berbew | edf19778991672acbff066ffcb59a9896acdceb9eff6c85a8d11707e604528cd

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edf19778991672acbff066ffcb59a9896acdceb9eff6c85a8d11707e604528cdN.exe
Size

89KB
MD5

b89a4fd8c852d2beaeecec0014b90950
SHA1

4584339cdb469af3aa3054db09252185d4e672b3
SHA256

edf19778991672acbff066ffcb59a9896acdceb9eff6c85a8d11707e604528cd
SHA512

58671de11625703356eabdeb2e337942a702eb9f34e50faaba4ab78306815fcfb10a879d61c8ac61babd72a43ed7565ad377e5de37fed1efd64ec478512248c9
SSDEEP

1536:knFWWzdoPf3CQHoo9ew+BkYJo6rjPABie6gH4rCKQh/JylcvJlExkg8F:u8Pf3CQHoo9eHaYqfYkH4uKY/glcxla4

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klljnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
5112	Jfcbjk32.exe
3816	Jianff32.exe
5088	Jlpkba32.exe
5048	Jehokgge.exe
3600	Jpnchp32.exe
3048	Jblpek32.exe
4888	Jmbdbd32.exe
1060	Kboljk32.exe
3716	Kiidgeki.exe
2752	Klgqcqkl.exe
3976	Kbaipkbi.exe
2052	Kikame32.exe
2032	Kdqejn32.exe
4784	Kebbafoj.exe
4012	Klljnp32.exe
1184	Kbfbkj32.exe
4564	Kipkhdeq.exe
1916	Kpjcdn32.exe
2268	Kbhoqj32.exe
2884	Kmncnb32.exe
5016	Kdgljmcd.exe
1928	Lmppcbjd.exe
2276	Lbmhlihl.exe
3944	Ligqhc32.exe
3112	Lpqiemge.exe
1568	Liimncmf.exe
4804	Ldoaklml.exe
1612	Lljfpnjg.exe
2532	Lgokmgjm.exe
3420	Lllcen32.exe
3988	Mbfkbhpa.exe
3168	Mdehlk32.exe
4724	Mplhql32.exe
4512	Miemjaci.exe
4092	Mgimcebb.exe
4336	Mmbfpp32.exe
988	Mdmnlj32.exe
3264	Menjdbgj.exe
3416	Npcoakfp.exe
3640	Ngmgne32.exe
1372	Nngokoej.exe
3292	Ncdgcf32.exe
1140	Ngpccdlj.exe
3500	Nphhmj32.exe
1624	Ngbpidjh.exe
4708	Nnlhfn32.exe
3300	Npjebj32.exe
2508	Nfgmjqop.exe
3608	Nlaegk32.exe
3444	Ndhmhh32.exe
1480	Nnqbanmo.exe
1896	Olcbmj32.exe
4584	Ogifjcdp.exe
5064	Ojgbfocc.exe
2304	Opakbi32.exe
4484	Ogkcpbam.exe
668	Ojjolnaq.exe
3460	Ognpebpj.exe
1516	Ojllan32.exe
552	Ogpmjb32.exe
4460	Olmeci32.exe
1632	Oddmdf32.exe
8	Ogbipa32.exe
3624	Pqknig32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dakipgan.dll	Kbhoqj32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Kikame32.exe	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Kiidgeki.exe	Kboljk32.exe
File created	C:\Windows\SysWOW64\Nlplhfon.dll	Kikame32.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jianff32.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Nffbangm.dll	Jlpkba32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Kbaipkbi.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Lmppcbjd.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Fhccdhqf.dll	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5680	5592	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edf19778991672acbff066ffcb59a9896acdceb9eff6c85a8d11707e604528cdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehokgge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlpkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdelcpg.dll"	edf19778991672acbff066ffcb59a9896acdceb9eff6c85a8d11707e604528cdN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlpkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jehokgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 5112	1852	edf19778991672acbff066ffcb59a9896acdceb9eff6c85a8d11707e604528cdN.exe	82
PID 1852 wrote to memory of 5112	1852	edf19778991672acbff066ffcb59a9896acdceb9eff6c85a8d11707e604528cdN.exe	82
PID 1852 wrote to memory of 5112	1852	edf19778991672acbff066ffcb59a9896acdceb9eff6c85a8d11707e604528cdN.exe	82
PID 5112 wrote to memory of 3816	5112	Jfcbjk32.exe	83
PID 5112 wrote to memory of 3816	5112	Jfcbjk32.exe	83
PID 5112 wrote to memory of 3816	5112	Jfcbjk32.exe	83
PID 3816 wrote to memory of 5088	3816	Jianff32.exe	84
PID 3816 wrote to memory of 5088	3816	Jianff32.exe	84
PID 3816 wrote to memory of 5088	3816	Jianff32.exe	84
PID 5088 wrote to memory of 5048	5088	Jlpkba32.exe	85
PID 5088 wrote to memory of 5048	5088	Jlpkba32.exe	85
PID 5088 wrote to memory of 5048	5088	Jlpkba32.exe	85
PID 5048 wrote to memory of 3600	5048	Jehokgge.exe	86
PID 5048 wrote to memory of 3600	5048	Jehokgge.exe	86
PID 5048 wrote to memory of 3600	5048	Jehokgge.exe	86
PID 3600 wrote to memory of 3048	3600	Jpnchp32.exe	87
PID 3600 wrote to memory of 3048	3600	Jpnchp32.exe	87
PID 3600 wrote to memory of 3048	3600	Jpnchp32.exe	87
PID 3048 wrote to memory of 4888	3048	Jblpek32.exe	88
PID 3048 wrote to memory of 4888	3048	Jblpek32.exe	88
PID 3048 wrote to memory of 4888	3048	Jblpek32.exe	88
PID 4888 wrote to memory of 1060	4888	Jmbdbd32.exe	89
PID 4888 wrote to memory of 1060	4888	Jmbdbd32.exe	89
PID 4888 wrote to memory of 1060	4888	Jmbdbd32.exe	89
PID 1060 wrote to memory of 3716	1060	Kboljk32.exe	90
PID 1060 wrote to memory of 3716	1060	Kboljk32.exe	90
PID 1060 wrote to memory of 3716	1060	Kboljk32.exe	90
PID 3716 wrote to memory of 2752	3716	Kiidgeki.exe	91
PID 3716 wrote to memory of 2752	3716	Kiidgeki.exe	91
PID 3716 wrote to memory of 2752	3716	Kiidgeki.exe	91
PID 2752 wrote to memory of 3976	2752	Klgqcqkl.exe	92
PID 2752 wrote to memory of 3976	2752	Klgqcqkl.exe	92
PID 2752 wrote to memory of 3976	2752	Klgqcqkl.exe	92
PID 3976 wrote to memory of 2052	3976	Kbaipkbi.exe	93
PID 3976 wrote to memory of 2052	3976	Kbaipkbi.exe	93
PID 3976 wrote to memory of 2052	3976	Kbaipkbi.exe	93
PID 2052 wrote to memory of 2032	2052	Kikame32.exe	94
PID 2052 wrote to memory of 2032	2052	Kikame32.exe	94
PID 2052 wrote to memory of 2032	2052	Kikame32.exe	94
PID 2032 wrote to memory of 4784	2032	Kdqejn32.exe	95
PID 2032 wrote to memory of 4784	2032	Kdqejn32.exe	95
PID 2032 wrote to memory of 4784	2032	Kdqejn32.exe	95
PID 4784 wrote to memory of 4012	4784	Kebbafoj.exe	96
PID 4784 wrote to memory of 4012	4784	Kebbafoj.exe	96
PID 4784 wrote to memory of 4012	4784	Kebbafoj.exe	96
PID 4012 wrote to memory of 1184	4012	Klljnp32.exe	97
PID 4012 wrote to memory of 1184	4012	Klljnp32.exe	97
PID 4012 wrote to memory of 1184	4012	Klljnp32.exe	97
PID 1184 wrote to memory of 4564	1184	Kbfbkj32.exe	98
PID 1184 wrote to memory of 4564	1184	Kbfbkj32.exe	98
PID 1184 wrote to memory of 4564	1184	Kbfbkj32.exe	98
PID 4564 wrote to memory of 1916	4564	Kipkhdeq.exe	99
PID 4564 wrote to memory of 1916	4564	Kipkhdeq.exe	99
PID 4564 wrote to memory of 1916	4564	Kipkhdeq.exe	99
PID 1916 wrote to memory of 2268	1916	Kpjcdn32.exe	100
PID 1916 wrote to memory of 2268	1916	Kpjcdn32.exe	100
PID 1916 wrote to memory of 2268	1916	Kpjcdn32.exe	100
PID 2268 wrote to memory of 2884	2268	Kbhoqj32.exe	101
PID 2268 wrote to memory of 2884	2268	Kbhoqj32.exe	101
PID 2268 wrote to memory of 2884	2268	Kbhoqj32.exe	101
PID 2884 wrote to memory of 5016	2884	Kmncnb32.exe	102
PID 2884 wrote to memory of 5016	2884	Kmncnb32.exe	102
PID 2884 wrote to memory of 5016	2884	Kmncnb32.exe	102
PID 5016 wrote to memory of 1928	5016	Kdgljmcd.exe	103

C:\Users\Admin\AppData\Local\Temp\edf19778991672acbff066ffcb59a9896acdceb9eff6c85a8d11707e604528cdN.exe
"C:\Users\Admin\AppData\Local\Temp\edf19778991672acbff066ffcb59a9896acdceb9eff6c85a8d11707e604528cdN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\Jfcbjk32.exe
  C:\Windows\system32\Jfcbjk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\Jianff32.exe
    C:\Windows\system32\Jianff32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\SysWOW64\Jlpkba32.exe
      C:\Windows\system32\Jlpkba32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
      - C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        64⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2780
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        79⤵
        
        PID:372
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        84⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        93⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        105⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        112⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        113⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        114⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        118⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 420
        119⤵
        Program crash
        
        PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5592 -ip 5592
1⤵
PID:5656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
89KB

MD5
58578cf89397e5baf5642602c067bd68

SHA1
d8f01faada607fa50b997de138ff5f30cfe929f1

SHA256
4e26887c5c7838bbb62aeaf460cac68c056662750e3575643a26e0b580e4b85c

SHA512
93843442a19b92a535b820091f4cfaf9936b9882f176233a66b4056f0153a8ab06b3dbdf564ae171eb71c589e7bdaa4be00d10f2248aa9caaff4e82613064bf4

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
89KB

MD5
d4d042f89f97c2111a819096d8264b07

SHA1
aec1300f7032a35e043dcee4558d8b219e44f676

SHA256
6f0c00d3ac2f0b0e340b7454c9af53344f935296cd8b299d2bc1ee1ebf7e2dd5

SHA512
c518801226b47b06c3c709a0f9f36310b2fc04027bcb3274e39934267d4e50b52f89a8866cb2f71aa3da44e10ea12a33fb7b8ef3a0d22b9ae93a4daf3c258dad

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
89KB

MD5
a7cebea3c72d8c9955bf84e7767af954

SHA1
714eae44a01ba3f55a3b64517ea771961217f888

SHA256
19f1a1267acb9d8c5d12e931a7e5012dc17fea909abd64698368deabc8603024

SHA512
280c2d340eb73d65d8a213b6be4549d9758f91dddc4fe09911b96cd08ea7d9550b39162f7010e05b41e293d6d5e49380f13139e38c5b54b29e8666b9f2700db2

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
89KB

MD5
b364992196a87eb2c279a120723822a6

SHA1
e7defc3eaadae546ff10392b7ebe9ce273539734

SHA256
d2fe37d98858a01eb1c9feef7ae3bb48348b9a65bb7f541c9f4a509425ff0078

SHA512
a66d17004e3146409f5e4f4dc926e7bcd0e6a7ebe386881a3f98e05823d67fd387303849980065f5bc6b03ef9f95053901ba937d8cbb529230bfbb8b5417a896

Download Submit
C:\Windows\SysWOW64\Cdbinofi.dll

Filesize
7KB

MD5
af46df0086a883f37f70463501ca1f1b

SHA1
361bf61dcb18230357cd23a6618286efae9594c4

SHA256
6c8df196be934174e6143645dbb31cf674440cf40732c66d22d59b8dffd29e53

SHA512
62f61b910c0330aaad017568cda2dc0cb717f95929c6b1d2fbe51de1c6cce8d41983d4323b415a999837514f1baa132296a095cf5a94b5f415ac52d2cd7ef8eb

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
89KB

MD5
51f1812d45eb657f1b949afe35b79408

SHA1
5d25bd4f8933be323d842fc5576f3077f13dddef

SHA256
8220bed5f6961a0a3c9cbf237f872421e2a07b0972acee836ff4f6ef18a41a7f

SHA512
d0c1bd480fdbcc031af66722e97df8dc7ce2fa57777c9bdb86479f13677a1ffa512be4164030213f975d62ab49b707ec32399adcbb682c9bbe6a32cb7b9ccf9e

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
89KB

MD5
3587cd99ed7fb0eb79cd5716078aefed

SHA1
172e25f6ef63430389abbb05856c93214e54f06f

SHA256
f89f6ab854ab0eaf4e302f16add3b296c732ccfc3417026246a9f948422105a7

SHA512
a4be4c92bcb8feb210d12d2e4ca04353f694b7237744fea5ba24fcca716b4ac60b4ccb128c24a07607aa26360371b42e63a001fc9a41cbe602b0a2454a71f127

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
89KB

MD5
ce86053488a71d70489741a30e98852e

SHA1
b7877ee3b2e9aad55f7a66d5def072aaf83f4126

SHA256
ef66ef01abdf1aa0c6e46a5a44155bf5f897a10f1349fbff98c7b5daeb471c58

SHA512
b96bc81db43334d969564e167441039bd8e0b2917640c695e1d7873a79802fae389835ef21ef4143b0024ca4790134351d48118410555f4db787d97ba7ed25fd

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
89KB

MD5
681379ee12ad63976cbcb6b55f2f97fa

SHA1
30ba653e56ec791328190dcdd170a61a56de9ed7

SHA256
c4838cd15c9a574db8b7f5aa6b1ba0d8039ca16fb3950ac7b6d3fb86dce02f40

SHA512
d6e1824ae8600195b562d3f5d20b260f7c9b393ee96ae57ec67ea91cca934641c13ed5241896c0d3a673a50f6b7f99f615a36f5d6659946c9d9117db02bf5390

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
89KB

MD5
8b495558d5c8090b4ab8248ef871a887

SHA1
1c891ded820a5158bbb2145f7c9772c5fc6357d2

SHA256
db82c365e6e886876660d3722d9eedaee0e10a59293d5fd964a2afb76003c4c3

SHA512
21225082eab37d88bc9c4445c8ca6466e632e940d415548aba33bb749a97fedc7d3eabd9c746ffd9ab5f550561444caa7e9eed5a00e0ab57f45016e81e0adbd0

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
89KB

MD5
ef84dc605308e852f88bd33dc909edc2

SHA1
03e3ef7b45d546529f3afcc7f5a924a99338e1d3

SHA256
3c0d93acb2e391284d444943cadd8df1901351ad6e537d0be7e7a492ba8169f7

SHA512
0ea124e5b13f082d4542fa38c83b093f04a9b6c9d6d24f780492259583f55215b37bcb303a279eb1de22ae86634f8654063238bf43f9716dc2343a54ab54b717

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
89KB

MD5
3b3b8169a67b6d87444fa8e9c44bdd17

SHA1
72d88987170a33f0e093d2994352581d7df3bb10

SHA256
441a0288cdbc1aefed6929d04818b6ae3bef77602b7d2e2d366caef58c96f5c2

SHA512
1ae195d384534dddbf2f0a50d215acd3075973f5cd0fe496ff17086963b84796b0ee407ff6808b07858a32bf44775e7a9909313f8d55ead1b8572ee6fcb764fe

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
89KB

MD5
f01bb2aa5dd9ab15ebd6f77f26f68244

SHA1
17d81c6a10c6abfc3e84944ee9c7710059707266

SHA256
cdc30224ba170003f7e5675cfbefcc73681a4a3d473b01ab8ac77efab7693489

SHA512
fc34ee3d2bd8e4798f6e9374834b44e117c7fc59ae619f9ab34cf40e129f38835d7162e0052683898099d3f1539d14cf176c58888a2ebe0eb81a04c3ba73bb8d

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
89KB

MD5
f9332aac0025d912740d853967f7ce33

SHA1
a44f2f92facda5c6d2e5e0c2538651fc97493564

SHA256
a0ce61ce863f958ca0f746f8f094b0a445bbae0bae83c4e65cd2b9aa09307e50

SHA512
9ae7866c03cb69e8215e8dcc2d26d64fa6a20777a20176544a6285957b46482fd80fa399d93c6b9c8b7adbf3adc6455a081847d1c22d358746f1d31d86f6d01d

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
89KB

MD5
da465024fa40f9336ad3c30f8bb4688e

SHA1
35db745236a503d7304ea1109a0bd45d28c03435

SHA256
eba4cce51edc50af5942b5e209aaeee1c981287f16d009ca46003a060069f5ae

SHA512
3104f12e54c2fc92867c5ed0af787b47953d7ed95c0adc29f23daa51ffd336051a606eaee904a03612fd6d9a3925be67e53fbf7d2daba1b2c55799971d2335e7

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
89KB

MD5
adbdc991158cda8be49e90a43cce3404

SHA1
c9a3c5ad06ffb624561c32ad285388d2e48e4c92

SHA256
c22a7aae98fe54c6c9823483ccc6d7fbc492be97c823853deb247ec6e92dfd0c

SHA512
24e31fd57bd968c89f6f8ca6c7558370090144454c8abbffea1e61cf20fca0cff7531257460a1f8d10e787f7239b9b7978464328b5c9c89b875ea880ec129647

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
89KB

MD5
c6818192aedeb5a257df287cc0676ade

SHA1
d402a15c2444f0ecea0b4914bd01d10c214eb257

SHA256
a23fd44d185428e44f007001a84ea74e3cfdc480d73a5f1d7bf87bad350510b9

SHA512
1917c872da476f1b2b02db95b412dc2fa96dad377935b98c55b7fe1a38f8b3d4e02c7de601bdcdef0e287c6920515c870757dd3471aa075493f96f7b3779e002

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
89KB

MD5
eee5ef69482bbde1d355838a6de8e313

SHA1
db4dcf438c5a99b1e6b9997d82e2c0644ace3cbe

SHA256
31199641db1d1af24193fb8949d6b3d2c573e2cf69e1ce35ee243f6b398bfd65

SHA512
d2a639e8544ae3d72279e456ef94dd14b874720b16ca0a19d555934e53c61630323887e5c27ca85910a8281e167320a52de81f8e5a6690585e2bf581b0617d61

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
89KB

MD5
68bb93bceb1cf4cb4a6c168b3462ca6d

SHA1
ee236dca4e49fa640c828e38b3c237825af5bcaf

SHA256
5a99b734e9a2b7bbe1ffb666c14630e0ec885a8778ed10ce53164157e7a310b4

SHA512
f4220821736480dc301e4423310960b9231e285aa614028f05ad7954ceaf58e2e25ee80d040e413e8748442c22a361dd29ddc76579e51cf007848034ed87eac7

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
89KB

MD5
dd4a22e8339b5b313eead5d85dac3879

SHA1
5c38da0f5b2926291c7b34c1859ac78e5742b294

SHA256
025c2742d97f757f6f756b717156b564ca10bfb7d777475ca7b19de175ded623

SHA512
5027818c65b9f06c8fe28089cfc0b9b6d7aef1d977e3af51270c199d8303a016983329b289d1d998fd179da9c60ebc01f5efbe94bb3afbc433f56b9953011f99

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
89KB

MD5
79a9d2b7d01af9ce632d29fdf05df29d

SHA1
1e2fc38db5f2b2b9405bca4c27d688cdec68c12d

SHA256
26dc96869b5af3c195c4d05e404f95b58e3dd33ea046466b3a41f8e9b6e6f539

SHA512
bc4a6da500cecc439d85069bdfec0cf59bc46a1ec74489f205923e5f9bf9a04b1bb22a81c49f195d06c14bb1f2fc9e502f45f482d74834eb90b421f701d7f4e7

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
89KB

MD5
8b4aed63b94138c339c7fc6a4f9cd503

SHA1
92c89d494d5c6d62baf5e47fd7524fdf53bb46e7

SHA256
c3485dfad1368b7bf9e4ed7209a8307390977b364f9446fa1844a4dc19f03add

SHA512
79bde9e7e357aaeaf8f2b45a9646cb6a82d871777811d15a3074728521ee8fbe7b480fadd078d5be4b41a214258c80b34de7139a3c7eda137f790378440cce91

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
89KB

MD5
82437f055127664172a7027172250f0c

SHA1
0ae01f0179db6f07fb23945f7a26304deaf26ff0

SHA256
3c3867e322a5801b61ff97cead4e03ffcf857e2c91db530bd0021ba1f9fd7edb

SHA512
3b6106d0d1ca5c3c5d8c16f2557d74c06fe87749140ceb12d1fa7d3ec84a8e8b5ab78fdc1192a4bd878f56005114dfa6c152eca113db91d8750107291d867a82

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
89KB

MD5
e725cac56ed4111c4fec755998651489

SHA1
b1b5d75f3dbda502b9c7f85c3e5965c2660cda5c

SHA256
c272536be701d3a8a8c793aee64c22e881f2b2888cead956a309a076c489f4d4

SHA512
52f821abffe7a2050b8e94fa22420797c9e7db097c3c4a2203547f7533a13300fb40a0c2846548915c7805b5a62606f1919e71951586ff72a127eafeca29d959

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
89KB

MD5
89279334eb20b63109525a7e16d36feb

SHA1
e5c1eba9ca7c8f531d225aa4a4f34431afb12b97

SHA256
578f65538e7b332b29a31d7f1c608eb45c9f7667cac232460833383ae2b0d361

SHA512
0850798421111840ddf44228a00b0ff77e8a13820554be7aecbaab94dd74027957a51ca0c80193b6279b46b153bbecaff5b3d36056b253969628f3f39099dc0e

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
89KB

MD5
d25bd66dd5523f5b9e08ce4bbaf058ab

SHA1
1a7d675014dca642f002b0b76ca283306f65f766

SHA256
a4d23401adf4e6ca64e90c1f26443196364a9ae8b7b44f8b533d86b2317899df

SHA512
70176dd8cf0ced78c09bccbc6612ddfe265a280dead7e2867313e1b3d9dce007778800a79bfd28e139331f98aa5ca436bf60281eeb4be74c54b58f2546bab312

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
89KB

MD5
72cb0394ba864a9a31c739a3660c48a2

SHA1
f73b4b41c3232e41faebeb4a4df0d9d28e81db76

SHA256
56b188d1d9acfeb259c5eb8beebf702f80e54b91195c8c917e2330dbd81b9374

SHA512
5f8961389ad836f3c7c9986ee925b7cbd96a94386b74b217ec5661a149c6c1b2e8f767726deb1f85e806005284d69c963eea51969b8066ab7e0e97457444c609

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
89KB

MD5
07dc2ab76bc09b47b965ea3e44c99840

SHA1
a5835f71b8031b40ea0a88ee58c0d096108eff58

SHA256
9b26ddec35fa6b1e0064491a27bc55818a9d23b7d7b554eaa2d90c62cd87ffed

SHA512
cfe54837fa14c237361ff71c1070f48822dc0831abff4af17865aab4f3bcb6e7bb0671725466918853e3075e977f5d7a3f0c54e69b0cbed111168fc4e08fed65

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
89KB

MD5
41685fc7941b24f3673d3bf6821217d3

SHA1
8d4cb2aefadff7bddba97e072715884111dd90de

SHA256
c4e01a4275499c549adc6cc5d40ee32ff58b61e1c29080b5d1859ffa53ab5aa8

SHA512
ed44140c07c4dbf4fbf6126e95a7d41e7e927c658b2812e2b3d64ea8d58b35ad1fb4662869ab9989d8d41c041dc54fae42795e81e18eef6cbafd43a6e29b3ada

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
89KB

MD5
5812756013376f563f3379955346d3a3

SHA1
d1104414f3ce3d6f7bd9447a474653dbb93cd895

SHA256
5425f8698c71583c3b96bb82101e25f5fdea289f9e4c0cd52b2f8f572a7c402c

SHA512
ba9b15a52f54e51500a4fc9de9ccb4f4dc89cfa22d702133f5839db2bc317703f41923e3f15155f0fdd3d4074264e20cbc5694f299ae71613af2d4e116b4469e

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
89KB

MD5
e90905de001cd9c703dacd64d5db5326

SHA1
37dceaf3fc4e1ff4885ac012d33b0aaab3492589

SHA256
70a0a1aa396b421f2da6610abed0ac27a5261196f216a693382dbaa66288dc7e

SHA512
f471711464d9142d0e85863c99635f5cf61f79d365e52037ae0bec2a5c9bab0247f1123957546092b41799843e9d5d0f2f2eef11cd7e04ff7a38bffacdcad77e

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
89KB

MD5
19ff7fa58cda8466647dcf97271f50e8

SHA1
93ba8c20695f2685ce7cd381048cc23dfbeb8e53

SHA256
802a82afae7fef3c912477a8b4638f290d74b1a4f03853a46e962643bc581eb5

SHA512
82022da3b57bdfb7fc2a5bd0403dfc3234af116e66630b6593c5e5e618b4a336ffe499f457e83f173a8345e848362e6f61b9d65587accfc0469adc0b04669d54

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
64KB

MD5
1c273f4944e56621fa51ff47dd2b0002

SHA1
6291d470193ad988adb4745c852aa053b6fa4b77

SHA256
92ed0496eeaf85cab900b4db84f8bf52b5b345e64910aed5f11e6780b654bc33

SHA512
eb4e32ca6b528153cd5065e59b9788ff0942fd4bf8a12894ca117559392aae59940a324847397e7b35d1185af41cd5629199ee95cd00e0567a75599163f50a02

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
89KB

MD5
f1a7c53188ffc39128dcaff1a6f09277

SHA1
a7d9aaaeaef0eaac032b4e5909b7a4e2f6a933a5

SHA256
aa2ce554ebfe6e5b5c59e351c803f9bd83bbbe134270a8da1f81806182aaec71

SHA512
bf3686ccb1b579a2c949c7b0f99f2eb52527db6f6d09f4a2f5bf7f144987fb3704591d826d573a76398f271a5c4ddf3104e658cab4590401392748c4053b6790

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
89KB

MD5
68fc618037715020825f255f6ed22dbd

SHA1
6d1f55f6ebd49bb9e1be9ea0f7737d2f78668367

SHA256
027d2c774b4ecb3501f5174949a6d8800924e17ce3a88bd95d6cf973296cc481

SHA512
fa51f753f98f363296154a31c1e37944f6ee50e6ce0e94895bbde9fd27f7c27c389f6a120fe3a78731ce03d6b132749bdb250bca050dac55a29c5ff82dd98f51

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
89KB

MD5
18afcb4840a526799d06e21bd8546db9

SHA1
10f54c36975c04c064c72f54b3e36c2ce45b72fc

SHA256
f43d39f111c51ce386f47e8ee9e285f9ff9bbe7fba27f871657484b9827a8458

SHA512
a8a3019e748cc2443d6142aeac535e08de1d61913965e729dfbd38ec3b7673adaf160f449ffd488021c706ac1d30a782b658462126d9595b6746ff6859a39ab3

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
89KB

MD5
683a42c8ea88da1451c503d03eb0eecf

SHA1
55587f4ab31dc10992b59786a4e16440710b2429

SHA256
53442e552ddd3de884ed4db7de5ee621a7c8b109bebb07f61b6fceb20a570d68

SHA512
325c1a4b797f94a8edaa5faf917842b5fc0fd8b9a8f73ad8f8b8d77d316737d93a26266b78fc8f49678c2e9e8210d7b7e753da2266f00983b7f814c0dd58272b

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
89KB

MD5
3e3f9447274217e47033fcba7827c5c3

SHA1
d42c935b037738f8ac293252253df300a6dceb80

SHA256
198c83d6b6d5ad55c3d04f01bda0630544413bbb419f52e2a5576c878b7c9403

SHA512
cf33b59d94e5f8ccaec32a860f3b0f2bce2654f22c326ea1c0ab444f153a38d1d38b268cf5275cdb2ea355da73a536a1b0ec92a7c9127a050df86e3e7d860000

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
89KB

MD5
cdc7862ae1ae5f71d83f1f9d6b98e482

SHA1
1a5467d7aaf86c746980eb9256911915baccdff2

SHA256
1657cf5e1a9f096f723d747be4abdccfaeb385c7056d6af3729c12adfffe36f7

SHA512
444d2e7a355ec9fd2880f49ead8312e853d1444fdd831dff6efe5189348224937ec212ef97c5d70b0ef21c69a53a420ce64335a5c366e2ef920361f5111f1ef5

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
89KB

MD5
6ae888cc45583cdaa74ce0d7833df041

SHA1
c476d5987c630295e02f8ca863e24d62209438a0

SHA256
4a02403d0f3a8eaeb76538a188a363c843fda4e4423fb16fafb2a1af8af8c875

SHA512
6694a9f5b387b2f5cac6dd54a0afa1872fd118b195177dd273efaeef653c20c92e06f34b9d9e40759639001656dd31d3198e7d1a989b006f463a0cc4d7f20363

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
89KB

MD5
4b12225c4602db1a037516d50bddc40d

SHA1
5b916b6e4b490d8152277cabc303501ecdd1aa12

SHA256
3725250eaa9659e755958d0ae996e94680bfd9b1a11a90ef2e8cdd2eb015db88

SHA512
e2f8138916bdf8d236be5dab2160309acb8a63fcdb451a12907002d2313e3e72e1f0f6e914dcd5f03233dbf2aa2ce3ac1c0bf6f53dd9fa8d4fb92bf2e265a887

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
89KB

MD5
82d1b8fb9866a7ee8572f55045b1aeba

SHA1
984b72296427b5dc7eb8c7b1b4cbd8d9ce2e6e12

SHA256
1679853bdd0ea4eb01fb63dbb30a604d648f19092eb1b7dd25215637f218b2d6

SHA512
474dc1c30c60c1b8f4d598870c1fa86105fe3e6a22f8a8246fd2d29774a968160a2f3ea66032e3738c1694cdd3964af00c08fa80f2c45ab83acc6a5c4b10a3a4

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
89KB

MD5
4ca4023fd9b5b5b3a5e662a6af99281c

SHA1
a1db2334f796ea7998fe55e10324e739d19c1529

SHA256
4f4138f2bf379920a8e9bb0042b81016b3875d1236144ed7c7009b540ba9c4db

SHA512
85027fc99c07fc2dec6ef36d6432137413259372f25960799443763b4b8432a7b229b1bd0c1428dbad07799239f005f41f12790500f57bc3e2e870afaf394b3b

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
89KB

MD5
f325236974c58221e69d02c08406432d

SHA1
f71371f04ae7592db8716feae4374cb9f72bc6dc

SHA256
5a158ff472a40213d17493d08baac366bc649125bf73643962208fdcfc8efdf1

SHA512
fb53236cbd50ee551bcf925e9ff31a2f4e89cf57fb9da3da6b52c767073060234c6483b5a9d5be300994a848520d59b97dd925c4bc7f53e7b4578f53e5e3c00d

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
89KB

MD5
f194e8b5e6493f7a615d0857ee1d6ed8

SHA1
b9652d819dbc3f69c8fc4f2f40f548401f977cfe

SHA256
057e28bf852dc07141834042e95209cdd2e00b3484799fd479d5dcae6d3c4f60

SHA512
c844574f1c6a2cccef7a3df86682db3539762ce68241b57d25f5da5590a890a9852c3703ace1b96c61a28fc7c165fbb327000968b4e5c213e49e0cbfe923954e

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
89KB

MD5
3a2523903c2e3c4d681f202b0546ccc9

SHA1
e217c3678715beceafdcdba79fde5cb16fe40c54

SHA256
a44c625dca888870da002ef27eec9396039be53d688655354e2208a143f712db

SHA512
d2fa84c014144fff03cfc4c19a73be1289d48e8d3d4bb01f38ffcd3a3e746de76fdb16288e61e2e7e47d3043c8c8c88445b404461889c611c27f487f0818d812

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
89KB

MD5
32c8c201e5b7bb36d179b2fcb8affb37

SHA1
346b6c68d657f2cd9eab2f390b1e3744ee5d2c8e

SHA256
d605c59f964a92efd57b3ce2c022a3fa48f217413147738c04c6f57241b1d066

SHA512
6a795f930a93d760ffbda0512c09eaac13d0de6b043f0a59dfaa3f5c8e6772a923aca60d41bc48b549708f4fe8f26611d15f3d7a5e15c49649af322d036fa913

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
89KB

MD5
06ae22b825a7db63ac8ddbdc6979bd01

SHA1
703e1e53626abc86c7ffdcc1ada08fa579362f71

SHA256
ea91efd94e6c76736106ea1595ea2f958015e566b4d5b3146be54915c3d262c1

SHA512
0b10ba606608022c583816d92901946823da032fde3edad3a3c83b95de0a07f2cbbe5144828f2c25d52d31018ccd9cc095f476db49b0ce97fdcc66033a21fa87

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
89KB

MD5
a80285d1da255e29e079afc5b6052faa

SHA1
a19008db82fef68379b2548ce78489b4c72bbeb4

SHA256
c0b7457aed8b640d8406a0dc3cbed5e42153caaa924c50dfd26b7f8f8f78deac

SHA512
cc27cba05b57a824af1515ba8eb0a51d6e5adcfae1245cce61a0d7dab042c2adc5536c2afe77efd65067bd2037b68aceef1749dd3c754f57099e347ce082159f

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
89KB

MD5
99b5d93da7964380c00dca300aa9a8c0

SHA1
ce8983ce23f652430f71088f61f9d13f4619cb04

SHA256
a1c66450862f1d99168e6adeaa1f7cac54fa3e8b315c2e34fb1cbc136ccfc141

SHA512
0deec23cada95e7dd1da5217f251d14060d6cab38e994f0fa5f513608bf29bba4b7b3c59622b77ccddfc5afb02a65607d316efd160188aa5fd9197ba021786c3

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
89KB

MD5
d85e2cf51b7098c802e167e166144feb

SHA1
ccc0a43fa8fb1b3490da7d40b8694d7f5eb7dad4

SHA256
4807edef17882b0c73d1ab91fe951ff260a8630ef11f55b85c7e1b321c31786d

SHA512
d334d1ede688b5c3844c862f6807f5c74d3d7d9da79335909fdbd65e4a12d7ea7ea8cfc587e58a96d1ddbace087a87afc1cb20082531ffa454efcae057f23ab9

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
89KB

MD5
40c4ca814e513737c18917a0575c4271

SHA1
795ae3730aaa3b069819ead3d9a4130934a6c216

SHA256
783fb87481a41b2109945e48a80a4e6436efc2d12d0baef01e1ce4ac56353b42

SHA512
1d57a326e66baa6feea3be27072cfa0c34c6f4376a4110d972837cb4f5a3cc68eda26584204596113b3dab5f2948c59884a78ffd19da5fbb6c1fe313c9ad757b

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
89KB

MD5
12666ff4cb89080439f4a115ab44faea

SHA1
7b77379f1248a0902a212b2293daec52b82df6d4

SHA256
36ebe6a604629d83147819d8bd6c9fae65c4e2c61dc817a223d15ddb5fb475f9

SHA512
c67b0480d905f803be35f0e84317e88965c92052a345695a3a031bfdc6786065f361f0a05786f475f850918f2ebe572054a71aee1fd8c7b120169f82623e46ef

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
89KB

MD5
882a3c99a623fcc3e046c75dff772cc2

SHA1
5cf21cbf89353674244a2beabf588e18a1256038

SHA256
0499d23c784e7e9ede12509ed699059e56027c773ab5181649ca1af8825c1e1a

SHA512
031183abdc01de64c848d8472c9922691a1147bc178e4f6a2dd5d3c73a98ceadf8132278415b851b458e41f2e020b6527ace92f8bd159159912f1fdaa62930f4

Download Submit
memory/8-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/316-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/372-532-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/552-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/724-526-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/988-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1064-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1184-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1372-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1480-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-544-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1896-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3112-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-538-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3416-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3644-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3716-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3976-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4960-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-551-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads