berbew | 511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0.exe
Size

352KB
MD5

d5ca9d56fcf6b2e2cfe6582caf3471b3
SHA1

b693ecec6d4e8f25dfedacaad2b25b37273c8292
SHA256

511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0
SHA512

3dd31ab9ad81502ef5d4c9cd798adbcc822bfbfa2c1eed9bf9c6bd9412c63914795e222a5bb99afcd49f8b0b71fcd348ff03aae6f408112ccc81d2b22795fe42
SSDEEP

6144:smA28Ai8IoB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R:smJ8LG6t3XGCByvNv54B9f01ZmHByvNR

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qbekejqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkanob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhkkhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjdkhmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmljjgkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oiojkffd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpndmlm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amaeca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdncliaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khkban32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klndbkep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdjjaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdjjaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajoplgod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhbbegj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkdkeaoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cccpnefb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oilmfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pihmae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pijjgdlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qimfmdjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banjkndi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckkhocgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kejipb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajoplgod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnhbngf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomclbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdepfjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ladpaakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ooopbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbpajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnnfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpofhiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qimfmdjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabcfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdgmlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llidnjkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njidcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfgdpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aihfhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagmamlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcqgnfbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lidbao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofbjdken.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbedlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdeimhkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpdghkao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqeiefei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oijqpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abjdqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Appapm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhkkhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhmggcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhbaijod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbndekfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adpgkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlbefm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcepif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefika32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekbfpgk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakdnqdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Appapm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4748	Jlbefm32.exe
1116	Kejipb32.exe
3776	Kppnmk32.exe
2448	Khkban32.exe
1748	Kcqgnfbe.exe
3708	Kpdghkao.exe
2736	Kimlqp32.exe
532	Kcepif32.exe
4824	Klndbkep.exe
2816	Lefika32.exe
2344	Lidbao32.exe
4724	Lclfjehh.exe
2544	Lekbfpgk.exe
4492	Lhkkhk32.exe
4192	Ladpaakm.exe
2984	Llidnjkc.exe
1044	Mfbigo32.exe
4580	Mojmpe32.exe
1368	Mhbaijod.exe
4780	Mbkfap32.exe
2284	Mplfog32.exe
2800	Mjdkhmcd.exe
904	Mqnceg32.exe
1376	Mhihii32.exe
4496	Nfnhbngf.exe
2004	Njidcl32.exe
4296	Nfpehmec.exe
2468	Nhnadidg.exe
1144	Nqeiefei.exe
4104	Nmljjgkm.exe
2976	Nokfgbja.exe
396	Nomclbho.exe
224	Ooopbb32.exe
2324	Omcpkf32.exe
3132	Oijqpg32.exe
808	Obbeimaj.exe
920	Ofnajk32.exe
624	Oilmfg32.exe
2220	Opfebqpd.exe
3924	Oiojkffd.exe
1888	Opibhq32.exe
2832	Ofbjdken.exe
4392	Pmmcad32.exe
3596	Ppkonp32.exe
2964	Pfegjjck.exe
4768	Pajkgc32.exe
688	Pfgdpj32.exe
948	Pjcpphib.exe
3288	Ppphipgi.exe
1960	Pbndekfm.exe
3516	Pihmae32.exe
3384	Pcnaonnp.exe
4368	Pbpajk32.exe
440	Pijjgdlg.exe
1824	Pcpndmlm.exe
5004	Qimfmdjd.exe
5012	Qcbjjm32.exe
3588	Qbekejqe.exe
2920	Qiocbd32.exe
4532	Qcdgom32.exe
5060	Ajoplgod.exe
2760	Ammlhbnh.exe
2020	Abjdqi32.exe
1364	Ajalaf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bpnnakmf.exe	Bkaehdoo.exe
File created	C:\Windows\SysWOW64\Igdnkeof.dll	Cmidknfh.exe
File opened for modification	C:\Windows\SysWOW64\Dkdkeaoj.exe	Dghodc32.exe
File created	C:\Windows\SysWOW64\Jdhgjk32.dll	Lekbfpgk.exe
File created	C:\Windows\SysWOW64\Fgmhoj32.dll	Oiojkffd.exe
File opened for modification	C:\Windows\SysWOW64\Ppkonp32.exe	Pmmcad32.exe
File opened for modification	C:\Windows\SysWOW64\Pbndekfm.exe	Ppphipgi.exe
File created	C:\Windows\SysWOW64\Pnhejh32.dll	Adpgkk32.exe
File created	C:\Windows\SysWOW64\Kellfi32.dll	Cbofbf32.exe
File created	C:\Windows\SysWOW64\Fglonpeb.dll	Dpofhiod.exe
File opened for modification	C:\Windows\SysWOW64\Kcqgnfbe.exe	Khkban32.exe
File opened for modification	C:\Windows\SysWOW64\Kimlqp32.exe	Kpdghkao.exe
File created	C:\Windows\SysWOW64\Cdeimhkb.exe	Cagmamlo.exe
File opened for modification	C:\Windows\SysWOW64\Appapm32.exe	Amaeca32.exe
File opened for modification	C:\Windows\SysWOW64\Bdjjaj32.exe	Bpnnakmf.exe
File opened for modification	C:\Windows\SysWOW64\Nhnadidg.exe	Nfpehmec.exe
File opened for modification	C:\Windows\SysWOW64\Pajkgc32.exe	Pfegjjck.exe
File created	C:\Windows\SysWOW64\Pijjgdlg.exe	Pbpajk32.exe
File opened for modification	C:\Windows\SysWOW64\Ckkhocgd.exe	Cccpnefb.exe
File opened for modification	C:\Windows\SysWOW64\Cgdeicjf.exe	Cdeimhkb.exe
File created	C:\Windows\SysWOW64\Kcqgnfbe.exe	Khkban32.exe
File created	C:\Windows\SysWOW64\Edlagnqg.dll	Lhkkhk32.exe
File created	C:\Windows\SysWOW64\Lhqimkkm.dll	Cmnnfn32.exe
File created	C:\Windows\SysWOW64\Jehnpp32.dll	Kcepif32.exe
File created	C:\Windows\SysWOW64\Jmfnmc32.dll	Ammlhbnh.exe
File created	C:\Windows\SysWOW64\Binafnin.dll	Njidcl32.exe
File created	C:\Windows\SysWOW64\Pjcpphib.exe	Pfgdpj32.exe
File opened for modification	C:\Windows\SysWOW64\Qbekejqe.exe	Qcbjjm32.exe
File created	C:\Windows\SysWOW64\Oljcip32.dll	Ajoplgod.exe
File opened for modification	C:\Windows\SysWOW64\Bbedlg32.exe	Bmikdq32.exe
File opened for modification	C:\Windows\SysWOW64\Bdgmlj32.exe	Bfclbfii.exe
File opened for modification	C:\Windows\SysWOW64\Klndbkep.exe	Kcepif32.exe
File created	C:\Windows\SysWOW64\Lekbfpgk.exe	Lclfjehh.exe
File created	C:\Windows\SysWOW64\Cgjbcebq.exe	Cbofbf32.exe
File created	C:\Windows\SysWOW64\Cagmamlo.exe	Ckmedbeb.exe
File created	C:\Windows\SysWOW64\Dmabfe32.dll	Appapm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfclbfii.exe	Bdepfjie.exe
File opened for modification	C:\Windows\SysWOW64\Llidnjkc.exe	Ladpaakm.exe
File opened for modification	C:\Windows\SysWOW64\Afhmggcf.exe	Aakdnqdo.exe
File created	C:\Windows\SysWOW64\Ajhbbegj.exe	Aflfag32.exe
File created	C:\Windows\SysWOW64\Ccfmcedp.exe	Cmidknfh.exe
File opened for modification	C:\Windows\SysWOW64\Mhihii32.exe	Mqnceg32.exe
File opened for modification	C:\Windows\SysWOW64\Obbeimaj.exe	Oijqpg32.exe
File opened for modification	C:\Windows\SysWOW64\Abjdqi32.exe	Ammlhbnh.exe
File created	C:\Windows\SysWOW64\Lhkkhk32.exe	Lekbfpgk.exe
File created	C:\Windows\SysWOW64\Lbpllpmk.dll	Nomclbho.exe
File created	C:\Windows\SysWOW64\Bmikdq32.exe	Bjjohe32.exe
File created	C:\Windows\SysWOW64\Gbddcd32.dll	Mfbigo32.exe
File created	C:\Windows\SysWOW64\Fjpiapan.dll	Nqeiefei.exe
File created	C:\Windows\SysWOW64\Ppkonp32.exe	Pmmcad32.exe
File created	C:\Windows\SysWOW64\Eghaag32.dll	Qbekejqe.exe
File opened for modification	C:\Windows\SysWOW64\Ammlhbnh.exe	Ajoplgod.exe
File opened for modification	C:\Windows\SysWOW64\Banjkndi.exe	Bdjjaj32.exe
File opened for modification	C:\Windows\SysWOW64\Dkanob32.exe	Ddhfbhip.exe
File created	C:\Windows\SysWOW64\Iiecpppf.dll	Nfnhbngf.exe
File created	C:\Windows\SysWOW64\Ekagcb32.dll	Opfebqpd.exe
File created	C:\Windows\SysWOW64\Qiocbd32.exe	Qbekejqe.exe
File opened for modification	C:\Windows\SysWOW64\Lclfjehh.exe	Lidbao32.exe
File opened for modification	C:\Windows\SysWOW64\Pcpndmlm.exe	Pijjgdlg.exe
File created	C:\Windows\SysWOW64\Olkjco32.dll	Lefika32.exe
File created	C:\Windows\SysWOW64\Difbepij.dll	Mojmpe32.exe
File created	C:\Windows\SysWOW64\Bipliajo.exe	Bbedlg32.exe
File created	C:\Windows\SysWOW64\Gofhhaoi.dll	Bdepfjie.exe
File created	C:\Windows\SysWOW64\Kejipb32.exe	Jlbefm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
536	4624	WerFault.exe	186

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnhbngf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbofbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Didnkogg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppkonp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcpphib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakdnqdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kppnmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfclbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lclfjehh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammlhbnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhihii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomclbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opibhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgjbcebq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbefm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflfag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdgmlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cccpnefb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkanob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klndbkep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqnceg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcqgnfbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nokfgbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcnaonnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnbgamnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbekejqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhbaijod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmljjgkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihmae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckkhocgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcpkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obbeimaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpndmlm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjdqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiocbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdncliaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgdeicjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjdkhmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnajk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbpajk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adpgkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ladpaakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmedbeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhkkhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfbigo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiojkffd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdeimhkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oijqpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmcad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpofhiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefika32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcbjjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipliajo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbjdken.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llidnjkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplfog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcdgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdepfjie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejipb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidbao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijjgdlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhfbhip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojmpe32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcepif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdeimhkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkggppbo.dll"	Didnkogg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mplfog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjdkhmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goknaj32.dll"	Nmljjgkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oilmfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omaffope.dll"	Banjkndi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkjbpk32.dll"	Cccpnefb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhmai32.dll"	Kpdghkao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ladpaakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiodmnil.dll"	Obbeimaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfegjjck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bipliajo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igdnkeof.dll"	Cmidknfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfcmbqp.dll"	Mhbaijod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmljjgkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgmihlci.dll"	Omcpkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgbaak32.dll"	Ofnajk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcepif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjcpphib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddcfahj.dll"	Pbpajk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdncliaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckmedbeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlggenhj.dll"	Klndbkep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjdkhmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooenm32.dll"	Nhnadidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lknqij32.dll"	Amaeca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aflfag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdjjaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccfmcedp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klndbkep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Appapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbcln32.dll"	Bdgmlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpofhiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofhhaoi.dll"	Bdepfjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jlbefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhihii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nokfgbja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppkonp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppphipgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhejh32.dll"	Adpgkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmikdq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgmoidqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfejgh32.dll"	Aihfhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opfebqpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pihmae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbofbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cccpnefb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ladpaakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llidnjkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddleaoo.dll"	Mjdkhmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mqnceg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfnhbngf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qbekejqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Appapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lclfjehh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojmemng.dll"	Nfpehmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcnaonnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmaahjld.dll"	Dkdkeaoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Digabjai.dll"	Kejipb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4748	4984	511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0.exe	82
PID 4984 wrote to memory of 4748	4984	511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0.exe	82
PID 4984 wrote to memory of 4748	4984	511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0.exe	82
PID 4748 wrote to memory of 1116	4748	Jlbefm32.exe	83
PID 4748 wrote to memory of 1116	4748	Jlbefm32.exe	83
PID 4748 wrote to memory of 1116	4748	Jlbefm32.exe	83
PID 1116 wrote to memory of 3776	1116	Kejipb32.exe	84
PID 1116 wrote to memory of 3776	1116	Kejipb32.exe	84
PID 1116 wrote to memory of 3776	1116	Kejipb32.exe	84
PID 3776 wrote to memory of 2448	3776	Kppnmk32.exe	85
PID 3776 wrote to memory of 2448	3776	Kppnmk32.exe	85
PID 3776 wrote to memory of 2448	3776	Kppnmk32.exe	85
PID 2448 wrote to memory of 1748	2448	Khkban32.exe	86
PID 2448 wrote to memory of 1748	2448	Khkban32.exe	86
PID 2448 wrote to memory of 1748	2448	Khkban32.exe	86
PID 1748 wrote to memory of 3708	1748	Kcqgnfbe.exe	87
PID 1748 wrote to memory of 3708	1748	Kcqgnfbe.exe	87
PID 1748 wrote to memory of 3708	1748	Kcqgnfbe.exe	87
PID 3708 wrote to memory of 2736	3708	Kpdghkao.exe	88
PID 3708 wrote to memory of 2736	3708	Kpdghkao.exe	88
PID 3708 wrote to memory of 2736	3708	Kpdghkao.exe	88
PID 2736 wrote to memory of 532	2736	Kimlqp32.exe	89
PID 2736 wrote to memory of 532	2736	Kimlqp32.exe	89
PID 2736 wrote to memory of 532	2736	Kimlqp32.exe	89
PID 532 wrote to memory of 4824	532	Kcepif32.exe	90
PID 532 wrote to memory of 4824	532	Kcepif32.exe	90
PID 532 wrote to memory of 4824	532	Kcepif32.exe	90
PID 4824 wrote to memory of 2816	4824	Klndbkep.exe	91
PID 4824 wrote to memory of 2816	4824	Klndbkep.exe	91
PID 4824 wrote to memory of 2816	4824	Klndbkep.exe	91
PID 2816 wrote to memory of 2344	2816	Lefika32.exe	92
PID 2816 wrote to memory of 2344	2816	Lefika32.exe	92
PID 2816 wrote to memory of 2344	2816	Lefika32.exe	92
PID 2344 wrote to memory of 4724	2344	Lidbao32.exe	93
PID 2344 wrote to memory of 4724	2344	Lidbao32.exe	93
PID 2344 wrote to memory of 4724	2344	Lidbao32.exe	93
PID 4724 wrote to memory of 2544	4724	Lclfjehh.exe	94
PID 4724 wrote to memory of 2544	4724	Lclfjehh.exe	94
PID 4724 wrote to memory of 2544	4724	Lclfjehh.exe	94
PID 2544 wrote to memory of 4492	2544	Lekbfpgk.exe	95
PID 2544 wrote to memory of 4492	2544	Lekbfpgk.exe	95
PID 2544 wrote to memory of 4492	2544	Lekbfpgk.exe	95
PID 4492 wrote to memory of 4192	4492	Lhkkhk32.exe	96
PID 4492 wrote to memory of 4192	4492	Lhkkhk32.exe	96
PID 4492 wrote to memory of 4192	4492	Lhkkhk32.exe	96
PID 4192 wrote to memory of 2984	4192	Ladpaakm.exe	97
PID 4192 wrote to memory of 2984	4192	Ladpaakm.exe	97
PID 4192 wrote to memory of 2984	4192	Ladpaakm.exe	97
PID 2984 wrote to memory of 1044	2984	Llidnjkc.exe	98
PID 2984 wrote to memory of 1044	2984	Llidnjkc.exe	98
PID 2984 wrote to memory of 1044	2984	Llidnjkc.exe	98
PID 1044 wrote to memory of 4580	1044	Mfbigo32.exe	99
PID 1044 wrote to memory of 4580	1044	Mfbigo32.exe	99
PID 1044 wrote to memory of 4580	1044	Mfbigo32.exe	99
PID 4580 wrote to memory of 1368	4580	Mojmpe32.exe	100
PID 4580 wrote to memory of 1368	4580	Mojmpe32.exe	100
PID 4580 wrote to memory of 1368	4580	Mojmpe32.exe	100
PID 1368 wrote to memory of 4780	1368	Mhbaijod.exe	101
PID 1368 wrote to memory of 4780	1368	Mhbaijod.exe	101
PID 1368 wrote to memory of 4780	1368	Mhbaijod.exe	101
PID 4780 wrote to memory of 2284	4780	Mbkfap32.exe	102
PID 4780 wrote to memory of 2284	4780	Mbkfap32.exe	102
PID 4780 wrote to memory of 2284	4780	Mbkfap32.exe	102
PID 2284 wrote to memory of 2800	2284	Mplfog32.exe	103

C:\Users\Admin\AppData\Local\Temp\511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0.exe
"C:\Users\Admin\AppData\Local\Temp\511003cdae4e1326da1ae2526939cd9e7fb15d846e7055654ec99a26db68a9e0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\Jlbefm32.exe
  C:\Windows\system32\Jlbefm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\Kejipb32.exe
    C:\Windows\system32\Kejipb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\SysWOW64\Kppnmk32.exe
      C:\Windows\system32\Kppnmk32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\SysWOW64\Khkban32.exe
        
        C:\Windows\system32\Khkban32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\SysWOW64\Kcqgnfbe.exe
        
        C:\Windows\system32\Kcqgnfbe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Kpdghkao.exe
        
        C:\Windows\system32\Kpdghkao.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Kimlqp32.exe
        
        C:\Windows\system32\Kimlqp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Kcepif32.exe
        
        C:\Windows\system32\Kcepif32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Klndbkep.exe
        
        C:\Windows\system32\Klndbkep.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Lefika32.exe
        
        C:\Windows\system32\Lefika32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Lidbao32.exe
        
        C:\Windows\system32\Lidbao32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Lclfjehh.exe
        
        C:\Windows\system32\Lclfjehh.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Lekbfpgk.exe
        
        C:\Windows\system32\Lekbfpgk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Lhkkhk32.exe
        
        C:\Windows\system32\Lhkkhk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Ladpaakm.exe
        
        C:\Windows\system32\Ladpaakm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Llidnjkc.exe
        
        C:\Windows\system32\Llidnjkc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Mfbigo32.exe
        
        C:\Windows\system32\Mfbigo32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Mojmpe32.exe
        
        C:\Windows\system32\Mojmpe32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Mhbaijod.exe
        
        C:\Windows\system32\Mhbaijod.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Mbkfap32.exe
        
        C:\Windows\system32\Mbkfap32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Mplfog32.exe
        
        C:\Windows\system32\Mplfog32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Mjdkhmcd.exe
        
        C:\Windows\system32\Mjdkhmcd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Mqnceg32.exe
        
        C:\Windows\system32\Mqnceg32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Mhihii32.exe
        
        C:\Windows\system32\Mhihii32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Nfnhbngf.exe
        
        C:\Windows\system32\Nfnhbngf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Njidcl32.exe
        
        C:\Windows\system32\Njidcl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Nfpehmec.exe
        
        C:\Windows\system32\Nfpehmec.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Nhnadidg.exe
        
        C:\Windows\system32\Nhnadidg.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Nqeiefei.exe
        
        C:\Windows\system32\Nqeiefei.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Nmljjgkm.exe
        
        C:\Windows\system32\Nmljjgkm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Nokfgbja.exe
        
        C:\Windows\system32\Nokfgbja.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Nomclbho.exe
        
        C:\Windows\system32\Nomclbho.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Ooopbb32.exe
        
        C:\Windows\system32\Ooopbb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Omcpkf32.exe
        
        C:\Windows\system32\Omcpkf32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Oijqpg32.exe
        
        C:\Windows\system32\Oijqpg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\Obbeimaj.exe
        
        C:\Windows\system32\Obbeimaj.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Ofnajk32.exe
        
        C:\Windows\system32\Ofnajk32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Oilmfg32.exe
        
        C:\Windows\system32\Oilmfg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Opfebqpd.exe
        
        C:\Windows\system32\Opfebqpd.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Oiojkffd.exe
        
        C:\Windows\system32\Oiojkffd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Opibhq32.exe
        
        C:\Windows\system32\Opibhq32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Ofbjdken.exe
        
        C:\Windows\system32\Ofbjdken.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Pmmcad32.exe
        
        C:\Windows\system32\Pmmcad32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Ppkonp32.exe
        
        C:\Windows\system32\Ppkonp32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Pfegjjck.exe
        
        C:\Windows\system32\Pfegjjck.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Pajkgc32.exe
        
        C:\Windows\system32\Pajkgc32.exe
        47⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Pfgdpj32.exe
        
        C:\Windows\system32\Pfgdpj32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Pjcpphib.exe
        
        C:\Windows\system32\Pjcpphib.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Ppphipgi.exe
        
        C:\Windows\system32\Ppphipgi.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Pbndekfm.exe
        
        C:\Windows\system32\Pbndekfm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Pihmae32.exe
        
        C:\Windows\system32\Pihmae32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Pcnaonnp.exe
        
        C:\Windows\system32\Pcnaonnp.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Pbpajk32.exe
        
        C:\Windows\system32\Pbpajk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Pijjgdlg.exe
        
        C:\Windows\system32\Pijjgdlg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Pcpndmlm.exe
        
        C:\Windows\system32\Pcpndmlm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\Qimfmdjd.exe
        
        C:\Windows\system32\Qimfmdjd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Qcbjjm32.exe
        
        C:\Windows\system32\Qcbjjm32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\Qbekejqe.exe
        
        C:\Windows\system32\Qbekejqe.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Qiocbd32.exe
        
        C:\Windows\system32\Qiocbd32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Qcdgom32.exe
        
        C:\Windows\system32\Qcdgom32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Ajoplgod.exe
        
        C:\Windows\system32\Ajoplgod.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ammlhbnh.exe
        
        C:\Windows\system32\Ammlhbnh.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Abjdqi32.exe
        
        C:\Windows\system32\Abjdqi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Ajalaf32.exe
        
        C:\Windows\system32\Ajalaf32.exe
        65⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Aakdnqdo.exe
        
        C:\Windows\system32\Aakdnqdo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Afhmggcf.exe
        
        C:\Windows\system32\Afhmggcf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4184
        
        C:\Windows\SysWOW64\Amaeca32.exe
        
        C:\Windows\system32\Amaeca32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Appapm32.exe
        
        C:\Windows\system32\Appapm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Aihfhb32.exe
        
        C:\Windows\system32\Aihfhb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Amdbiahp.exe
        
        C:\Windows\system32\Amdbiahp.exe
        71⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Aflfag32.exe
        
        C:\Windows\system32\Aflfag32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Ajhbbegj.exe
        
        C:\Windows\system32\Ajhbbegj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:316
        
        C:\Windows\SysWOW64\Adpgkk32.exe
        
        C:\Windows\system32\Adpgkk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Bjjohe32.exe
        
        C:\Windows\system32\Bjjohe32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Bmikdq32.exe
        
        C:\Windows\system32\Bmikdq32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Bbedlg32.exe
        
        C:\Windows\system32\Bbedlg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Bipliajo.exe
        
        C:\Windows\system32\Bipliajo.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Bdepfjie.exe
        
        C:\Windows\system32\Bdepfjie.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Bfclbfii.exe
        
        C:\Windows\system32\Bfclbfii.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Bdgmlj32.exe
        
        C:\Windows\system32\Bdgmlj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Bkaehdoo.exe
        
        C:\Windows\system32\Bkaehdoo.exe
        82⤵
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Bpnnakmf.exe
        
        C:\Windows\system32\Bpnnakmf.exe
        83⤵
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Bdjjaj32.exe
        
        C:\Windows\system32\Bdjjaj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Banjkndi.exe
        
        C:\Windows\system32\Banjkndi.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Cbofbf32.exe
        
        C:\Windows\system32\Cbofbf32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Cgjbcebq.exe
        
        C:\Windows\system32\Cgjbcebq.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Cdncliaj.exe
        
        C:\Windows\system32\Cdncliaj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Cgmoidqn.exe
        
        C:\Windows\system32\Cgmoidqn.exe
        89⤵
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Cabcfm32.exe
        
        C:\Windows\system32\Cabcfm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4276
        
        C:\Windows\SysWOW64\Cccpnefb.exe
        
        C:\Windows\system32\Cccpnefb.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ckkhocgd.exe
        
        C:\Windows\system32\Ckkhocgd.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Cmidknfh.exe
        
        C:\Windows\system32\Cmidknfh.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Ccfmcedp.exe
        
        C:\Windows\system32\Ccfmcedp.exe
        94⤵
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Ckmedbeb.exe
        
        C:\Windows\system32\Ckmedbeb.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Cagmamlo.exe
        
        C:\Windows\system32\Cagmamlo.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Cdeimhkb.exe
        
        C:\Windows\system32\Cdeimhkb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Cgdeicjf.exe
        
        C:\Windows\system32\Cgdeicjf.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\Cmnnfn32.exe
        
        C:\Windows\system32\Cmnnfn32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Ddhfbhip.exe
        
        C:\Windows\system32\Ddhfbhip.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Dkanob32.exe
        
        C:\Windows\system32\Dkanob32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Didnkogg.exe
        
        C:\Windows\system32\Didnkogg.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Dpofhiod.exe
        
        C:\Windows\system32\Dpofhiod.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Dghodc32.exe
        
        C:\Windows\system32\Dghodc32.exe
        104⤵
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Dkdkeaoj.exe
        
        C:\Windows\system32\Dkdkeaoj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Dnbgamnm.exe
        
        C:\Windows\system32\Dnbgamnm.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 424
        107⤵
        Program crash
        
        PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4624 -ip 4624
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adpgkk32.exe

Filesize
352KB

MD5
61a81fdc0f322708e1f9dc0989a6a5fc

SHA1
ba2336d2a46fa50cfc8938b82c710cb9baa09633

SHA256
6e8588231acaabc9a2bb54c2a474cd42a5112b3561678725ae0d0a96a44f032e

SHA512
55c78d8504659ee23ff88aac82873e9a0ad37fde977c2dfcf7bdfcea87705e9ac8bcb54127d6aefa60528167d30d00532f84de12f2562cec9f20aa5d09ca4bfe

Download Submit
C:\Windows\SysWOW64\Ajalaf32.exe

Filesize
352KB

MD5
bf59b628d8f5094a57f1a0c13faec8a5

SHA1
18ca6c1796df6e0ae5fe07e59223b01a7b7332f5

SHA256
01367cd6cc5b40fdbff0475b88d624ddef67cc1de3194a4f979c2d385c7d031f

SHA512
9a1c54367e00645efa7b17b16fcde03b01997645fe8271db7dc47bfb23aebdf9b042523074de0c2abca14d87e43306d1718eab7c931d069a7a5518683a4658e8

Download Submit
C:\Windows\SysWOW64\Amaeca32.exe

Filesize
352KB

MD5
404302e1cb8046c0157fb14571f9ce7e

SHA1
bb2f33e69dd41a87721db05cdec796bfd028dc54

SHA256
651e6dcb4f9ed98def7cd7a82a023bda8613fc2d336cdf745a52ea327e83e403

SHA512
00fb3d7e46f05a1cbf1a4541e0ac6e8d8df68991162ed2b17b4d2c62addeae08b02f66da8e997d96d5dea078757e21b9c226dd6eba4ab4944c512f274dd2d17f

Download Submit
C:\Windows\SysWOW64\Bbedlg32.exe

Filesize
352KB

MD5
3fc1500a4577c5c284c5cf5d9a940859

SHA1
defed4c0302953c08d24b22815ce8b2a97e324b1

SHA256
48463dbba70d2714ea90c13b0904f8e17bd4ad4174e3cb38e2a7abe5d41f142d

SHA512
77661e5eda3a9317a2427a6abd964b40a7334add51461ccdb4728243f284296436eb2626bdb7512880c5407ac5ddf799c3204203674b2356d34ababc0e2e5134

Download Submit
C:\Windows\SysWOW64\Bfclbfii.exe

Filesize
352KB

MD5
22ae980dc2f3658565f4d2fa901ca2e4

SHA1
11b7226b559bfe03e278416e2b67e2a8d84671d0

SHA256
bfb7a59ad3dabcf0668aab489e1ac9e98bf0242c3e692301dc0e671a28f213fe

SHA512
023de46d2f43d89ff7de434af0edb716650b78e76779ec4d4bd12dd084967169b74722975eaddc12c6cc8ff03b96c8de655fb14d9625e08a1d77524a40f6f5b2

Download Submit
C:\Windows\SysWOW64\Bpnnakmf.exe

Filesize
352KB

MD5
633bd8f854c5b91f1940fd434a7c2956

SHA1
45a7a89b044613f3eccc6c6322fe942b2adead9e

SHA256
ad0d83b220cf8da8ba12e699e825cdcabccc44c8fb9d48200835e0fce2ef1b7f

SHA512
84203a4241d461b7fda279f636334defbc74a46fc8aabbed4a24aaf39c05214951fbb34fee7397facdb6fc41f5f46d37b8509ede57d58132494103ef51747b91

Download Submit
C:\Windows\SysWOW64\Cagmamlo.exe

Filesize
352KB

MD5
64b7a6532f084ff50d64a49100f0511d

SHA1
111020e59c34554119c6b89ed9d299eaa6b1085b

SHA256
face3673726c42e432b17f0da9513976d60481db9a185b2616453ef73f427fb8

SHA512
0615dd74cbbcc427585d38c48819d74e405d69788dc4e9cc5dfd90f1f203ae125fa1b9335fb5455096d37095c1e0b8a258467893aac26aa34e2ae3925dc68b0a

Download Submit
C:\Windows\SysWOW64\Cccpnefb.exe

Filesize
352KB

MD5
458964768c097468a6bd12f268ae2e2c

SHA1
8cd67fc67a12ef51aeb550f2651217dae2645628

SHA256
8b369235945e7c7ba7b8ddc393af87ab3aff1aa116f688f36df08baa43d9e93a

SHA512
ee40c33821e0e19b4f7d305b2b1d20c15386b604acd730cef26b69f23e3f4187d68595df4b66ef57326d1a3fc0837696b65359c92ba8cce6c93ca8de2602942f

Download Submit
C:\Windows\SysWOW64\Cdncliaj.exe

Filesize
352KB

MD5
10f7a32370124805c96f680c1e694bda

SHA1
c8cb3c283056394440c31edd337ef405b6bc8474

SHA256
1ec0a322d7489ac0be4c9a4489948383cbac21e61df297a1d82c3d296f6d9b55

SHA512
e721eb35d8c31df875f579324c750685f7251a9b02bde507db6a6d7c8e0a026d66e247b8ed0f496ebcb167d8698027b20727e11cc4744fb901d778897a7167b6

Download Submit
C:\Windows\SysWOW64\Cmidknfh.exe

Filesize
352KB

MD5
b57bfe730937d5377a4f01a82609aeb0

SHA1
bba83d671ee1fe85d71d6c8277bfd8fd20222a81

SHA256
cd758986877dc322af68da1e2179301e2696b970ff66504bcad1d68ab8446e4c

SHA512
bb0f3a9dcb78e6409001314735cbc49b374d9676a331d72e2d185fd7f91fe50dea9b39421046280caabb2bb3ee08bcb406ed04db6348b695f922e9d52be65f7a

Download Submit
C:\Windows\SysWOW64\Cmnnfn32.exe

Filesize
352KB

MD5
46bc360dd44cdc4ce9ad98c1173f3776

SHA1
fd8373199eb062f4be9c2f8f81036033491f9180

SHA256
07d35a2a8542a18c1780b7ec193aaaa78a62641afaf2f4e80753ed3c45ad49f5

SHA512
d66c83e167c5c0b86141af953873ca444e2c510b9f9630a4dc9655bc5d68ba9a9fdb3d1972da661d62a1afd069b1d960ff9e7657995da5daba98888cb406a977

Download Submit
C:\Windows\SysWOW64\Dpofhiod.exe

Filesize
352KB

MD5
f7778a1f131331ecc9292c47ee9d51d4

SHA1
82124786037ffd75f2bdd3c4fdbdc42cdf760a3f

SHA256
321a238d32d302588249cea726adcdf02d185ee8d60be22c916e4b3008381b66

SHA512
87cb8cff8610ed5c0c41968f10655432e868f6b0096c77c596d3dba658762fbfc6f7055380892bf873cd4ad04eb025bdc5480f6b242e8fd24269e6f9cb6df962

Download Submit
C:\Windows\SysWOW64\Jlbefm32.exe

Filesize
352KB

MD5
e1f0be1daac4363007796bb320bfb240

SHA1
ac211decd00b3ca4b54a052b91716a130d0bf4e8

SHA256
d89138f15d3273c51c04698c85ba23823566cdf13dc4df3d8806a294e1633c5d

SHA512
6d2786e98ae851522f784c1164d3d443647cb918f0e52b340ec1f798d4e0e3b30e09dbd2c408d9f6e0af48f4f70800d6cb83e85be835e129914583edc857a998

Download Submit
C:\Windows\SysWOW64\Kcepif32.exe

Filesize
352KB

MD5
10863de22501c28897bac274690e708b

SHA1
f9fa7e2718357fbac0f8b250e4f30e279abee256

SHA256
7072c1220ea3c02e19448c37c69d668b7fa6eb536b5faeb3307688ce906698a5

SHA512
a60ee60b888ff8dd813c79992a5920c581047ab8bc4e55e1241f81de05a64fe0ca4b639e86be67baaac3a35fabc786f90ff1dd5750b3f4ada8839e4466951bd4

Download Submit
C:\Windows\SysWOW64\Kcqgnfbe.exe

Filesize
352KB

MD5
e43204e18f4695a47b85709189f594bc

SHA1
710e343fdf66552f67392a1932812f06662a69ab

SHA256
f477e7c4782c6bce3b3b25163f6c5dc6a8e9130509b26251485b6ca3ba8ae83d

SHA512
1383aa4fd4573dbc50376d176e28a953bcac9d99bfe47314c49722e65a5c522bfd7c39f00cd62c96a6bfae8dc690bb22017adf439f10fffc57a61e386efd9938

Download Submit
C:\Windows\SysWOW64\Kejipb32.exe

Filesize
352KB

MD5
6424be8d3b2203402f7f14a27bddf9bc

SHA1
25d63304a3ce53749aeb7833a6963a9426f52ec1

SHA256
c87d22574e4ecb3f742e2d5be9a3fb99b42d8a67b42388363692d36f299c0688

SHA512
733d30df2e9341367d2c1fbb8528b421a8ba09c42bed7938caf8e3302dfb7742844bc16f0413fc9512ded29a4543e7f9954efb071100a109927d282c90ef82cd

Download Submit
C:\Windows\SysWOW64\Khkban32.exe

Filesize
352KB

MD5
e15cbb07aaacc48dd6c3d74598c4427d

SHA1
c2bcbd8dc3221039a9aa9219a87c615b8cf51ed9

SHA256
d7a75bdae9a6a16d19e0a00f2aea5e487a6460ec41cf81a950480c900388e870

SHA512
236c4f3d5ea389deebfc9e4bc22a2a93772c42a571d27e98ef47cb9bbd63235727ac76a157022a96faf39862087fbb43ba4db787197a21f9f2f4f60c14daefa7

Download Submit
C:\Windows\SysWOW64\Kimlqp32.exe

Filesize
352KB

MD5
3820649595e541eafd0899caac2ef436

SHA1
2abcda7f6b90d757c3b7fc5c45630782d3fdfb6e

SHA256
967519d8bbb4fe594f257929e36148ac1449b36c3a1ec9a7430497e0686f5c60

SHA512
7908b09ad6ffbdd43a2cdc1d56f7d7e4afa8b246e65a3969c7470ce726aaff9ef464f8912ebd34ad542d66bf60290398f715d9559f2c12b947f721d359de8a56

Download Submit
C:\Windows\SysWOW64\Klndbkep.exe

Filesize
352KB

MD5
008b9373fbfc1299beeb58a72309ecea

SHA1
6db08a69edebb00aa421c1c80a0d605eb9883bc0

SHA256
16100fe8f0f2e2ece5a7e83925b3eb74d1d2a379cb6816135def3728ed7b2f90

SHA512
3485d7bd30895a96a4db63286136a9b5a4c00221b6e0f74f6cb82b21c4e62f94b6c9936d72fd0fef8b41754b5e73c1212e5601bbc7edcb450509313606181df8

Download Submit
C:\Windows\SysWOW64\Kpdghkao.exe

Filesize
352KB

MD5
9dbbf0bb69da2a6992c5661052e45da5

SHA1
7b0c6cf6782259a09ecd81398a4472e03fbcd891

SHA256
c5a58732bc9499d975b05de39ffb8c3631320f1e5d543fe7777d85b0e3643fe4

SHA512
5d294bec3140d7c5b3a39a37486338644305cc1f08febdb64ed250e93b9f8f6623fa65431d0c58e7112026bb6c179e4791500cd08f75f81e047d78c0496aff50

Download Submit
C:\Windows\SysWOW64\Kppnmk32.exe

Filesize
352KB

MD5
2a9e1450901410144ed676750dab5eb2

SHA1
f9aac5acb47ef3d7d246c36f7ee7d5bc5c9d50c5

SHA256
d1d9061bd03547fda994212f1a73d747c712522ddc3cd10f74180076d2c6319d

SHA512
3e770f67cbe8e90e8c278d33c1588eaceffee7a5fa6485605b2ae4865b43caab19191058757ed54fa286616ad6e4523ffe7a8be51847f893523b625d3c0d54ce

Download Submit
C:\Windows\SysWOW64\Ladpaakm.exe

Filesize
352KB

MD5
88d221097857e39891dade8cc627644d

SHA1
b671f7a00e4f0e878cc855e3c8108a6c3c0f5526

SHA256
eb9acd188f28072e475b2d33fffcf42584de764530f8e6f13549ceb2c8d89b2e

SHA512
71dda868fa428d17c209a2d23f06585a7094b4a83897b85b12bd3c70328f37b5fdf0f96c94474ceada7c650d55d30105acfe19dc3702c23a6b4baf8a99e49531

Download Submit
C:\Windows\SysWOW64\Lclfjehh.exe

Filesize
352KB

MD5
43f02d130d7db76d5d206cd0de7e11bd

SHA1
e0b16a971d67c4d46783aa70eec517614d24b085

SHA256
7670b6c1f45deea35eb688512528257a1d89895fe71af8bba73f82081de2d138

SHA512
de2001678a8ad28727c9869ca0ae6abccf0b3d7bc1c7269862b74b1eabaa5c49041df41ab208bba70a7ed4d06d7cdbbef466132d1e7c4ec4c8c2c3edf7dc6534

Download Submit
C:\Windows\SysWOW64\Lefika32.exe

Filesize
352KB

MD5
9ee7827829b89047aa4201a407393e14

SHA1
bbdccc06b4c87e2fd431353bd947f028b41e55eb

SHA256
963a1f87e19fd300644bc7247814cf591b234dc162360704eb3bd21c715cd29c

SHA512
d462775925ea0238006c3d8bd871e4513605f7dd9a3e6c25b563b0f7d45641f71d0e87b620fab91bd0cf00be585550ada6399b0d501d6fbb6d0c69cc695c61fc

Download Submit
C:\Windows\SysWOW64\Lekbfpgk.exe

Filesize
352KB

MD5
7ce9242875f52547a6ed5244ce0e6f42

SHA1
5ddcbe8303623ba7043f2e3db33ce1fb1611eab8

SHA256
b32fb7be66b8c18e0e3ed2502242581c359a0742364a357a5d2b95e70e7c4bd9

SHA512
328f202a6ec3d85272b8e1aa5d9909f335a9870a282e93b2b4b3b1a7d41151d0713faecd89f108aea3bb0ac8ff57875e367a1829ca955699c0c67740a95db5db

Download Submit
C:\Windows\SysWOW64\Lhkkhk32.exe

Filesize
352KB

MD5
d88b2f62522f77e6c229599eac0b095d

SHA1
20b14609a5a54a7ec35de6a6d6aa3218e9857d4f

SHA256
91fe831c2cd222e77256c71a3986efb29271a9e7574bbb976a1a6932361c5d45

SHA512
0dbd669a05ea363f12621fc45cf9b9dd9876bd27645812baac31c1545dca10dcc071c837dd6db4f71159c28e4023d2aec354e3543d6392d584da6ecc6a0fef1a

Download Submit
C:\Windows\SysWOW64\Lidbao32.exe

Filesize
352KB

MD5
c08fa64556081ac21bbd1b9715899f60

SHA1
40ecc9e86fc34307a839cc775d7441f37deeac35

SHA256
2f91dc485a44bad3f0d37b7e55f9fea32e986689c75dca296641957af54174cf

SHA512
7c4c3519e0686a06ef1fd9316297c39a0af89f8e62427291e2cb47427bf6d53ec285d9d991b5498946253ca614e576c4e7c602da00ddc1e65dec85793863325d

Download Submit
C:\Windows\SysWOW64\Llidnjkc.exe

Filesize
352KB

MD5
7bcf2b37bae6442893f616a102e20dbb

SHA1
8ef599dd7b641a92d1e406b0b155a4d3903cb373

SHA256
b55f41a19c26f736764d5a5f35e5feb9ace721db76f0b97875ee2b94e48b21c6

SHA512
57aa2cf72bbaf2e3a1ac1b06e91f6e0a540706f359d0a83adfeeb3826e93eb3ea39b2d96712b1d9632328e89cc88d92dd8d8671e3436a8eff7f20ad4b63cee42

Download Submit
C:\Windows\SysWOW64\Mbkfap32.exe

Filesize
352KB

MD5
f3752ebb323594ca073344a4c2a032e9

SHA1
0dbd1076cbc81c3107318686e9695e2039cad1bc

SHA256
843d31c85a919894cc4224c57235816f3eeeb0f82c471177637293e1915f4d10

SHA512
2636190ae8d3339da1c632cda18783776143e5a1b0e8984300a2cf45818d4a5d13a3d749e998dbd059f50feafac90e737110c7f24dfb0172dd08682cdcb44f4d

Download Submit
C:\Windows\SysWOW64\Mfbigo32.exe

Filesize
352KB

MD5
102050e209bb1563a98a3b971fdc3a8b

SHA1
4c34da8383257eb961bf051a9590b168f5e87d0e

SHA256
a96e0fd7be1fb3e688252edd69aed7c9fe70ff7a0c8e0c6af9be876c171a305c

SHA512
32778f39fda1a4ae1f42825972f8a6f943acb333447367b235d29f42b37e67e654041f9d5208664792529f70aec34caf16d15f115e9d05e869acf7f5530d4fa9

Download Submit
C:\Windows\SysWOW64\Mhbaijod.exe

Filesize
352KB

MD5
55a624f4c6b296ebae34386b58e81983

SHA1
c64588d594f7657dc075f30ce7140c4e8f830f62

SHA256
7e1d02278b442e006cf17de083e1b34044103b788fbf151c1da498ca0d7e3300

SHA512
b5c22e0c35d8011587f10ae94722fe64a43c896436379128012c273b8f7d10aff9e3311346c9506f71b7f3552dab2d6d45f3723dacca36a837002bbce58abd8a

Download Submit
C:\Windows\SysWOW64\Mhihii32.exe

Filesize
352KB

MD5
4a92c917827911a759d499c0f0357cbc

SHA1
ad25539a04454492f57a6212275d7f2034a7125e

SHA256
51a4c22795028e3b27ae8aa9a5d7f24024e4063fc0ee19577000a382dd472eb2

SHA512
4a892c3d64ce0c5831619b1f47ce3b66b0c8ab5046c9623744a848ee0ce970bbc596f53b25b5e5d32635ffc0ce984468fb29a5247773678fad92101f6e909e12

Download Submit
C:\Windows\SysWOW64\Mjdkhmcd.exe

Filesize
352KB

MD5
47eb58d1482407b026a9f2145865862e

SHA1
9b2bfdbc6af8a63843c73d0c3e9b2b3667fe12d5

SHA256
6cb3c024b6f797f0cec2924bd3dee5c4e107cc25f00614206b485f7257ee363f

SHA512
88c4b2c12c847b0c51fde1416ba44b0178b17fd19eccb932f51fa678b578f9947a9267ba291259838beb410074d00368631d2eba6494a0fc5c89eefd16e33705

Download Submit
C:\Windows\SysWOW64\Mojmpe32.exe

Filesize
352KB

MD5
c859e04b04c84e9af834fd75d1e62b45

SHA1
46434661bbb58801fc94c1e9761ea876dace4b0f

SHA256
2bba7050512e03c0bc999bb034a1048e02561e132a30a836e4a5b52dd0d48744

SHA512
aae215e88230cda2dba242d8274a0b38a017f4bd9d366bc6513e6d31be4724bf02bc556e6afee273c857834dcddbbb497804ac01da18bb768cad5328ca5f7942

Download Submit
C:\Windows\SysWOW64\Mplfog32.exe

Filesize
352KB

MD5
db887b37c7e39f862464c43b5780f24b

SHA1
6e2d328d8e13a2b7d61461cb449c06ae31e57400

SHA256
d15d163e7885d3db50ccb98bffcd106ae9bd195def4ade276ea2ba4e728ef4c4

SHA512
b43cc0629c6696aa81f2679439bc34562763a427d9c5232fa293c121c98ae1f91cc6c1eb849199c4bb00fe0da79f04d36911918b82e2c7d070b0fcf28bbd7965

Download Submit
C:\Windows\SysWOW64\Mqnceg32.exe

Filesize
352KB

MD5
241ecb51daa6adf47a3564738df669ea

SHA1
d41692483fdb56bfccdea45705feedc266a26e6f

SHA256
7b887fd5c8808ccf63005e1600890360a95f5030b4b622e6ecb724254cd6eb30

SHA512
c5b28db74afef7ba9bd6460e66377a907c023d2ebf839b73703e429b4e3b110a7dfed99098155e29867f990f54c114a242b395e0b8d2c48b017f0233afb59615

Download Submit
C:\Windows\SysWOW64\Nfnhbngf.exe

Filesize
352KB

MD5
471c5adb6e9959a2ada64579bbea6dfc

SHA1
210b1b9e50473f5136c9166b2787db34e0420345

SHA256
f4e20ce19ca890bd19fbedb9f907f7fcf83ea5461e176dd9555f036a96c9f8be

SHA512
c8605b434fe4222ceadba6bc04a4133e325594be6bdaedffc7f66d7525885a495a4cbd1853a5d641bad3a9c854803e38b00e041b8730182dc833e83bec769d35

Download Submit
C:\Windows\SysWOW64\Nfpehmec.exe

Filesize
352KB

MD5
5a4cc7aff070c6fe71f1f4e259fb40cc

SHA1
0e371d2bb1f9b00c3c6ec7376a39d86bb9bb3b25

SHA256
22736d99d44823b119e32071073853fdb88f6994aaa6d9c90d1b615c93cfc4a6

SHA512
5dddf8d2b1f752d26e10729ec5e750e29f3f5dd3c92f01ced19264483347dc36201945b7894f05338338485dbbb452ab9c62b8597f72bc3ff8e5feed7cd648d2

Download Submit
C:\Windows\SysWOW64\Nhnadidg.exe

Filesize
352KB

MD5
498f34eaa5a79118e0d71d79ef677af9

SHA1
ed2d3ffa9b09fd3e635375f2711e5ea695fa6041

SHA256
ffa89a75521c3c27a49a2e5a3ac844d81d87dde2b4744cecd911dfc33b2e48da

SHA512
582e82a9730a2406591a41262f6938c22313f26edd36ed18f32ed2ccfa50f48873385057e7c080a323c69528830600291c76d4a3011c999508b2bcf4c28db12b

Download Submit
C:\Windows\SysWOW64\Njidcl32.exe

Filesize
352KB

MD5
0c736ac91117a0ffae5cd19f3d44a8c7

SHA1
c955d878baa0951aa01cdd83413d33305434f060

SHA256
696a1fee07d024292f0044d6f89dcaf9720f8b418dc18fb4b3a5e2bf61e55818

SHA512
976a20811adaf8791e77ee4e3f046ba83342400aaed812f1ae4b53e32d8c8439067bd761353840ec692e6bc168b913364543466c72dbaad62acd1d5a256cbce4

Download Submit
C:\Windows\SysWOW64\Nmljjgkm.exe

Filesize
352KB

MD5
7a848adf3e7a8e15d316fa92068cb2bc

SHA1
f599a1a4e7fb92102821bd407e8a75aeaefb8a3a

SHA256
75c15050c934b16795be1e938fa00d67417a963119f313c14da008f30c751edb

SHA512
e4395a734f0c1fdbd420ca002105d51870c967995226f7281386e5337ef37d810bda6042549b01de0c96c936a1f98cedde60113df9f8e11776fe20dbaea22a9d

Download Submit
C:\Windows\SysWOW64\Nokfgbja.exe

Filesize
352KB

MD5
dd86d72063613fe85fe4bc7c48fbccf8

SHA1
73f37828b51ff434820c4fb0dd717b76cfce6e62

SHA256
a353a20fee9bcdc8e561f23f40292e649e5146970a6626084c4462433b8ddb1c

SHA512
6dbdde0fa3aa0b288c1798db5acff996e283cf1edc545744f0d9a301dc1dcc26078ac35959e084f9663782ad526dc9198d3ef0eedbccb923b19457011649d98b

Download Submit
C:\Windows\SysWOW64\Nomclbho.exe

Filesize
352KB

MD5
53079f40b77024a10341bdb8948f742c

SHA1
555f0ff08db908dac58e0d8611a6fe0ced0b62b8

SHA256
c0379630f74ade6c08c3fd37f4415f26aafdd6c4609667cce1bbd78a4b70dfea

SHA512
07a19eb78b7dcd49c99dc5bf265bb362cefd656f4d8e183a831644a6f678e102efbd07d9cb96029c920748c40e57762889c2da511be99f7619e75dadf7743402

Download Submit
C:\Windows\SysWOW64\Nqeiefei.exe

Filesize
352KB

MD5
52b7dc57e9a4961319b6ed2bd471ede5

SHA1
bef3b7b80eb507b7ee259ac79d52c884bff78624

SHA256
c66c8a789f44fd81dd369bae0a3cd2d13ddda76d1fe936da855f1b130695ab0e

SHA512
00dffeb406fd85102b5e47a9f421ae676fea6da02fa651e4bfe63ec3a8c49bfccdcdf2b3081f5fad3bcd2693a6f5ea490788900a9243d90d2ac53d65c8d08aac

Download Submit
C:\Windows\SysWOW64\Oilmfg32.exe

Filesize
352KB

MD5
c4b458703c94a0727ef3a71fa7786931

SHA1
933568f6bf01e4f187becc50a551a830731d0a3f

SHA256
7be43fd063fddbdecc1e1c210c7e71a21568deb48de788bc16996cb0d189f1fb

SHA512
f29d4e73e7a6eac375b01368ae4a6b51c1c07969f70ad86d0eccd6b5e150e93aee7f15d19090db9c1eef78d2e0d25271a7ce52b76cf45d0fff5b568dd5d28e45

Download Submit
C:\Windows\SysWOW64\Pajkgc32.exe

Filesize
352KB

MD5
69fd6815d9c9653e54cae9951594b862

SHA1
b7ccdfc4b755e958fb0ba6c57f60059f40029112

SHA256
1ce7b07c94d8cc3db0d14255e24418f88b445f9e58671741d23351a293149d5f

SHA512
904e4851d51daf9880e288152249ebd866bbab2901b2d3dfb1b3510133f408d5b1c3c8db529d27d302f077492cc7cb82de8a1052ec45774067fb0431e159bf2b

Download Submit
C:\Windows\SysWOW64\Pijjgdlg.exe

Filesize
352KB

MD5
1f834a3cb8d64ee561602dab6d50921f

SHA1
a76f5a22ee70ff9ffbedcc44db6bbf758af27cfb

SHA256
db60d7f7c3249156b29af0a755b3f40bbd4ea46e5d2869043691500e405af8af

SHA512
b920b0cf9514cf4e0487ff830c5bf5cf753cbddeb9714a04e813f12a730cf5e8be7cca99987ea86dbef488eace7080a94d146d04bf894e430214fa5653843eb0

Download Submit
C:\Windows\SysWOW64\Pkcajdkd.dll

Filesize
7KB

MD5
33218650e0cfe1ec6326c03a22723900

SHA1
58c6482c33f0efe9f97d8a43c56dfe6df9b7c90d

SHA256
8e749d0c8118f263842dc09f50fd26d1161ab7c2c1f5d5e66b62f8a42eca2c07

SHA512
9300c40dfe53f5681fe4194a7f9e06cdc264bbf90d21a9231e97f952ff20cf574cd7e29f28f19d9fcb8c0f346e62d9da4584f47eecef462b92b422d5804f79bc

Download Submit
C:\Windows\SysWOW64\Qbekejqe.exe

Filesize
352KB

MD5
6d0fb72d6a2bbec5c9d1a04d311bb696

SHA1
c9d94b3a8b69f5ac550c8deb211de2a4981bdc26

SHA256
ed88f21813a4712da7361543f3ac9567c0d15c03287ae16b5879f05f7bd926ae

SHA512
627ddac313599d1ffec391b84794a1896d247622309b97e1e7520616b860302245e1f78d740f1878e7244ae6abef2e04a17e7b80e6825aa2a0de971abfc728d2

Download Submit
C:\Windows\SysWOW64\Qimfmdjd.exe

Filesize
352KB

MD5
d58e7ca23c80c60bc7a121f266086bcd

SHA1
3ae270d7df248f52e7e4c38c5968a20cf7d9cfbe

SHA256
daec63eb2cfbdccaa9fd40e943d0c3ac07996d465d7f4427df391e91d8ca7a2f

SHA512
00c801b90c4f60529ff5a488da8209b7e0f867c6569daffda490537b6a0f84b9ac3fe278a29365582fecbdf987e2070915b57d40691f59b32ba5e79a8738ebcf

Download Submit
memory/224-262-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/316-496-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/396-255-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/440-388-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/532-63-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/624-294-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/688-346-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/808-280-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/904-184-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/920-286-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/948-352-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1028-584-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1044-135-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1116-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1116-558-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1144-231-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1248-597-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1364-452-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1368-151-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1376-191-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1612-552-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1616-454-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1748-39-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1748-579-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1824-394-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1888-310-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1896-545-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1960-368-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1984-532-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2004-207-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2020-442-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2220-298-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2248-490-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2284-167-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2324-268-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2344-87-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2448-572-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2448-32-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2468-228-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2544-104-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-593-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2760-436-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2800-175-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2816-79-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2832-316-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2856-538-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2876-566-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2920-418-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2964-334-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2976-247-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2984-127-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3132-274-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3220-484-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3288-358-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3384-376-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3516-370-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3588-412-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3596-328-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3708-586-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3708-48-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3776-23-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3776-565-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3924-304-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4092-508-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4104-240-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4112-526-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4184-460-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4192-119-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4252-514-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4296-216-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4344-520-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4360-466-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4368-382-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4392-322-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4444-559-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4492-111-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4496-200-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4532-424-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4580-143-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4600-478-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4700-573-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4724-95-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4744-472-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4748-551-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4748-7-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4768-340-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4780-159-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4824-71-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4848-587-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4904-504-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4984-544-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4984-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5004-400-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5012-406-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5060-430-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads