3c2b1104deabf0ac5aec77826d4ddd9afb51N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjjfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klikgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lonndfba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llidnjkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjqckikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbndekfm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aahhia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbofbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piccfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aflfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkaehdoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lemolpei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjbhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhfifngd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqaiad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjemfhgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdjjaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcglj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmljjgkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pijjgdlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpggpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckfocc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amohnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjjohe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqhobced.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paaahbmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdepfjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kahpebej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdepfjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmedbeb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 64 IoCs

pid	Process
3596	Jalaid32.exe
5044	Jhfifngd.exe
2028	Kaonodme.exe
2008	Khifln32.exe
2856	Kppnmk32.exe
3288	Kbnjig32.exe
228	Klgoalkh.exe
556	Kacgjc32.exe
3516	Klikgl32.exe
4852	Kcccdfqb.exe
2836	Keappapf.exe
1828	Kpgdmjpl.exe
3884	Kahpebej.exe
2880	Lolaogdd.exe
1640	Lefika32.exe
540	Lonndfba.exe
3528	Lidbao32.exe
436	Lhioblgo.exe
2000	Laacka32.exe
1620	Lemolpei.exe
2860	Lcaped32.exe
5048	Lfplap32.exe
3496	Llidnjkc.exe
3620	Mcclkd32.exe
3136	Mojmpe32.exe
4244	Mfdemopq.exe
2104	Mbkfap32.exe
448	Moofkddo.exe
1132	Mjdkhmcd.exe
4404	Mqnceg32.exe
4164	Mjggnmab.exe
3036	Nqqpjgio.exe
2560	Ncolfbhb.exe
220	Nhldoifj.exe
5056	Nofmlc32.exe
1964	Nbdiho32.exe
4328	Nfpehmec.exe
212	Nohiacld.exe
1532	Ncdeaa32.exe
1436	Nmljjgkm.exe
3512	Ncfbga32.exe
3520	Nmofpgik.exe
4392	Nomclbho.exe
1884	Niegehno.exe
1708	Ooopbb32.exe
4484	Ockkbqne.exe
4032	Omcpkf32.exe
232	Oqolldmo.exe
456	Oflddl32.exe
1380	Oqaiad32.exe
3320	Oodimaaf.exe
4124	Ojimjjal.exe
2204	Oqcegd32.exe
440	Ocbacp32.exe
2488	Ojljpi32.exe
3176	Omjfle32.exe
1700	Ofbjdken.exe
4440	Piagafda.exe
1188	Pqhobced.exe
4436	Pjqckikd.exe
1672	Piccfe32.exe
2760	Pcihco32.exe
392	Pifple32.exe
2356	Pmalldhe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fnjlah32.dll	Laacka32.exe
File created	C:\Windows\SysWOW64\Gbddcd32.dll	Mcclkd32.exe
File opened for modification	C:\Windows\SysWOW64\Qcdgom32.exe	Qpikonoo.exe
File opened for modification	C:\Windows\SysWOW64\Bakmen32.exe	Bideda32.exe
File opened for modification	C:\Windows\SysWOW64\Cchiie32.exe	Ckmedbeb.exe
File created	C:\Windows\SysWOW64\Pfnjqikq.exe	Paaahbmi.exe
File opened for modification	C:\Windows\SysWOW64\Bjjohe32.exe	Apekklea.exe
File created	C:\Windows\SysWOW64\Jalaid32.exe	6a070b1a5fbecd3440ad7d48c92d3c2b1104deabf0ac5aec77826d4ddd9afb51N.exe
File created	C:\Windows\SysWOW64\Digabjai.dll	Khifln32.exe
File opened for modification	C:\Windows\SysWOW64\Lhioblgo.exe	Lidbao32.exe
File created	C:\Windows\SysWOW64\Lhhpffdk.dll	Lfplap32.exe
File opened for modification	C:\Windows\SysWOW64\Mojmpe32.exe	Mcclkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ncolfbhb.exe	Nqqpjgio.exe
File opened for modification	C:\Windows\SysWOW64\Cpcglj32.exe	Capgpnbf.exe
File created	C:\Windows\SysWOW64\Cmggeohk.exe	Cpcglj32.exe
File created	C:\Windows\SysWOW64\Dmpjlm32.exe	Dckfnd32.exe
File created	C:\Windows\SysWOW64\Aikcfk32.dll	Keappapf.exe
File created	C:\Windows\SysWOW64\Lonndfba.exe	Lefika32.exe
File opened for modification	C:\Windows\SysWOW64\Lonndfba.exe	Lefika32.exe
File created	C:\Windows\SysWOW64\Kodhkbmf.dll	Mqnceg32.exe
File created	C:\Windows\SysWOW64\Dgfcadbc.dll	Nmljjgkm.exe
File opened for modification	C:\Windows\SysWOW64\Bjmlme32.exe	Bpggpl32.exe
File opened for modification	C:\Windows\SysWOW64\Mfdemopq.exe	Mojmpe32.exe
File created	C:\Windows\SysWOW64\Nfpehmec.exe	Nbdiho32.exe
File opened for modification	C:\Windows\SysWOW64\Ncdeaa32.exe	Nohiacld.exe
File created	C:\Windows\SysWOW64\Bdjjaj32.exe	Bpnnakmf.exe
File created	C:\Windows\SysWOW64\Kacgjc32.exe	Klgoalkh.exe
File created	C:\Windows\SysWOW64\Oopadn32.dll	Ocbacp32.exe
File opened for modification	C:\Windows\SysWOW64\Qiocbd32.exe	Qbekejqe.exe
File created	C:\Windows\SysWOW64\Pnbodpej.dll	Aflfag32.exe
File opened for modification	C:\Windows\SysWOW64\Cibaeoij.exe	Cchiie32.exe
File opened for modification	C:\Windows\SysWOW64\Dckfnd32.exe	Caijfljl.exe
File created	C:\Windows\SysWOW64\Bkcbnd32.exe	Bbljmflj.exe
File created	C:\Windows\SysWOW64\Fjpiapan.dll	Ncdeaa32.exe
File created	C:\Windows\SysWOW64\Ockkbqne.exe	Ooopbb32.exe
File created	C:\Windows\SysWOW64\Paaahbmi.exe	Pijjgdlg.exe
File created	C:\Windows\SysWOW64\Qadnna32.exe	Qjjfag32.exe
File opened for modification	C:\Windows\SysWOW64\Ajcigf32.exe	Ablafi32.exe
File created	C:\Windows\SysWOW64\Oedgpbbf.dll	Bjmlme32.exe
File created	C:\Windows\SysWOW64\Ddjbhg32.exe	Dmpjlm32.exe
File opened for modification	C:\Windows\SysWOW64\Khifln32.exe	Kaonodme.exe
File created	C:\Windows\SysWOW64\Kcccdfqb.exe	Klikgl32.exe
File created	C:\Windows\SysWOW64\Mojmpe32.exe	Mcclkd32.exe
File created	C:\Windows\SysWOW64\Moofkddo.exe	Mbkfap32.exe
File created	C:\Windows\SysWOW64\Omjfle32.exe	Ojljpi32.exe
File opened for modification	C:\Windows\SysWOW64\Adnjek32.exe	Ajeemfil.exe
File opened for modification	C:\Windows\SysWOW64\Kpgdmjpl.exe	Keappapf.exe
File created	C:\Windows\SysWOW64\Mjggnmab.exe	Mqnceg32.exe
File opened for modification	C:\Windows\SysWOW64\Pijjgdlg.exe	Ppbeno32.exe
File opened for modification	C:\Windows\SysWOW64\Capgpnbf.exe	Cmdkpo32.exe
File created	C:\Windows\SysWOW64\Hebgdd32.dll	Cibaeoij.exe
File created	C:\Windows\SysWOW64\Qlggenhj.dll	Lolaogdd.exe
File created	C:\Windows\SysWOW64\Lfplap32.exe	Lcaped32.exe
File created	C:\Windows\SysWOW64\Mbkfap32.exe	Mfdemopq.exe
File opened for modification	C:\Windows\SysWOW64\Moofkddo.exe	Mbkfap32.exe
File created	C:\Windows\SysWOW64\Ppbeno32.exe	Pmcibc32.exe
File created	C:\Windows\SysWOW64\Qmaahjld.dll	Dcmcddng.exe
File created	C:\Windows\SysWOW64\Laacka32.exe	Lhioblgo.exe
File opened for modification	C:\Windows\SysWOW64\Niegehno.exe	Nomclbho.exe
File created	C:\Windows\SysWOW64\Dbdoodpc.dll	Pqhobced.exe
File created	C:\Windows\SysWOW64\Qiocbd32.exe	Qbekejqe.exe
File created	C:\Windows\SysWOW64\Nchmmd32.dll	Qcdgom32.exe
File created	C:\Windows\SysWOW64\Cibaeoij.exe	Cchiie32.exe
File created	C:\Windows\SysWOW64\Kaonodme.exe	Jhfifngd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5768	5676	WerFault.exe	210

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofmlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcihco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmcibc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnbgamnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgdmjpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laacka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moofkddo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncolfbhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqolldmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paaahbmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a070b1a5fbecd3440ad7d48c92d3c2b1104deabf0ac5aec77826d4ddd9afb51N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nohiacld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmljjgkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojljpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Capgpnbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmedbeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefika32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajcigf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockkbqne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbacp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfnjqikq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpggpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmggeohk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caijfljl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdkpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lonndfba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooopbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcpkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifple32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlmpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajeemfil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbkfap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjdkhmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omjfle32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaonodme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piccfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjbhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khifln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klikgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahpebej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfplap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdeaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jalaid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcclkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfbga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aahhia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppbeno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakmen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpgqgjel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keappapf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdiho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhqbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkaehdoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bideda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjkndi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcccdfqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckfocc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjjfag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amohnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baiqpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcaped32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llidnjkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcdgom32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jimhlh32.dll"	Bdgmlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banjkndi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmggeohk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klgoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjlah32.dll"	Laacka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qadnna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbndekfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcaped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llidnjkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjpiapan.dll"	Ncdeaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbhqbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmdkpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omcpkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjggaiai.dll"	Ajcigf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcekkk32.dll"	Adlmpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmofpgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpikonoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmbpkja.dll"	Amohnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajcigf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmdkpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemgdggn.dll"	Llidnjkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcclkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncolfbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebgdd32.dll"	Cibaeoij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niegehno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojljpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaodfe32.dll"	Nomclbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqolldmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omjfle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbndekfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacgjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kahpebej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lonndfba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmalldhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfickphb.dll"	Bpnnakmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbnjig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lemolpei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omcpkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodhkbmf.dll"	Mqnceg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aflfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedgpbbf.dll"	Bjmlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bakmen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmpjlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Menogiid.dll"	Jalaid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klikgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiedn32.dll"	Kpgdmjpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacgjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liahpe32.dll"	Lefika32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ablafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oopadn32.dll"	Ocbacp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcidobif.dll"	Bideda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nohiacld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcbjd32.dll"	Pmalldhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcdgom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpnnakmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opejfjch.dll"	Bdjjaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keappapf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoodla32.dll"	Lidbao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binafnin.dll"	Nbdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnlono32.dll"	Cmdkpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmggeohk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpakbcj.dll"	Ockkbqne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piagafda.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 3596	4984	6a070b1a5fbecd3440ad7d48c92d3c2b1104deabf0ac5aec77826d4ddd9afb51N.exe	82
PID 4984 wrote to memory of 3596	4984	6a070b1a5fbecd3440ad7d48c92d3c2b1104deabf0ac5aec77826d4ddd9afb51N.exe	82
PID 4984 wrote to memory of 3596	4984	6a070b1a5fbecd3440ad7d48c92d3c2b1104deabf0ac5aec77826d4ddd9afb51N.exe	82
PID 3596 wrote to memory of 5044	3596	Jalaid32.exe	83
PID 3596 wrote to memory of 5044	3596	Jalaid32.exe	83
PID 3596 wrote to memory of 5044	3596	Jalaid32.exe	83
PID 5044 wrote to memory of 2028	5044	Jhfifngd.exe	84
PID 5044 wrote to memory of 2028	5044	Jhfifngd.exe	84
PID 5044 wrote to memory of 2028	5044	Jhfifngd.exe	84
PID 2028 wrote to memory of 2008	2028	Kaonodme.exe	85
PID 2028 wrote to memory of 2008	2028	Kaonodme.exe	85
PID 2028 wrote to memory of 2008	2028	Kaonodme.exe	85
PID 2008 wrote to memory of 2856	2008	Khifln32.exe	86
PID 2008 wrote to memory of 2856	2008	Khifln32.exe	86
PID 2008 wrote to memory of 2856	2008	Khifln32.exe	86
PID 2856 wrote to memory of 3288	2856	Kppnmk32.exe	87
PID 2856 wrote to memory of 3288	2856	Kppnmk32.exe	87
PID 2856 wrote to memory of 3288	2856	Kppnmk32.exe	87
PID 3288 wrote to memory of 228	3288	Kbnjig32.exe	88
PID 3288 wrote to memory of 228	3288	Kbnjig32.exe	88
PID 3288 wrote to memory of 228	3288	Kbnjig32.exe	88
PID 228 wrote to memory of 556	228	Klgoalkh.exe	89
PID 228 wrote to memory of 556	228	Klgoalkh.exe	89
PID 228 wrote to memory of 556	228	Klgoalkh.exe	89
PID 556 wrote to memory of 3516	556	Kacgjc32.exe	90
PID 556 wrote to memory of 3516	556	Kacgjc32.exe	90
PID 556 wrote to memory of 3516	556	Kacgjc32.exe	90
PID 3516 wrote to memory of 4852	3516	Klikgl32.exe	91
PID 3516 wrote to memory of 4852	3516	Klikgl32.exe	91
PID 3516 wrote to memory of 4852	3516	Klikgl32.exe	91
PID 4852 wrote to memory of 2836	4852	Kcccdfqb.exe	92
PID 4852 wrote to memory of 2836	4852	Kcccdfqb.exe	92
PID 4852 wrote to memory of 2836	4852	Kcccdfqb.exe	92
PID 2836 wrote to memory of 1828	2836	Keappapf.exe	93
PID 2836 wrote to memory of 1828	2836	Keappapf.exe	93
PID 2836 wrote to memory of 1828	2836	Keappapf.exe	93
PID 1828 wrote to memory of 3884	1828	Kpgdmjpl.exe	94
PID 1828 wrote to memory of 3884	1828	Kpgdmjpl.exe	94
PID 1828 wrote to memory of 3884	1828	Kpgdmjpl.exe	94
PID 3884 wrote to memory of 2880	3884	Kahpebej.exe	95
PID 3884 wrote to memory of 2880	3884	Kahpebej.exe	95
PID 3884 wrote to memory of 2880	3884	Kahpebej.exe	95
PID 2880 wrote to memory of 1640	2880	Lolaogdd.exe	96
PID 2880 wrote to memory of 1640	2880	Lolaogdd.exe	96
PID 2880 wrote to memory of 1640	2880	Lolaogdd.exe	96
PID 1640 wrote to memory of 540	1640	Lefika32.exe	97
PID 1640 wrote to memory of 540	1640	Lefika32.exe	97
PID 1640 wrote to memory of 540	1640	Lefika32.exe	97
PID 540 wrote to memory of 3528	540	Lonndfba.exe	98
PID 540 wrote to memory of 3528	540	Lonndfba.exe	98
PID 540 wrote to memory of 3528	540	Lonndfba.exe	98
PID 3528 wrote to memory of 436	3528	Lidbao32.exe	99
PID 3528 wrote to memory of 436	3528	Lidbao32.exe	99
PID 3528 wrote to memory of 436	3528	Lidbao32.exe	99
PID 436 wrote to memory of 2000	436	Lhioblgo.exe	100
PID 436 wrote to memory of 2000	436	Lhioblgo.exe	100
PID 436 wrote to memory of 2000	436	Lhioblgo.exe	100
PID 2000 wrote to memory of 1620	2000	Laacka32.exe	101
PID 2000 wrote to memory of 1620	2000	Laacka32.exe	101
PID 2000 wrote to memory of 1620	2000	Laacka32.exe	101
PID 1620 wrote to memory of 2860	1620	Lemolpei.exe	102
PID 1620 wrote to memory of 2860	1620	Lemolpei.exe	102
PID 1620 wrote to memory of 2860	1620	Lemolpei.exe	102
PID 2860 wrote to memory of 5048	2860	Lcaped32.exe	103

C:\Users\Admin\AppData\Local\Temp\6a070b1a5fbecd3440ad7d48c92d3c2b1104deabf0ac5aec77826d4ddd9afb51N.exe
"C:\Users\Admin\AppData\Local\Temp\6a070b1a5fbecd3440ad7d48c92d3c2b1104deabf0ac5aec77826d4ddd9afb51N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\Jalaid32.exe
  C:\Windows\system32\Jalaid32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\Jhfifngd.exe
    C:\Windows\system32\Jhfifngd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\Kaonodme.exe
      C:\Windows\system32\Kaonodme.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\Khifln32.exe
        
        C:\Windows\system32\Khifln32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\Kppnmk32.exe
        
        C:\Windows\system32\Kppnmk32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Kbnjig32.exe
        
        C:\Windows\system32\Kbnjig32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Klgoalkh.exe
        
        C:\Windows\system32\Klgoalkh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Kacgjc32.exe
        
        C:\Windows\system32\Kacgjc32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Klikgl32.exe
        
        C:\Windows\system32\Klikgl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Kcccdfqb.exe
        
        C:\Windows\system32\Kcccdfqb.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Keappapf.exe
        
        C:\Windows\system32\Keappapf.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Kpgdmjpl.exe
        
        C:\Windows\system32\Kpgdmjpl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Kahpebej.exe
        
        C:\Windows\system32\Kahpebej.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Lolaogdd.exe
        
        C:\Windows\system32\Lolaogdd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Lefika32.exe
        
        C:\Windows\system32\Lefika32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Lonndfba.exe
        
        C:\Windows\system32\Lonndfba.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Lidbao32.exe
        
        C:\Windows\system32\Lidbao32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Lhioblgo.exe
        
        C:\Windows\system32\Lhioblgo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Laacka32.exe
        
        C:\Windows\system32\Laacka32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Lemolpei.exe
        
        C:\Windows\system32\Lemolpei.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Lcaped32.exe
        
        C:\Windows\system32\Lcaped32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Lfplap32.exe
        
        C:\Windows\system32\Lfplap32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Llidnjkc.exe
        
        C:\Windows\system32\Llidnjkc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Mcclkd32.exe
        
        C:\Windows\system32\Mcclkd32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Mojmpe32.exe
        
        C:\Windows\system32\Mojmpe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Mfdemopq.exe
        
        C:\Windows\system32\Mfdemopq.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Mbkfap32.exe
        
        C:\Windows\system32\Mbkfap32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Moofkddo.exe
        
        C:\Windows\system32\Moofkddo.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Mjdkhmcd.exe
        
        C:\Windows\system32\Mjdkhmcd.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Mqnceg32.exe
        
        C:\Windows\system32\Mqnceg32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Mjggnmab.exe
        
        C:\Windows\system32\Mjggnmab.exe
        32⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Nqqpjgio.exe
        
        C:\Windows\system32\Nqqpjgio.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Ncolfbhb.exe
        
        C:\Windows\system32\Ncolfbhb.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Nhldoifj.exe
        
        C:\Windows\system32\Nhldoifj.exe
        35⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Nofmlc32.exe
        
        C:\Windows\system32\Nofmlc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Nbdiho32.exe
        
        C:\Windows\system32\Nbdiho32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Nfpehmec.exe
        
        C:\Windows\system32\Nfpehmec.exe
        38⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Nohiacld.exe
        
        C:\Windows\system32\Nohiacld.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Ncdeaa32.exe
        
        C:\Windows\system32\Ncdeaa32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Nmljjgkm.exe
        
        C:\Windows\system32\Nmljjgkm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Ncfbga32.exe
        
        C:\Windows\system32\Ncfbga32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Nmofpgik.exe
        
        C:\Windows\system32\Nmofpgik.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Nomclbho.exe
        
        C:\Windows\system32\Nomclbho.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Niegehno.exe
        
        C:\Windows\system32\Niegehno.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Ooopbb32.exe
        
        C:\Windows\system32\Ooopbb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Ockkbqne.exe
        
        C:\Windows\system32\Ockkbqne.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Omcpkf32.exe
        
        C:\Windows\system32\Omcpkf32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Oqolldmo.exe
        
        C:\Windows\system32\Oqolldmo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Oflddl32.exe
        
        C:\Windows\system32\Oflddl32.exe
        50⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Oqaiad32.exe
        
        C:\Windows\system32\Oqaiad32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\Oodimaaf.exe
        
        C:\Windows\system32\Oodimaaf.exe
        52⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Ojimjjal.exe
        
        C:\Windows\system32\Ojimjjal.exe
        53⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\Oqcegd32.exe
        
        C:\Windows\system32\Oqcegd32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Ocbacp32.exe
        
        C:\Windows\system32\Ocbacp32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Ojljpi32.exe
        
        C:\Windows\system32\Ojljpi32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Omjfle32.exe
        
        C:\Windows\system32\Omjfle32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Ofbjdken.exe
        
        C:\Windows\system32\Ofbjdken.exe
        58⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Piagafda.exe
        
        C:\Windows\system32\Piagafda.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Pqhobced.exe
        
        C:\Windows\system32\Pqhobced.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\Pjqckikd.exe
        
        C:\Windows\system32\Pjqckikd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Piccfe32.exe
        
        C:\Windows\system32\Piccfe32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Pcihco32.exe
        
        C:\Windows\system32\Pcihco32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Pifple32.exe
        
        C:\Windows\system32\Pifple32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Pmalldhe.exe
        
        C:\Windows\system32\Pmalldhe.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Pbndekfm.exe
        
        C:\Windows\system32\Pbndekfm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Pjemfhgo.exe
        
        C:\Windows\system32\Pjemfhgo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:708
        
        C:\Windows\SysWOW64\Pmcibc32.exe
        
        C:\Windows\system32\Pmcibc32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Ppbeno32.exe
        
        C:\Windows\system32\Ppbeno32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Pijjgdlg.exe
        
        C:\Windows\system32\Pijjgdlg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Paaahbmi.exe
        
        C:\Windows\system32\Paaahbmi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Pfnjqikq.exe
        
        C:\Windows\system32\Pfnjqikq.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Qjjfag32.exe
        
        C:\Windows\system32\Qjjfag32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Qadnna32.exe
        
        C:\Windows\system32\Qadnna32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Qbekejqe.exe
        
        C:\Windows\system32\Qbekejqe.exe
        75⤵
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\Qiocbd32.exe
        
        C:\Windows\system32\Qiocbd32.exe
        76⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\Qpikonoo.exe
        
        C:\Windows\system32\Qpikonoo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Qcdgom32.exe
        
        C:\Windows\system32\Qcdgom32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Aahhia32.exe
        
        C:\Windows\system32\Aahhia32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Afepahei.exe
        
        C:\Windows\system32\Afepahei.exe
        80⤵
        
        PID:840
        
        C:\Windows\SysWOW64\Amohnb32.exe
        
        C:\Windows\system32\Amohnb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Ablafi32.exe
        
        C:\Windows\system32\Ablafi32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Ajcigf32.exe
        
        C:\Windows\system32\Ajcigf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Amaeca32.exe
        
        C:\Windows\system32\Amaeca32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2900
        
        C:\Windows\SysWOW64\Adlmpl32.exe
        
        C:\Windows\system32\Adlmpl32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Ajeemfil.exe
        
        C:\Windows\system32\Ajeemfil.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Adnjek32.exe
        
        C:\Windows\system32\Adnjek32.exe
        87⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\Aflfag32.exe
        
        C:\Windows\system32\Aflfag32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Apekklea.exe
        
        C:\Windows\system32\Apekklea.exe
        89⤵
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Bjjohe32.exe
        
        C:\Windows\system32\Bjjohe32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4184
        
        C:\Windows\SysWOW64\Bpggpl32.exe
        
        C:\Windows\system32\Bpggpl32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Bjmlme32.exe
        
        C:\Windows\system32\Bjmlme32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Bafdjoja.exe
        
        C:\Windows\system32\Bafdjoja.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3012
        
        C:\Windows\SysWOW64\Bdepfjie.exe
        
        C:\Windows\system32\Bdepfjie.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:936
        
        C:\Windows\SysWOW64\Bbhqbg32.exe
        
        C:\Windows\system32\Bbhqbg32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Bmmdoppe.exe
        
        C:\Windows\system32\Bmmdoppe.exe
        96⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\Baiqpo32.exe
        
        C:\Windows\system32\Baiqpo32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Bdgmlj32.exe
        
        C:\Windows\system32\Bdgmlj32.exe
        98⤵
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Bbjmggnm.exe
        
        C:\Windows\system32\Bbjmggnm.exe
        99⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Bkaehdoo.exe
        
        C:\Windows\system32\Bkaehdoo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Bideda32.exe
        
        C:\Windows\system32\Bideda32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Bakmen32.exe
        
        C:\Windows\system32\Bakmen32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Bpnnakmf.exe
        
        C:\Windows\system32\Bpnnakmf.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Bdjjaj32.exe
        
        C:\Windows\system32\Bdjjaj32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Bbljmflj.exe
        
        C:\Windows\system32\Bbljmflj.exe
        105⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Bkcbnd32.exe
        
        C:\Windows\system32\Bkcbnd32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4900
        
        C:\Windows\SysWOW64\Bmbnjo32.exe
        
        C:\Windows\system32\Bmbnjo32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4040
        
        C:\Windows\SysWOW64\Banjkndi.exe
        
        C:\Windows\system32\Banjkndi.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Bdlfgicm.exe
        
        C:\Windows\system32\Bdlfgicm.exe
        109⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Cbofbf32.exe
        
        C:\Windows\system32\Cbofbf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4308
        
        C:\Windows\SysWOW64\Ckfocc32.exe
        
        C:\Windows\system32\Ckfocc32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Cmdkpo32.exe
        
        C:\Windows\system32\Cmdkpo32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Capgpnbf.exe
        
        C:\Windows\system32\Capgpnbf.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Cpcglj32.exe
        
        C:\Windows\system32\Cpcglj32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Cmggeohk.exe
        
        C:\Windows\system32\Cmggeohk.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Cgolnd32.exe
        
        C:\Windows\system32\Cgolnd32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Cpgqgjel.exe
        
        C:\Windows\system32\Cpgqgjel.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Ckmedbeb.exe
        
        C:\Windows\system32\Ckmedbeb.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Cchiie32.exe
        
        C:\Windows\system32\Cchiie32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Cibaeoij.exe
        
        C:\Windows\system32\Cibaeoij.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Caijfljl.exe
        
        C:\Windows\system32\Caijfljl.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Dckfnd32.exe
        
        C:\Windows\system32\Dckfnd32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Dmpjlm32.exe
        
        C:\Windows\system32\Dmpjlm32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Ddjbhg32.exe
        
        C:\Windows\system32\Ddjbhg32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Dcmcddng.exe
        
        C:\Windows\system32\Dcmcddng.exe
        125⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Dnbgamnm.exe
        
        C:\Windows\system32\Dnbgamnm.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 400
        127⤵
        Program crash
        
        PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5676 -ip 5676
1⤵
PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ablafi32.exe

Filesize
163KB

MD5
f286f3a16a6af3893ec6919cff1636f7

SHA1
38344fa37a246a10e484032a99c46cee9a571430

SHA256
a773268c4fc5e2652fcb66f3ed318c32234498075ead90cd8353119e80f7cd6c

SHA512
f15914436e16a36c88fa175c67d9359f6f03dc13603a162efe15a4acb4cedc4ea9c7980564cf35d8c63bc9795b8c8dead93d66756ce9ec25a969b2a71160971a

Download Submit
C:\Windows\SysWOW64\Adnjek32.exe

Filesize
163KB

MD5
bb7f013cf23b990e4cb27783146ad7fa

SHA1
fe8c235bc440c1b26b5b159cc307cc08182ef7c2

SHA256
7adc0a42043cfc45fe5adcd6061f142f3e3c21e2ab5d0b13271564bfe6670a9e

SHA512
9c58af6f32f4ff721dcd706c7b270bfacd9986ed11e8684d1ed7301d822bda02f232c6fdf33a34d70fbd03a11875639efaff6a2dd2401a2ff59fe81490336d32

Download Submit
C:\Windows\SysWOW64\Apekklea.exe

Filesize
163KB

MD5
aa4652c0bfb2727444226ebd674e7c8d

SHA1
50703c52c89ff13a40eacd5c61449c35794ce1bb

SHA256
20865cbd8b99a2fc793c36e4fd33a04ef5be6a39e5ce35e7c04666a5cd21cb03

SHA512
28403eb9cc41b5b7c606050a6b4f5ad9fa21a82ce290b13b030cf00f2c1253acec27c983133e80aadd837f091f2501bcb460ef181955ee2b476e3289d5af11a4

Download Submit
C:\Windows\SysWOW64\Bbhqbg32.exe

Filesize
163KB

MD5
e4ae8a57b81b2c18f23b0e6fdadc9f79

SHA1
e9023d5e29ecea82197d905b5183e725a8af40c6

SHA256
1f67e01cd7c4c85b14ac6130326e0315e9a664944335e7f3f0479decd6c66a9a

SHA512
22a371da2f4259f315460759d7ca5ef7feefa3c962cb6a41f4b952aa6d44c37f6ecf289bf370dbb65a44a36bcd47c93418fdbce7162d973ebf6f7192f24417c6

Download Submit
C:\Windows\SysWOW64\Bjmlme32.exe

Filesize
163KB

MD5
762b69c6591d93b320dc4006f57027ae

SHA1
89c0284d55837252c4d67392059fb42a7a11c7d4

SHA256
72d01a84a85f6f4f86f53dfbb00f9f6155a17c5894ab6bb8b42f81456d5f8dc8

SHA512
e983c5ac0cab11d5d21b80acd0f9ee620a8a02925fb21aa0837eef8b2292a7777457feb1357987246aba0b511095d3cd13c7346d56a7d9cee77b060479596cec

Download Submit
C:\Windows\SysWOW64\Cchiie32.exe

Filesize
163KB

MD5
f0dd458a2714693458515b568b2a9987

SHA1
b5cf59cf5566c32d885f160a85fc30a23774719d

SHA256
10386cc6430a27887c2d01f7724e9701680482ec635fa11c093cdbcd1411cdb2

SHA512
a7ec50148c91d705b34d7cdee5fd5025422eb3b62ac7387e85e27f5b52904f08feeba6a734faf1951d8fea4c6b54b68ec480d6e27376ae5ef25f0202d11c3661

Download Submit
C:\Windows\SysWOW64\Cmggeohk.exe

Filesize
163KB

MD5
d659c8b009280b3deb455aec9966e4dd

SHA1
aa117cc3b4d7cdc1a69f54ab39d07a58ce857eda

SHA256
f76c6e63f6941c1edc2508760e4d9c5607abbdf13b5d142a6d467c0f121fe0cc

SHA512
734cb5e14de4816df48cbc908450df0c534dae5f8296dad8a1aee161837a041fd206869278ca392fb978fbc16e65c5d7c4385ea8259861c92d072fb8012fb711

Download Submit
C:\Windows\SysWOW64\Ddjbhg32.exe

Filesize
163KB

MD5
5293e4956edc65c810b1cd898ef28cee

SHA1
ff37a4713a902bb6cf380e7981fe8378da694a88

SHA256
cbb78d67e3e7b781401339ced82a1c32d5b36ab42e98ef6cefa2688d32c15b25

SHA512
4f6a94f84747291474ebd2a66a7bccf1d9c89d09ed573e84a5eb758b856c522515fb1dbe074b881eb8f50a92a7b274fb3907c3b9f69d5ffd7499e916d881e366

Download Submit
C:\Windows\SysWOW64\Dnbgamnm.exe

Filesize
163KB

MD5
8ae8c955255d73ded7cdff4e5d2d5c05

SHA1
7237cc145ee92e5b26190f589100303174b4436f

SHA256
1848c3a08b89b79d113f87a087bcc8d12268cbd07833064c301bd4f7360a274c

SHA512
0aaa90713bf8e667bfe8e623d02b023ef00b33b86f9be47c1f47eb51dd1150eb840b06c6f3ef9da4c8ff3ead4dba40223312c1001d5e5f10450f173250bd6288

Download Submit
C:\Windows\SysWOW64\Jalaid32.exe

Filesize
163KB

MD5
571c604afe6947a1814f74c9ed259a64

SHA1
2f18036bc939a39bdaaa81c9906a292e3b6831db

SHA256
70ed374a10237cc667e3994a790dd5434a0cdcc35a83884e217a403af461c123

SHA512
fd2f0f92e0a24719daaa396e4784613700994f2a55593446595438895a52f40adf14cbee297a9e3daa64a6f3a987135d5597721a26bb8df4c6382f51d5ef4594

Download Submit
C:\Windows\SysWOW64\Jhfifngd.exe

Filesize
163KB

MD5
f644ed20255b21ff130af6e3a470cbfd

SHA1
c734568ba4001f9d74f3dd1ea91e0b0c53227a10

SHA256
37505b78c598ab5c96a2b983720accc97a551d1c810ecffe5858c3167466bc66

SHA512
c0a3c72bd5e81e289722fd7f76063773bad5ab3bd362685efbd320b71544a6f4f49c9e978ef56602b53e9abb025e5dc229399bd6307f9ff3a4081cd86eeac6b5

Download Submit
C:\Windows\SysWOW64\Kacgjc32.exe

Filesize
163KB

MD5
92588f16d31374809075f49857a98a70

SHA1
49fc722d3194db1205964c146ef74b82b3c0b5d9

SHA256
411802287ab2ee500934b46d8690079095da8515473db51034efc6c69864ea4b

SHA512
cf06ea1d1627d4503906c3da87b4d00544b8bb46705eaba37f5f6bec8ddba8f581643318d2072672688d9439115bc2b24f8f3c1137fd8ac2506d1af55624b0dc

Download Submit
C:\Windows\SysWOW64\Kahpebej.exe

Filesize
163KB

MD5
d1940510f3baac10f34b192a83c0e143

SHA1
9c6abdfc3811e744748980e40823dbcedf7a0131

SHA256
7e6df4fd07f71317edcb8abdb39a2039d70601259d694f981efc6de20a8b2098

SHA512
0dc00816aeacf5c6e6a5357dcf5c507c45727975dc86fc95baaeea00932e33178d4a5de4f34f372a5af5147a92d9aeeeec143d10a9a3053184e67702d50202a2

Download Submit
C:\Windows\SysWOW64\Kaonodme.exe

Filesize
163KB

MD5
340e8363cf39dc9a4398a09e8ee67f18

SHA1
52a49eed93564767931a2064fb02bcf8c84f2b88

SHA256
65c60d610e1f0570f0b1c1f732ab1b2292e8adf9505417543d210149a8a419da

SHA512
0632e571bea006f62a8d8cb8930a53143b5cb5cb38ec0b2a037f0f906ed108b8f658221b1fe4bbfef78a31fdb5c079daa7edb580c726024d2b167e44f5617bca

Download Submit
C:\Windows\SysWOW64\Kbnjig32.exe

Filesize
163KB

MD5
4b57be8c2e536cb4c30ddae2652d1a8c

SHA1
e9b6a82ca9fdd215828bafa6d6eac60a677af55c

SHA256
fb75bd9c37bc3205466e28bbccd4dbf15b61615cbb3be5f74679a3dbb958c20a

SHA512
5310e15e28121740f891ee8c2593d997ae7a03ea24d847953d3edd8718bd60c8014bfb8631cc7cc491b47a40c5d6ae9898ed74a01dacf1c45051695080d718ea

Download Submit
C:\Windows\SysWOW64\Kcccdfqb.exe

Filesize
163KB

MD5
b4127a8b1a70ee1d89cb0f35d417696a

SHA1
11a9507a0924be646f8fee084e85b5be11f677d5

SHA256
19feeec0e46d5a8a9431a5950a9c8d05afc96e9c64c2ce727001ef0e0801da94

SHA512
f5ee4395791bcf524c29c850f8ec38e2ccdea44e566cc59418d9ca5ee1135f8064ccd7ff69d07c62c7026e502b5bb6d248cdf9308434ce72f4193e9e8a56ea81

Download Submit
C:\Windows\SysWOW64\Keappapf.exe

Filesize
163KB

MD5
614b05f784422d8dd3c770ad44c27775

SHA1
aa00c7db1aee2079950fcd0f6f20039e7a844009

SHA256
4a9d302ef99d39a74754d2dea5afb5365126a909b48e09d0d06d7c055eb098c8

SHA512
627ae3165429f252948b554b7209059fc872597fcfb680ae0edf62ecb49f709dbdfe6c68f6fa9aa77ba8f6cd1261aa6c143e880ed91def9fe3b3b0ddda68b15d

Download Submit
C:\Windows\SysWOW64\Khifln32.exe

Filesize
163KB

MD5
7150fd881ebbd5652335f3c24198ce82

SHA1
e06e8e7e8eebbd450ac0095111e2d869698bd7ef

SHA256
5822aeb70582d619080c97989d935d8a3c66f54d7137f9714e98cacfa3cc8c84

SHA512
641f075dbb1711adf4a64d2b285d35fe963b9890214efd65e294f40f84d012eea727db3508f540c903d8b6358259f9ed798658e24bc8973d9d7c2d0bc25ffa7f

Download Submit
C:\Windows\SysWOW64\Klgoalkh.exe

Filesize
163KB

MD5
59500aba7f838aaf33f8a1d74a5a1bb3

SHA1
28f3f9b831b67817e8648f13246dcf8dd229895e

SHA256
d942cc9b68d966460f748c3f868937c63411f180400e5f094d2cd67e350794fc

SHA512
92006224f80eac190e4b694c973a0d290cee671446e35efc43c43103371ffbf11a28db3bd05625d292f51d99e0a90ff17c2f4d2a989aca1668b36399001515b3

Download Submit
C:\Windows\SysWOW64\Klikgl32.exe

Filesize
163KB

MD5
14c23656aff114c83ac4ffa49dc9f095

SHA1
d74995ac729541f2a98dd6372e5cbf00101cc6ff

SHA256
e79afe5e3e0dfceea0f7fb7f1f2c626755f8aa27796ae8677f0daf7ee27cfdc9

SHA512
22a47755801f38fb9dca1f2f4ab722d0eafd739f047e45e7ec91ea02d15d68bb30aa56e7429d1f3f367a20637438745a5cd46930b1db0f7989c00dd9a1fceb21

Download Submit
C:\Windows\SysWOW64\Kpgdmjpl.exe

Filesize
163KB

MD5
be97ee0b822403e69ceb07c1759c22db

SHA1
42ddd0e1e458581183c32b564ef2311453fc623c

SHA256
07cbf9b945a900742df85f15c7180bd7b09ce306abe066938899bd117b98eadf

SHA512
9f00dc32c1be980efab314a92bd940b624c314f4cf94db17a4e1fc58ff3743929b74e24dc18face38e59bd1b7f5149124c73dda725e66f2ffec8e4eee049fd49

Download Submit
C:\Windows\SysWOW64\Kppnmk32.exe

Filesize
163KB

MD5
740e797050f3d49b53f41de849045477

SHA1
c0d2397c055fc95ee691e5868adb6112aa66465c

SHA256
1b252f25959b3790aed6fab2005b694cf34f23bbd837ab8a75adcc6474027498

SHA512
ed7a1652b95c576d6de056feb5fcd312272c168320f2801758471a0d42049b44ac5348786b8228792a82f682651e849b9f347c77faebaa465a95f4dd9eb08d19

Download Submit
C:\Windows\SysWOW64\Laacka32.exe

Filesize
163KB

MD5
6c058bb6b7ef53994b9dba263e4cdeb0

SHA1
51bf3a7fb06e8b1a85e2f8846b79d3fc030aa82a

SHA256
3ce0daf468d414a9e3f30fa065020c67d8704d19014125bf3d622c89f5b8b669

SHA512
d8e54a8c29836403f9b59b7c2271c82c3a4f0fc33969d8842d5992298c24e40edde9ba3086572aab467f2ec9577eef0038a199ad50095f98a3be8014095b1199

Download Submit
C:\Windows\SysWOW64\Lcaped32.exe

Filesize
163KB

MD5
15a5beb54d6ed8af11e866d9dd56c44c

SHA1
9bd2abe023bd859463ee7ab7a3f06952db3cd61f

SHA256
9e89e1600d8cfc45a1e601fb79e67ef95ee4189b81cbcbeb0b469ec9ed29787b

SHA512
6b64ce5efb615dd66bf1f5ef7456eb772881496505470da40487744ebdf9093f9c674f7b927e8c4cb1f7d4bff3e7fb410ef12edf441f138cd32c62202931798d

Download Submit
C:\Windows\SysWOW64\Lefika32.exe

Filesize
163KB

MD5
48711a665c7a721a9fef492af3fb6591

SHA1
32970613bc499b8b21de37f56dca9a981b8de940

SHA256
9515ae28b97d146e1772498d5789ae4d55591184c884224b9883946ac308803c

SHA512
97b6ea2eb6d7dd3aedcfc0241ff95372469c54f27a5e51bf88ced362154d1de9055471da22b97aad6b42e3971e9dc4965cc0e28fbccc0e2a5d93aea3b4a48aeb

Download Submit
C:\Windows\SysWOW64\Lemolpei.exe

Filesize
163KB

MD5
7331e4349d0f0b0a072e1230bef67347

SHA1
d93f94f8da127fb7a7875feec921d0ec6da76c85

SHA256
29fe87f3184902474a0264967068c70a997fc032579d23cacf7fb422052df97f

SHA512
b8c433599a36eafac6d89da804425d60996fd17d0fe3e5f8925fa4099fcdf6b9261206fdd9c076e73ea0f672daf064af179d235a452d867a72c9e308c3c4a5b0

Download Submit
C:\Windows\SysWOW64\Lfplap32.exe

Filesize
163KB

MD5
1774c7b422e71b2fa495e826de92e0bc

SHA1
b25a189a757683ef22f058d9d001ed8719ab2461

SHA256
33f5733951b6794c6a5253d31446c9bcb1ad1aa1b7010c3069519c9efc397126

SHA512
590f5794e245f8e540b4633ec65d45285e58ad32605ea93b5483aabf4a174be1c92fab86920d19fff4afdcc35cee160ecedc7097ada72f99c1af6c3830141fe5

Download Submit
C:\Windows\SysWOW64\Lhioblgo.exe

Filesize
163KB

MD5
ba8e5308614da5166f8a4823eba824f5

SHA1
5874dc72c1d1acb53bf544e148f8e34bf510eeaa

SHA256
f825acc02ea7625dd08b36d90324933ca40f5170b45dbfb96f118e377e13c8f7

SHA512
421c2abd8e4cab127154a639fa925bcd755189c005ea53ae15a88ee3fcf2bf6000cf378c50c9924fc0e3fde2daf28685ff906f58536efc26027a739bb1a34a1a

Download Submit
C:\Windows\SysWOW64\Lidbao32.exe

Filesize
163KB

MD5
9194fa363cf01370957b6d0b8da58fff

SHA1
cd17da9e6651514ebb4e921d37dfc3c0083c7215

SHA256
469d297a9ca9cf705b4d9d31d01a880e3e678f85703f4ac293672f91a1a64bc4

SHA512
23c65d72457227498ecad8a49167277535d989fd6111ed3341dd78316b2828a2cebc83df1697e3caac649cc4efb32f1e5ff28610b8ec45bc9efe896185029b95

Download Submit
C:\Windows\SysWOW64\Llidnjkc.exe

Filesize
163KB

MD5
5f74977d36c2d33244732cbf38f11eb9

SHA1
a1cd9d2d15e844b7152f9ce495b64db3e5e13fe6

SHA256
a55339ea76172c9412b424f48ee49b1d83409e576284b68a25f606e609d0f417

SHA512
f7d12f25d884a088be098e556c292bc02519c9c912262dc00be0c1b1171e01d8e75db9cce8083a4825ba84f6cb5204d078e3fee3470e0270fa1bb0d99dbf5e73

Download Submit
C:\Windows\SysWOW64\Lolaogdd.exe

Filesize
163KB

MD5
905b4f08343319c67719d6310620388d

SHA1
b92f659783155f85eded2639c30873255cadb313

SHA256
62356ac1ae5908f4ebf39e24afab87585c22a2a37ebf0be4c2b56373013ac5f0

SHA512
28e1042c7fceeeb8222f262c476e7c845752e9087d54c86fe581717f371e41ad5b03c430a9c47c6484bae729606f1359e9ae95ba3a20e20027f47bc09bd22d76

Download Submit
C:\Windows\SysWOW64\Lonndfba.exe

Filesize
163KB

MD5
b14fe9e35900c4bddcb3175f033fd435

SHA1
02c77df9636d2010a18daa362b72caec005ef675

SHA256
3494d0411deb084982d735aaff6cd8c5de77702d7143774319d3762c39e719b2

SHA512
6047c8f5e7b5800d31371b7e8700f78cbe607b4a73a5498447e14781f841467a61f88209adca56b5347b0d60e3e0cad00aa25fcd5415d1fc30e779424eca480c

Download Submit
C:\Windows\SysWOW64\Mbkfap32.exe

Filesize
163KB

MD5
cd826744395a1afed6596846189aa4a2

SHA1
bd3893845464fd50c1ecfab24099f863ccfddefe

SHA256
58a3dc4e5780a409267caa2b42870183986a8a3286544fa3a8b048417207e674

SHA512
9de593ee7f75ac678c4c0feb8079def5e7b24d54b9286d991cc0ce88f80bacb22589ef8a41f982da5c16b96b91d6e61ad11898708f0a16f03bd3059135aae970

Download Submit
C:\Windows\SysWOW64\Mcclkd32.exe

Filesize
163KB

MD5
8cc749e3a6eb27066ef972c9374e9143

SHA1
74d5ce6b74eed495edb6c1aa722a7895ffd4592e

SHA256
24148a4311f7f71d3ad256828b65fe0e7894f22889394ce8609e9bea17bce193

SHA512
83c2fc9dcf9fd778772780e4325a451c4a530472ad95e1708cb66a4d279ef66b74e6951f756bc49d85d2a5e4055b0a9e6c97ee3f7bda8d899320ddffd72f7199

Download Submit
C:\Windows\SysWOW64\Mfdemopq.exe

Filesize
163KB

MD5
fff9ffc8794e5a63ca6f0f5f8dfeda92

SHA1
17a33f7c24370598af56b78d6a2ebb706fce88b9

SHA256
e020438bdbfa68680047027ab7d15d467afb44d89c9ce24d01ab7edd02f988a0

SHA512
67cf0ed8c823e90eb194c78987715e4d5b4533029789d6f7b7f4a28adb3be33da3bb5f0d41ae39537cca93e27f91188e80ef6400911e880ca4602ed35ed04687

Download Submit
C:\Windows\SysWOW64\Mjdkhmcd.exe

Filesize
163KB

MD5
96f229a5ed299933f5dab03a94067afa

SHA1
730ef75ab499a9bf94d72b62c09a9108e7f084b8

SHA256
15103c8e90c9d781e4a145ac296cc13561b68145cfe72c6b8c045d067ae10da8

SHA512
61c4f5de7c2711e73f3f6654da5c96184c5321ece3c6a2e2ddd442eca0e21e6901842707b7c12b3f6d492535cf4c6ff1dfb0d1792f15bf2ab75d4591dd9adc7c

Download Submit
C:\Windows\SysWOW64\Mjggnmab.exe

Filesize
163KB

MD5
bb03bf0b834547d16ea584a727a818b7

SHA1
6610619ffbc38569eb5dd92d592605489e565835

SHA256
42cae6f25f75d6aab577a1ffed402ea72f651bdecc0c6c6606151fea60ff0140

SHA512
21ba453912dcd122445b1e59ea8f163029e193f50a9fe801db138a4cf35ed25a6a4e9d9e912970e5c4583ac58dc43b8a84ae07f48a32a5aaaadc0efb5119ef5e

Download Submit
C:\Windows\SysWOW64\Mojmpe32.exe

Filesize
163KB

MD5
70beed0358c288aa442eff63d1af3900

SHA1
46fb65a8100adf259abc8b775fbea3c959b945dc

SHA256
0e6c90621c2acac56a52670cd39be93ec571bad73b0e32e623ceadb669e513a0

SHA512
2880d4cc15a4049c8d0d7c74b6037dfe5a0534b5928bb525ee5500feee215163d8edfbabd98cee55088ed33bdcb4a2b1a6ffd4aeb8174135d488927c5286b77a

Download Submit
C:\Windows\SysWOW64\Moofkddo.exe

Filesize
163KB

MD5
b61e3275af351f5b2803d53aeba4ee2d

SHA1
722d36cfdefe21428a012afdae47da569ea0d741

SHA256
cf1125283b51c9d596e798a4ed99e2e2f693384fab8ea7339a1e8281465f0904

SHA512
be77d6868688185e14724beea2e39f25b17034fe3eb3369351b35058f3fc87499c102cbfa5f371c9e0a7897c55fd084289c21a01490aa5f3445ca5ac53614df8

Download Submit
C:\Windows\SysWOW64\Mqnceg32.exe

Filesize
163KB

MD5
142560f5d8f4021a83e2184832434e24

SHA1
9b9964898fa45c2840c5337fb4d29fd372f6d320

SHA256
711a5155ac1ccac9767edf8b8d2d2993214bdc84739d74ce010f4d9966907745

SHA512
07cdb557bcf91d1af0a19db390c6ee3720e4cbe107feb922ab71331d253bd6985a6164b27f0f544292e5452eec8d8a38ffa92ac2868e571bb901671df3b2885f

Download Submit
C:\Windows\SysWOW64\Nhldoifj.exe

Filesize
163KB

MD5
a9d52633c634552809a64d811aa625f0

SHA1
1cb7e4c817aede0145ebae87224dfcc30c561ce2

SHA256
f202ae0687e3235accc506ccf103c21953c52cbe957def1dd7fb6a8d4e298065

SHA512
883d2f57e040a357a822d2a6c4cfe7aa9a5940ba85d55ffa5f314b0f42ee7272cb117b96ffec39c2e9bf93e15e063146a54f28f89b8f53364871931b601e4581

Download Submit
C:\Windows\SysWOW64\Niegehno.exe

Filesize
163KB

MD5
865c4b5301db69918344549b06eaeaaa

SHA1
9f23e810995142dba443fa0aa32b4eaebbcab0cc

SHA256
ed86e8ca3ad08fac47ced1b8ffc4fe03504712595feaaa720bc7564ea1d15665

SHA512
bf1e9a974e5351de8b727ac2963d6d6de4f8a2913f89dac7761300aa87f344bf0d50ae7a136c2424249ef8e2c11685d88c46d0430fba2bc940485c99d6fa0df5

Download Submit
C:\Windows\SysWOW64\Nmljjgkm.exe

Filesize
163KB

MD5
c9cab2c63538cedc2c7143b1d01c7593

SHA1
b10846eaae1fb8134f1f8c6c5587418417232baa

SHA256
f632e1036515a5d31a53c4e5ea6411e13b15ea3857bf397967610a1389619a58

SHA512
7d3a62a52f8c36f9a825de0dba87d5df9dbab3126761dda02dd1d177a146d3e183f9fdd1ca94108a7eef7f8573b88a536a04a97f87c047b8fdfd989dab84abc1

Download Submit
C:\Windows\SysWOW64\Nmofpgik.exe

Filesize
163KB

MD5
a7d084d5c13e188accf51680e3578c2f

SHA1
df4fb14da8d8020debaccf611378ccb651bd09ac

SHA256
0c6d105d8812fce24878b6b7aeabb0e895315a274047fed9043f99d20e70f205

SHA512
26316a1d445a3b1fc5ef9240b20a35526086701d907009a000ddcd0d01e8c0e39672699ab3f3261be535a007cbf351e3bea7791747e3a095549264818073fbec

Download Submit
C:\Windows\SysWOW64\Nohiacld.exe

Filesize
163KB

MD5
7f4f0350def93c0c596d5f321115b9d2

SHA1
27d01681f11df8d643202dc0fc5b60fd5e2a263c

SHA256
80e8c4f807850082360a865f1fc91e914f2ae9f296e295dc53f287f15275f8f7

SHA512
3270dba78c5c3abfe11c71a3818cc04f6748665349c0ef4b6391508804107152e0da90ef1ab604d3e8da483d3251c71d7967fed32ff991bd9dc87b699296c9dc

Download Submit
C:\Windows\SysWOW64\Nqqpjgio.exe

Filesize
163KB

MD5
f99aa97e1ed72323548cf3621e6da8fe

SHA1
f6de6de56acea290f550cc4ea1f3365a82dd9cff

SHA256
b01e25900794464a296699edaaf204b4182049f29fa421d8ef2c8d5f52771248

SHA512
009ee1ef4f42abde9a2930cd8358ec67a666f015f8d5c499555dffaffa94e3ccb4ea1b5116b6cc634c8ad0a9c0eb3853c9ee154a61469169867c79e2a4510b7f

Download Submit
C:\Windows\SysWOW64\Ojimjjal.exe

Filesize
163KB

MD5
98a0fccda7b1ae2f4cfa22474c245902

SHA1
816a76d1b88040e4f5b6a933b992f41e16a18006

SHA256
a577b8e19226cf63accdf3edcaa75420cabf577f82c383eea3c3daf5541570fe

SHA512
008952f655d42ecdf5fd9bd1d818f0670d94e97dc2e36f69b0845652c88a28e1d91a8b4ba61d8da0ebcd1fdb79a358110b2fe071ed59976c81163836f41a7632

Download Submit
C:\Windows\SysWOW64\Omcpkf32.exe

Filesize
163KB

MD5
a7c28b07f13b507da01507deca8673be

SHA1
cdf1cfdb0a26206813cdd9f53da8de8ea97fae02

SHA256
ae0f379d4639846c00d34a44965a9c6db79a005c24b2870c115ecaf7b980ed44

SHA512
33a296a1615a3befe9c6d1a6b9b747f7964e3530c761e98651b7e5fe2e8e9721d94b18cb3417ab0ae0b79027103ae5976057d8602140e95e3ce2db58d730cb5d

Download Submit
C:\Windows\SysWOW64\Omjfle32.exe

Filesize
163KB

MD5
f85bac6a2bf0ebfa45ff0b10be1bde18

SHA1
ead2f7ddcd15e177e3a14224418c160582f8719e

SHA256
e44aeca6211a858763aaff9920c7b2fdc5098e6887f9bb2e445a98e267f6b54c

SHA512
b697eaee0a6bdf86a03f1f182aaedce2a7c2c1b2f005afc1794024239af201f05bd95bb417e5d161435d18045fbfcea5e6db72ef6dceaec34489df6344b07544

Download Submit
C:\Windows\SysWOW64\Pbndekfm.exe

Filesize
163KB

MD5
426b45a1346a5339ecf780f46fd37059

SHA1
939e13e515d51ada60839d8e3772473bc2d38f30

SHA256
c31f155ac29e5db6a8f73545a9d87453c583eaaaf5f07d88dfff94d2450a8e5f

SHA512
dbeb951b2c595923b296e365450ee0a72928342a3c9203d63fe39fd8bea987de2fcf836816c3d144342d357c3b566d00bc62f5f8c0dbfc53a3ade2ffe5bdceff

Download Submit
C:\Windows\SysWOW64\Pcihco32.exe

Filesize
163KB

MD5
d6549f6b13ac8afbf586629ad449c753

SHA1
f1094fe99ff6633c093843a1c0957c71b182e2d3

SHA256
93cbe71bf547db7c9336fc29bb85b28ceebf65b0a7bb8c04d09b1b1b917e25d0

SHA512
d598b87a3647a1dee51cf92501e6571195307723c11365093f449713ff7e051dbbe87481c47a56812d18d87557161c33805affa3911a79bcee29c507469986dd

Download Submit
C:\Windows\SysWOW64\Pjqckikd.exe

Filesize
163KB

MD5
8be2e2ad85fc99990f4242740cec484e

SHA1
14f7b462710027411eaefe90a7fcaea255b8600a

SHA256
833a9f289649c8a6cb1c20bfa59c2033ddea1482e60d1c5e8af266dcef726b80

SHA512
d50693b6fd72971b49c811e4daa38571542dae5fe705ee5b9f1486e5d7edfc6d47fb4b4e4404f8329d4b1f9ff4bd0aced5ab86ebcbea13de97dbe09dad0cf2c5

Download Submit
C:\Windows\SysWOW64\Qbekejqe.exe

Filesize
163KB

MD5
123f3c86625717295c82334657a63e27

SHA1
e882d09e86fbb3bccbcf311e1fa25c8f7ac014c7

SHA256
010253bb2ee4c22d7b66cf64bc15e11a3b2ae90cbaa2d4aa71b030e7c2e51e9a

SHA512
d9ab619d0945d6ac954a9d812976c4604bbf3e8cbb9eefac453c289195c0bbda4836bd03244ba3663a3d93acea380e9ce451f0fa21d70ef9cda19f80d36b0ff9

Download Submit
memory/212-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/220-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/228-586-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/228-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/232-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/392-445-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/396-484-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/436-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/440-393-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/448-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/456-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/540-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/556-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/556-593-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/708-460-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1064-472-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1132-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1188-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1368-574-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1380-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1436-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1532-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1600-543-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1620-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1640-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1672-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1700-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1708-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1828-1072-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1828-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1884-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1888-513-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2000-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-567-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2028-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2028-561-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2160-531-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2204-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2220-507-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2324-490-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-967-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2488-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2488-986-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2560-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2672-525-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2836-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2836-614-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-573-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2860-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2880-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3036-261-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3136-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3176-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3288-580-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3288-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3320-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3512-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3516-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3516-600-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3520-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3528-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3596-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3596-549-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3620-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3752-466-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3884-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4032-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4124-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4164-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4184-601-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4244-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4328-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4352-524-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4392-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4404-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4436-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4440-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4472-587-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4480-594-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4484-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4624-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4792-608-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4852-607-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4852-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4984-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4984-537-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4984-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5044-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5044-555-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5048-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5056-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5056-1025-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads