berbew | 0bd8eeeff9a3e776b8c6e3a00f9d1c2395cb88d5cac321b55e40930597504267

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bd8eeeff9a3e776b8c6e3a00f9d1c2395cb88d5cac321b55e40930597504267.exe
Size

93KB
MD5

f3de94fa65be09e7a5cf4a8f3d1bb12f
SHA1

03986db100c0fb267f0115d4dba48c25860564f2
SHA256

0bd8eeeff9a3e776b8c6e3a00f9d1c2395cb88d5cac321b55e40930597504267
SHA512

cab59d11df6799863e51e203383ec3aad8534ce2c673e62285ce6090a220c8cdaddb455d2f855747512ebd65472da0bd6d2fa13815a337ba3887a9bdd9ecb6c9
SSDEEP

1536:+/cGbguu7yvDQn8WnP8oJf1DaYfMZRWuLsV+1T:++uu7yo8WnP8o5gYfc0DV+1T

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1448	Jplfcpin.exe
4448	Jehokgge.exe
1472	Jmpgldhg.exe
2452	Jblpek32.exe
3100	Jmbdbd32.exe
1580	Jcllonma.exe
2756	Kfjhkjle.exe
1912	Kiidgeki.exe
784	Kfmepi32.exe
2140	Klimip32.exe
1540	Kfoafi32.exe
1320	Kmijbcpl.exe
2056	Kfankifm.exe
4404	Klngdpdd.exe
2388	Kbhoqj32.exe
2800	Klqcioba.exe
4416	Lbjlfi32.exe
5056	Liddbc32.exe
4376	Lpnlpnih.exe
4836	Lfhdlh32.exe
1928	Ligqhc32.exe
536	Lenamdem.exe
3944	Llgjjnlj.exe
5004	Lgmngglp.exe
3460	Lgokmgjm.exe
904	Lllcen32.exe
3496	Mlopkm32.exe
856	Mibpda32.exe
5072	Mplhql32.exe
1700	Mdjagjco.exe
4516	Mlefklpj.exe
5116	Mgkjhe32.exe
1732	Mlhbal32.exe
3132	Ncbknfed.exe
3644	Nngokoej.exe
4360	Ncdgcf32.exe
4144	Nnjlpo32.exe
4752	Ncfdie32.exe
540	Njqmepik.exe
3452	Ndfqbhia.exe
4716	Nfgmjqop.exe
1064	Npmagine.exe
1512	Nfjjppmm.exe
1624	Olcbmj32.exe
3328	Ocnjidkf.exe
1984	Oflgep32.exe
1076	Oncofm32.exe
2440	Opakbi32.exe
4016	Olhlhjpd.exe
3636	Odocigqg.exe
1480	Ojllan32.exe
4748	Olkhmi32.exe
2316	Ogpmjb32.exe
2012	Onjegled.exe
2736	Oddmdf32.exe
1412	Ogbipa32.exe
4228	Pnlaml32.exe
1516	Pqknig32.exe
1392	Pcijeb32.exe
1964	Pjcbbmif.exe
2272	Pmannhhj.exe
4372	Pclgkb32.exe
2432	Pjeoglgc.exe
1584	Pmdkch32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ihlnnp32.dll	Jmbdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Klimip32.exe	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Kfoafi32.exe	Klimip32.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Mkoqfnpl.dll	Jblpek32.exe
File opened for modification	C:\Windows\SysWOW64\Lpnlpnih.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Jehokgge.exe	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jmbdbd32.exe	Jblpek32.exe
File created	C:\Windows\SysWOW64\Ocdfloja.dll	Kfjhkjle.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Imllie32.dll	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Lbjlfi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5592	5396	WerFault.exe	196

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bd8eeeff9a3e776b8c6e3a00f9d1c2395cb88d5cac321b55e40930597504267.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcllonma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehokgge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnnp32.dll"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamhhedg.dll"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 1448	4876	0bd8eeeff9a3e776b8c6e3a00f9d1c2395cb88d5cac321b55e40930597504267.exe	82
PID 4876 wrote to memory of 1448	4876	0bd8eeeff9a3e776b8c6e3a00f9d1c2395cb88d5cac321b55e40930597504267.exe	82
PID 4876 wrote to memory of 1448	4876	0bd8eeeff9a3e776b8c6e3a00f9d1c2395cb88d5cac321b55e40930597504267.exe	82
PID 1448 wrote to memory of 4448	1448	Jplfcpin.exe	83
PID 1448 wrote to memory of 4448	1448	Jplfcpin.exe	83
PID 1448 wrote to memory of 4448	1448	Jplfcpin.exe	83
PID 4448 wrote to memory of 1472	4448	Jehokgge.exe	84
PID 4448 wrote to memory of 1472	4448	Jehokgge.exe	84
PID 4448 wrote to memory of 1472	4448	Jehokgge.exe	84
PID 1472 wrote to memory of 2452	1472	Jmpgldhg.exe	85
PID 1472 wrote to memory of 2452	1472	Jmpgldhg.exe	85
PID 1472 wrote to memory of 2452	1472	Jmpgldhg.exe	85
PID 2452 wrote to memory of 3100	2452	Jblpek32.exe	86
PID 2452 wrote to memory of 3100	2452	Jblpek32.exe	86
PID 2452 wrote to memory of 3100	2452	Jblpek32.exe	86
PID 3100 wrote to memory of 1580	3100	Jmbdbd32.exe	87
PID 3100 wrote to memory of 1580	3100	Jmbdbd32.exe	87
PID 3100 wrote to memory of 1580	3100	Jmbdbd32.exe	87
PID 1580 wrote to memory of 2756	1580	Jcllonma.exe	88
PID 1580 wrote to memory of 2756	1580	Jcllonma.exe	88
PID 1580 wrote to memory of 2756	1580	Jcllonma.exe	88
PID 2756 wrote to memory of 1912	2756	Kfjhkjle.exe	89
PID 2756 wrote to memory of 1912	2756	Kfjhkjle.exe	89
PID 2756 wrote to memory of 1912	2756	Kfjhkjle.exe	89
PID 1912 wrote to memory of 784	1912	Kiidgeki.exe	90
PID 1912 wrote to memory of 784	1912	Kiidgeki.exe	90
PID 1912 wrote to memory of 784	1912	Kiidgeki.exe	90
PID 784 wrote to memory of 2140	784	Kfmepi32.exe	91
PID 784 wrote to memory of 2140	784	Kfmepi32.exe	91
PID 784 wrote to memory of 2140	784	Kfmepi32.exe	91
PID 2140 wrote to memory of 1540	2140	Klimip32.exe	92
PID 2140 wrote to memory of 1540	2140	Klimip32.exe	92
PID 2140 wrote to memory of 1540	2140	Klimip32.exe	92
PID 1540 wrote to memory of 1320	1540	Kfoafi32.exe	93
PID 1540 wrote to memory of 1320	1540	Kfoafi32.exe	93
PID 1540 wrote to memory of 1320	1540	Kfoafi32.exe	93
PID 1320 wrote to memory of 2056	1320	Kmijbcpl.exe	94
PID 1320 wrote to memory of 2056	1320	Kmijbcpl.exe	94
PID 1320 wrote to memory of 2056	1320	Kmijbcpl.exe	94
PID 2056 wrote to memory of 4404	2056	Kfankifm.exe	95
PID 2056 wrote to memory of 4404	2056	Kfankifm.exe	95
PID 2056 wrote to memory of 4404	2056	Kfankifm.exe	95
PID 4404 wrote to memory of 2388	4404	Klngdpdd.exe	96
PID 4404 wrote to memory of 2388	4404	Klngdpdd.exe	96
PID 4404 wrote to memory of 2388	4404	Klngdpdd.exe	96
PID 2388 wrote to memory of 2800	2388	Kbhoqj32.exe	97
PID 2388 wrote to memory of 2800	2388	Kbhoqj32.exe	97
PID 2388 wrote to memory of 2800	2388	Kbhoqj32.exe	97
PID 2800 wrote to memory of 4416	2800	Klqcioba.exe	98
PID 2800 wrote to memory of 4416	2800	Klqcioba.exe	98
PID 2800 wrote to memory of 4416	2800	Klqcioba.exe	98
PID 4416 wrote to memory of 5056	4416	Lbjlfi32.exe	99
PID 4416 wrote to memory of 5056	4416	Lbjlfi32.exe	99
PID 4416 wrote to memory of 5056	4416	Lbjlfi32.exe	99
PID 5056 wrote to memory of 4376	5056	Liddbc32.exe	100
PID 5056 wrote to memory of 4376	5056	Liddbc32.exe	100
PID 5056 wrote to memory of 4376	5056	Liddbc32.exe	100
PID 4376 wrote to memory of 4836	4376	Lpnlpnih.exe	101
PID 4376 wrote to memory of 4836	4376	Lpnlpnih.exe	101
PID 4376 wrote to memory of 4836	4376	Lpnlpnih.exe	101
PID 4836 wrote to memory of 1928	4836	Lfhdlh32.exe	102
PID 4836 wrote to memory of 1928	4836	Lfhdlh32.exe	102
PID 4836 wrote to memory of 1928	4836	Lfhdlh32.exe	102
PID 1928 wrote to memory of 536	1928	Ligqhc32.exe	103

C:\Users\Admin\AppData\Local\Temp\0bd8eeeff9a3e776b8c6e3a00f9d1c2395cb88d5cac321b55e40930597504267.exe
"C:\Users\Admin\AppData\Local\Temp\0bd8eeeff9a3e776b8c6e3a00f9d1c2395cb88d5cac321b55e40930597504267.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\Jplfcpin.exe
  C:\Windows\system32\Jplfcpin.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\Jehokgge.exe
    C:\Windows\system32\Jehokgge.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\SysWOW64\Jmpgldhg.exe
      C:\Windows\system32\Jmpgldhg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        34⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        49⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        53⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        57⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        76⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        78⤵
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4856
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        80⤵
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        83⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        84⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:364
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        93⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        96⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        98⤵
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4208
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        102⤵
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        110⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        111⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        113⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 396
        114⤵
        Program crash
        
        PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5396 -ip 5396
1⤵
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aminee32.exe

Filesize
93KB

MD5
a9cdf18f894e3de9e7c4a50d8f972dec

SHA1
2f8c45a95b96fe114f245acef99618d5ceeb996c

SHA256
4bf7ca15f94a88a365ba74f1bf74b1a8b5c46ad3cf730013d1bbf24ba0086ae0

SHA512
7451318c662a9f31d901044c8d7a8d9022aabaa59e5c05291323f3162d67a522de67130e2e795c4ca89f51171cb39783b409be2a071d438c343f30f8c30a3535

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
93KB

MD5
85517b3c4a76bb5d14cc42c39698dd01

SHA1
22d301a004f5bcfda30c39b59d36f9e4a865ee5e

SHA256
4f88f3cf2445954222d3f9bfc54a561ccc5940f6ee7c258a6ccc9ef74d957565

SHA512
7cf1191b200a0a6c7515f6439bdcff6b4d656eee689400ea194a07781cbe164b2bfe3f3e89aac68b9bfd7504fd04a8074972abe61f91adf3171b2133a7d3398d

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
93KB

MD5
5e461531429284817bbb456dfa5bcc91

SHA1
de7ad46ccb56a66d383ab371ca39dc6f23290f17

SHA256
7283d28f0bfaad9c754bc98a968c58dad2fa88b752e06869fc7d2da56a281dcc

SHA512
4239717fed70597d48ea459c0eaa0413f252b322aed893acf054722ad1753859aba83eaf0698d78895c46a1d6828c886f949b5c02cb675fa1a5c1ff0a74f19c3

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
93KB

MD5
b635d37da907a3bb7d53f0ba7ca748eb

SHA1
21a0c16981fd7103a774536ab72df6cfc85a57fb

SHA256
135ba02f57303da9d9d28fda1b370b8c7030e224d9bf9905c91cd7a55b614e00

SHA512
9f3745b2ed6b8e6c00873f4e3d65d75ac3f6f9441d7af933c895efb35912be55010f68e6961f6625004a6e08c2c5a40e656b7f416643144c61ef4c11762a938f

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
93KB

MD5
be569153dd8fb321bf701c3b7c5330e6

SHA1
f8e368fdf213939e850530f784bccd7f53f074a1

SHA256
acc5b3dbec5a678344359fc8563cdff505d34d1825a0e098e95b49ca442bc41f

SHA512
aa792da7ef6bb57f453818bf7625a147c7f621509a6ad7b249b464b6bbfe1dadbd1a03bc6093b81ca960c552d8e9fd35d4101f397bfb62a2fa48cc80a00d97f3

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
93KB

MD5
0384bce17e9d50ef2877ebea159b01ea

SHA1
043b1f5bb5a474cf4680f5755d09b076ba1f4817

SHA256
c21a3504c0005766b6408459ebb655ea7f058a54397ecf7b740e0162ca04be45

SHA512
a66df8bb2c1bc66cc321a204d3c378bed6e83ca2025d99cffe94f4aeb8af547ea28a378e95a9300f6d57498213fb72e5da30c1b232700b0c10166de491e8114d

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
93KB

MD5
39041f3dbc4aab762f22b753db1033f6

SHA1
0f0f32074d490857b4d6b0d944e558d73fcdef2b

SHA256
e899fa9d57bfb49c4cb3c37cb3dd8c8a9a003004bcd252d9ac134231897ee171

SHA512
b4e80e4e128a2cd4b9521b4a77a8a07d610ae45fa85134af1e1ccd2bc0f5e54f2e0cf83b90a497620fbda691fa5057a05ab8972ebde676fdaba8713fafdc8b8d

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
93KB

MD5
2ffb123c9a5dc51ac2fd5613e76ee4dc

SHA1
1096edda2e50102ce914a85a9ee24edbe2eb407d

SHA256
2ceda1d47416f9cd7de0a0600539bd88d06b8cd316619c9b64ed0fac9d70bd8f

SHA512
53074f6e5d8749cd26f858cd200c653be41e7929f54bf2fe2e8ffa334c965810f2555fc5b8a0f0cd350ad473a292ea59dcb8fd35a78bd9336987afda6de5780c

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
93KB

MD5
90ddd760459c107594abe5669235c7c6

SHA1
53ef70a3a917145791956ddf57ab19e90ed7f03d

SHA256
1655a37e5cc4bcff583f41b70003a6c78e5a728fc1ea4a0fd86d31f97322bd92

SHA512
7fb52d0dd1d3688fb971fb5e2f0ec492401590e7b74d7f37e084f3ab15ab7cccb11f3c41409975a2fd9505d5ab27384ae45ff8f447fecb59000b584f7a7cd189

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
93KB

MD5
0f1d96fcd754173c8b4769e1d3b7b593

SHA1
492a088a10d6c8620e49b3436915c37af55a173f

SHA256
c987d411a0526b788aa15f539d65c589808a425e1490ebc510f699bdad505843

SHA512
aa4128192f698356c7b8a9c54d502ac583df77504f0e376a1d1c8b48fee2159d1f6e71729ffec17a611f7c72ecf6280cc5e39f6d73a44935f43c27f053f6eb72

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
93KB

MD5
5d61e59f717fad3e1d677af22a786a7f

SHA1
ef9b9ca8a399654bea1a851d37fe0a5244a5ea40

SHA256
9fa47ce95e95bf8b603a8d3d02552dc18bdf9820aa109515d7324f888dcd7818

SHA512
0ee337048af766aca54718b02e8db58381c3a09e9300b939e648604b1db3acab27e0bca5ca40cbeee71637281437b2fe4a6fc13eaee797992288215dfb7e9d63

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
93KB

MD5
595887f46d2ea6a516a03311061c798d

SHA1
19a992bb2a70c740a0d30a5f10ea6c9f201dc061

SHA256
672798871bee4a87465805e3d7347049b49e1fb8fbbc4d3b1879763edfe2092a

SHA512
865bb5c32bdb80dcbecbfc4d238bbe5e56b3b6ae0eb9d9d0a525b8b0831684e9c9b004da372e68191d4ca7af270e93fe8b9f00353d5847237da4bfe180a579b2

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
93KB

MD5
aebe701a06d886e360b470544576d903

SHA1
49774f650f5c76edf72f8466cc894d473a9096e5

SHA256
acc29c5ff37769d6b15588395ba53f85286957f562607b0ce82d18a0a312fa93

SHA512
633afcefdb53205b1285fd3fe9c101dd4127e24458dd23de13804810213c1ef978b4724816c74f7e161494a94c5addac4d5d61f3c221c3354cfe22ecbc293216

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
93KB

MD5
a1fde8e06ce036b5ecc6fc5819c6c883

SHA1
1f0312a53072826fb46352cf2740ee239f183e14

SHA256
332ae123f7320334e7a0a2a9eb41f19b4777ff6a6a59ca607d2e020a56a8eb03

SHA512
f6b3b7fcce03d71109cfa3c4fd58e100b203190045e974668ec13df33c205461938a132c82b2d3ef23b1eb0a14f74651e07c0b2ed258904d1c5e1ce7a4fb3c6a

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
93KB

MD5
07a90ec6fdbc07b4c58b27067277632a

SHA1
cadbe7a2861d154ae1230440460df0bf7682523e

SHA256
38aa1921914b7d2fe094508c8e426208ee7a04e5ad514da709ad981f35bebaa7

SHA512
152c206e706b9dfa1d5b3e791ad5f7cee0207dad01ef9e1326bbb38d9489a8cf61ac0f32f05db66aae2901bf44a3013db3a12cf592d560c4ec7713193e6c86f0

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
93KB

MD5
714cf84407cc176648a0e39abbd2285b

SHA1
ee56eddab750aea24e6852468bafb9b6f19a382e

SHA256
59f98e16587b9d67b12263a951682f8c35ce3403997819a9bc553bfc6fc81d6d

SHA512
2e0fb7928647ef6029a47dfe97090caadb4ac95d85f7df852e29b8f942a4b9e9a9d4befe31484134765e948a0e4042bb9cb3a9af4871f47ef9b52139fa737c58

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
93KB

MD5
d864e60a41ca566dd11f1410eda941bf

SHA1
85b6014472c66ce311e71050b297906ff3d3924b

SHA256
7f54793c825bcef896c84a2a6d181f028bc20b107e8ccae6d050192889d986bf

SHA512
0c149731b7b3dceae7b7bdc85772ed784a70783f94f0083e616ac63a6944991e314c509e8a7f9f38cf304ccf11f7a4cf2d7ee46b1c527a79220857ed63733d4a

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
93KB

MD5
f05d25d3ddf4bdc1524fab964796ac7f

SHA1
d0b347c397ab2fb63f6891548b0739bb22edecd5

SHA256
e2b80dbb70b3eb76998e424baa7a91a2b449e263cb5d8851626e27f31499dd8b

SHA512
1f6697ab2f1108fbc4e52a0f1216641de243b4da5921e574937e3005a9350a057ea032e91bd59a075b2034cfc53504bf3929dfc44f3a29699b8f9af186938c1c

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
93KB

MD5
8280e8a00f0d0964780940d872a8ca91

SHA1
97e20421bcf4ae5b441ecd234d012eff81e02b51

SHA256
5148ff97d37ade64a6f5e304d49131e432b7c7cb3cf2c128ee1a4e671718b688

SHA512
9a77dd9456814fe280b087a94f72080765acfa0f97126f7e1a66693f62ba076fb5cead1aa5aa80635757502c8008cc7234723efb1e238d438e60584007dc1406

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
93KB

MD5
133d2781ea9b0d5744eca074c9bfc904

SHA1
59ff8e5559885f5a1aae620af86cdc21985f4ec6

SHA256
1f7a59d1e3974aa7aa2462b89dec282056cbc9df3ee8c2bae8f5a059c8bacc63

SHA512
2a3799836a741188b4a9b53dfa40ede5c9181e94605422765827cdc760cf7c27ad5bccc9ed4bcc100e2d8b45d57056d48c5e71f8a22e29a9bb89532681975118

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
93KB

MD5
c3432a2ae829ebd3308b072fd2799ada

SHA1
75eae1af915317a8ea703d13b4a262f2ac6ce628

SHA256
92d5bdeafc9da2b17fca63b294296be2800dcf19dbca5aef6049ce5818593cd9

SHA512
94e7485827baef833601164e73396306f2629f9f59ee8ba9f232b7166b7dc9bb0b2a736f060bd6de37630607f9665e035c8d119405b18c6df60c5bc8ccf3937e

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
93KB

MD5
6d0b38e6e9f21f2e43a109bf15cc004c

SHA1
a0f457d9b4b92ad2938336dcadbee86b7027dbb1

SHA256
f04e8c9a3e9aa4da61bcabc8bdcaf57d34b41362bda095bcef173aad94b8b26f

SHA512
7b57f210a18f0dae68ba4c1a0d5718a864fd216771630d5ed1ce1f99a99dcd00a176e659f4b6f5f8ef6de1bf90e2b8b55e0b8fbb73218d3d9123888dea9abca7

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
93KB

MD5
e93977c9e8fdb8183011756bebf0738b

SHA1
d15bc97c41a598215f1a6e84c19baac273049f41

SHA256
cbf682e4a6fe9707396e80c4a76cf882492b0e4b02d4b54f60f08cabeafe2f3c

SHA512
a4b29cc1fd8ceaed1c56347f874ef54c7383f922fc8816f0a03f9e1f6140687337cb7ada49f0da6a3df8aed0f4d233b0ca50385209493305bded52e78b473d06

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
93KB

MD5
cd2749cd105a0800ce82561f3b579c66

SHA1
caa09bca42032f7c9d25ce36349a1883cc204ef2

SHA256
900363b61d62145f12592b24bc37288db41336c4914c3d25577fa0b68ed0e0e0

SHA512
b08e501a4fe8ad1f1dc93637fc671fc87e2f346a565dd6abdc2c7777d20092299bca575abbd26e7e0d992a381e724fb8986496757f14e00070006dd4f6745090

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
93KB

MD5
725fd16402d53fde7d0106acc39dc0e2

SHA1
ba9348d543234e44ce7b4875dc1c9b0829848753

SHA256
ea18742eb2cf9bcfc1fc25ffa12efd8698e59b41eaa85a4a5d3093ef53260d02

SHA512
8420c225e4b85edb5b7aab4358a68e7edd07c0a2b9baff8b449f6f16aaf9f33ed9e62964a54b199b9431660a69400d1da0c3f4dbaba2b08aa28ed7a9e0225529

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
93KB

MD5
0a46b935c6e269b80e5a44efb0329971

SHA1
dbb7873a110acc51a77e2e9de2d3a984dfe346ed

SHA256
200b077df333019d85ae995602b589b3fc795789e9c6e876317fe5acff278edd

SHA512
7c5b9aa7715d3ee57c04003efcbe92e0c53da38b3a7b5eb62a38d5edc3fa1201ebb539e6464e068adb51cacff76bc16108545773332d03b1243d1783b3a2dd45

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
93KB

MD5
3ac21c5b0ca03ab176bd4ff49f531430

SHA1
35b1c18cb37ea1e26777b729096c2b500718eb96

SHA256
e4fc1a105e1b25faf183450dbee344f1eaf8aedbf6b63f3189bb103b1918523d

SHA512
9f0ef673d5a2043188f6e5b8138b7009b1b3af98a035458546d68097c25d75efb140409c28266b57dc68ae0e21c800e3f8cad1e24c3ff28e332ade6c69f4f996

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
93KB

MD5
5156371df008324dbe29e8c253964da3

SHA1
98be5b936e854dea5d4e3ebaf34e97bbe1c5a639

SHA256
7e14573014e1e148f4fa789d0cf4b1f62d503f9f0d575c1bd449254a7a01240d

SHA512
673ac4161e884331e6ad28596a48c16d970bc919158e0f30c10587465018aa57c44e5d8b1b2129163392d4135478626f3db186eec9b5a281316aaf3ebd8aaa9f

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
93KB

MD5
21e1fe47ee45d37c028abacadc4606ba

SHA1
2cbe883052060c86777b44db3792f7fdede7e64c

SHA256
7183056b1957de7e6bdc8561f71b92f0143d89a24dec6aeeb04985c2a070a1ee

SHA512
4ad361f28df82e3ead4323e4ea43b3ff81e3b449251a05eaa40ae474d082cb74f6e6cf9d87cd6a0a6399a9627021c02b385afca471f356566b9208a6f714da3f

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
93KB

MD5
f4b3a6c418165c299c6165576a76e25d

SHA1
106b5e3333ee0d835f757d1fceda3cd022ba3617

SHA256
42850af36612d1b7d7eb42af7d05634da08e864aa167952e08119e5c926ff70d

SHA512
c383d4fc36ad6aedc8da6c88275cd86bd4eb6952e33700cf64bb0ea5af6fc866e61d7b64a0e40ee4d8ab0f9d04e187ba97d9e03918804219b52d46aa2eaff815

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
93KB

MD5
ce9797dd2ccae83b8d182d4daaf62bdb

SHA1
4061cb1f92dff678ad6045cf31412e623186a893

SHA256
979d010361e1097b53b1942c3fce9700bb5d58bbecb006d69eb393b2bef4797b

SHA512
665ae93a52efb3f591250521e206c0d5b0c5a6468ad75a9eb575c70c33ead1788d86b44b82397a60103f5bab0e2851cfed58f4c44d81e55d2458cd215a0678d1

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
93KB

MD5
b9dff9561baf9333df2b5e4854a3423c

SHA1
f23e7ef7e8a94fd1aa2c8efdb852f9d078a7ed49

SHA256
7d3a181ace6bb8607bcd30c9f729966d6e53c04107626a9de2b068b1057724cf

SHA512
813bc1c74bfc0d285e827c48b4b95210240543af854e26ec001d104d06d623f285cbeeec47f6aee25017b399c41da1f90385ea1f5ac7e1b8f5d6f52b0a7d38c7

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
93KB

MD5
1cddaf1afcb552cc9a3cdc632943fa24

SHA1
ef08c01f7b7fb75b7b172f9341d54e8d8375f4d6

SHA256
d1a596ab88b0f0390d9900534329bb8f70da19812e5bc62909b0ac000e479b47

SHA512
47b5d3d6eb97ce148fa371014f06f9deb9965d0582cb58d950ed3397ae97186a59f7f4d2b26cf26236109737aadcd251c6a026f3684cafce55ca563f02deaef7

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
93KB

MD5
6fae707a062e599c62190d25b5c79cab

SHA1
84964bbac0c0af1d671729b501af177f211cf120

SHA256
0da1db9aa54ce3fac976835f1a0bf03e7fc346e71e0c3674c17a82784a89bc3c

SHA512
ed92e821f93c9cd5ea972ab44f7c43fff315daa03023073d14bb0a66d5b997cd40a928d441b5952d51f3617d303b3a1d760ab73e57dddf0f27c922e793e3168e

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
93KB

MD5
1c379f4329f612117f6e621e3a61b11e

SHA1
ce34c2dd8f3466c682d2543b6eb9257814bd4a79

SHA256
aaaf01a25f994b44c71de4b47294c825330be4894d40367bd479707acdc8cd3c

SHA512
bcdb2da616b7a7f7c3ad63cadf137038ff4e8db326a8b9cddf23b56801af8f6aea504dd10b8ef1e3e002123bd6d0bf6f5e2defe3d27df330e1e7cde67b17a6a7

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
93KB

MD5
9b4184e39ce83ecb81b64703fb5477f8

SHA1
47dbf8ac207fdd1a20191222b6ea1e5bf109b600

SHA256
e45dc892229da9eea230a51be7652675a60c213435eba44ce434c39970ae03ee

SHA512
32f7cd89ab88713aa770101fecd1b131d358bcf33cc59c8fdba611994d127669a135190ae288781327d4da60fa72eb8ae734dd0704175b79cd1b9276f8496842

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
93KB

MD5
184cbba8359b4958dabf8194e9d940fe

SHA1
8829fa674cc401a6e41bc984a210e66c35e48260

SHA256
9b25c056c259612d46edecb53cbc9f5572b147aed82eb7e12ffd2c12695d3ebf

SHA512
0795287a97ee67340d853e9733ead293596d833fc6ba79b7ce75818552281463390d50f07ead4c5e86bd959e047d1f1278cec7f2f3a20f4ebfbb9d75409dc271

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
93KB

MD5
24e24fa566084de2850e5ac3ae94f02a

SHA1
33bad976f152b5f39ee63f0bace1a3bf08633eee

SHA256
aa1101750208309d45091518f9a4192fc54ad6a63d2d4cd47d9dfb366fcb820a

SHA512
e326bf8032a72eeda9de7d139c115a20a47358f17fb1ae1bc75eac3706e07b24c227d87e63dc67492389c3dccbd89eedd73462d47acc9447bbb88489ec940b00

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
93KB

MD5
e3abe113b47bf17aa70116a324fbe1c5

SHA1
e09ce6ff0a503e88be0451f4461784ba406adddb

SHA256
39e56104b5c34c328144a7cb5b7e5f94da2082aff434ae81ac91119f3bda1b0d

SHA512
f98c0021e722f45667553c6afedd28f4cc076b5d70e1decda7dd0cefe2a73bc0d1117ebb9fb1570d013d4d8bbb51d6920ca28eb144ba248a5f36abbaaa24df44

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
93KB

MD5
4e2a316b1f32de48d5ebe99aee22c767

SHA1
72aaeafe302cb8eedaca9af545c9ae24e9f57c17

SHA256
87d5610aeaa4255e1462baab2f8d9ad29000e3c9f3d99cdc89eac4fc4a3c8aa1

SHA512
231c965c2b49dc9b7bbcd79e5cf51fed753b396ba42db89ca09d1fd13fc0db079e694f365dca78f36ba9281a9d4406f47b6d6c7018c362642923832c526c081b

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
93KB

MD5
5ed3d01c052e06977d05d514ae0afc33

SHA1
e83dff9b744abb37f72d2c2ce4c8016adc81994a

SHA256
9f3f14e4b249996b3e1c831cd9a153e828d7c97cc5e6db8ef19c8673220bd1ab

SHA512
03b8621af4c0cccf637e1193acc029f74d401b7d056be7fe88a25d28549bb407eb5539c2befaa69c406318cd659e693d8a45ca5071f667918318be43892f5805

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
93KB

MD5
278b8e6aa631537b6d026260fb873f17

SHA1
5a7203084b7f1781e2d4f89b440b1a77259e9615

SHA256
bd9978ba260ddd1a209954b86d5a90c39700724bff09ce6a93a16bdc3af6d88f

SHA512
bf913166f611233226eada96921647bb12bd02cdd3e3e2615366e48f409d5ceb1cb6f393eaa8f4876000fc15a125a0403681120e1e27ce6e3ec766185a86157a

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
64KB

MD5
09a519d7cfa56d8e1a2cd816527516cb

SHA1
04c343e16e9fc6b4585417efae64fbca39eb7fc4

SHA256
c815ce3e8f8d539e1e89b3438cfdac5a8139b27d796134f83bd2cb44d913cc82

SHA512
557aa058e3052d06bfd9d26d3e759e7a52b679bd5e83c1831a1746a48d1bf3a9b75c4203ed13f7f693bb43d12d27a67d45623af5c820076dc188c517cfeebfa3

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
93KB

MD5
5b5d3ba0ca6a530ba96bd37c0a331b0a

SHA1
c9be9620e70b3d3f582427da0eabc6a45288a022

SHA256
48b3c80f44bc7cd4505328961241ff5e7a0369e089a7e437968ee81b90a97b01

SHA512
7cd3cb182cbccac2a6c16f9e233b190612be4d421322642b0904aea59df17104939b304b1966969e018ec7995b8ceeb6355ab16df7b4f0a7999e5e9c6243bc10

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
93KB

MD5
9fbba9fed40227a0cb6d2a249e4a0e3e

SHA1
0091287856fcf038351ee4992fb21734e2765cb1

SHA256
65226e055286e645e6ba5e0717558fa701ff42b6522d2dc673df60d11f5d74b6

SHA512
d2f76ba07a15cfe6edb0129cdb48ded8ebbb9431cc4a591abc3ccb432c7236d54865674059fa1d863791857a69ed638267e238a1ad4da10092341921c57f0041

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
93KB

MD5
921baab52b6a29742e7cf0c5cf866623

SHA1
af2840a5798c2825e724948950819fa2d80f20c1

SHA256
2209d5a2c78342df499a1f1a3909604f681b40af06caef505b4764e036ba070e

SHA512
38eee46a201f6b205d665f6147db21c33114e06c1b62622a738ac2b8d6d059b545cb237c3941f5abeb8f09179fd66dd9c0d7764b0c836b07a42d11f3ca17b188

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
93KB

MD5
7c88ea7c40d3560a9ca19c5fc15f0526

SHA1
c2ba050ad147f2adf9f775f4284d66b370564eeb

SHA256
f3c24d62202ebc54ba0b4e624afded96f9b9a25f12705e26b2a5c68fbda93f43

SHA512
f5c831ddcc8f55aa93e19558d939d2f04f273925c8c82f5483289e5aad3abfdd1e7f763d49999281ccbb042a9c2657b1132af79a6398ebffdf314d96891c776f

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
93KB

MD5
ac402ec7ba1000b67c1412bdb2c8b61e

SHA1
158943b56998c5b30735ab4f2657788734cfe206

SHA256
48c9c4e54c252b63e7788771107e538df88a2ddb90a4dbe5f1043253a682cb1c

SHA512
25af58e36c1494a4075b90ba6bde013d3527694803c6389f66249e0476ded773e7009c94d8614481f61f63ffaa92c726e1b19b4fdd1bd183cb47760a1df8407f

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
93KB

MD5
aad165a3938d7734a2886a812ccedb3c

SHA1
cfda00c130dafd50eb364dc1eb6fcdead88824e7

SHA256
333ac0c6ecb1bd2d1d82fa0f5a00e28fcfc18f967ae817b33344b4f2838c4133

SHA512
97cdacd744069a74dae1085576753e01e935a5bc9592deaeaf0d308510a63257cc7136cbf8ae70b7c283637454782bf3dba71d69cd62e1e6c0a1bc17f70fcbf8

Download Submit
memory/212-847-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/364-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-846-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-787-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-858-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-828-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-845-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-879-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-844-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-880-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-829-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4876-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads