berbew | ccdd359875ae5573ba8b4397b269e663e2a30739935897aa5b73a77ebd13daab

Analysis

max time kernel
94s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2024, 01:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccdd359875ae5573ba8b4397b269e663e2a30739935897aa5b73a77ebd13daab.exe
Size

94KB
MD5

5511590b45add607224826ccf5269571
SHA1

194387d5881fce322936c4e7fd32abb95260b803
SHA256

ccdd359875ae5573ba8b4397b269e663e2a30739935897aa5b73a77ebd13daab
SHA512

cca62741b20cc952c56068f4e9c79cdfd9b76387dee912a2c1a0294576c8c5e2aba869a2955b8dd45f2db079a0a8700fa1cc1f497c81331c79c46f180203ee56
SSDEEP

1536:XKBpmG9CAuA86wNViuwwN+3bWEepk195rE7BR9L4DT2EnINU:XKDNCv6wLjw4+3epE95rE6+oZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehokgge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jehokgge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jedeph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3512	Ibcmom32.exe
3448	Jmhale32.exe
4596	Jbeidl32.exe
3992	Jedeph32.exe
5076	Jlnnmb32.exe
2860	Jfcbjk32.exe
3940	Jmmjgejj.exe
4324	Jcgbco32.exe
3584	Jehokgge.exe
3120	Jpnchp32.exe
5052	Jblpek32.exe
936	Jifhaenk.exe
2224	Jcllonma.exe
1464	Kemhff32.exe
4664	Kpbmco32.exe
4424	Kbaipkbi.exe
1912	Kmfmmcbo.exe
4644	Kdqejn32.exe
8	Kfoafi32.exe
2856	Kimnbd32.exe
2816	Kdcbom32.exe
696	Kfankifm.exe
932	Klngdpdd.exe
3596	Kdeoemeg.exe
3948	Kefkme32.exe
4028	Klqcioba.exe
3164	Kdgljmcd.exe
4364	Lbjlfi32.exe
5080	Lmppcbjd.exe
2464	Ldjhpl32.exe
4812	Lekehdgp.exe
216	Lpqiemge.exe
540	Liimncmf.exe
368	Lgmngglp.exe
1208	Lpebpm32.exe
4948	Lebkhc32.exe
4848	Lingibiq.exe
1048	Mbfkbhpa.exe
3132	Mipcob32.exe
3884	Mpjlklok.exe
3844	Mmnldp32.exe
3400	Mdhdajea.exe
4648	Mlcifmbl.exe
3524	Mcmabg32.exe
5040	Mdmnlj32.exe
1556	Miifeq32.exe
2132	Npcoakfp.exe
1216	Ngmgne32.exe
1384	Nngokoej.exe
1716	Npfkgjdn.exe
4160	Ngpccdlj.exe
2832	Nnjlpo32.exe
2040	Ncfdie32.exe
3720	Nloiakho.exe
3440	Ndfqbhia.exe
3688	Ngdmod32.exe
2452	Njciko32.exe
912	Ndhmhh32.exe
4512	Nfjjppmm.exe
860	Nnqbanmo.exe
4384	Oponmilc.exe
4784	Olfobjbg.exe
3288	Opakbi32.exe
3300	Ojjolnaq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Fojhkmkj.dll	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Jedeph32.exe	Jbeidl32.exe
File opened for modification	C:\Windows\SysWOW64\Jmmjgejj.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Gnbinq32.dll	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Eiecmmbf.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Eifbkgjd.dll	Ibcmom32.exe
File created	C:\Windows\SysWOW64\Eeanii32.dll	Jmhale32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Lmppcbjd.exe	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Jehokgge.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Dmamoe32.dll	Jfcbjk32.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Kfoafi32.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Lpebpm32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Iaheeaan.dll	Jedeph32.exe
File opened for modification	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kbaipkbi.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Miifeq32.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Imllie32.dll	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Lmppcbjd.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Ndfqbhia.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5592	5388	WerFault.exe	213

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcmom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnchp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnnmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffbangm.dll"	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqgbjkm.dll"	Jblpek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkhie32.dll"	ccdd359875ae5573ba8b4397b269e663e2a30739935897aa5b73a77ebd13daab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mipcob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lebkhc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 3512	4300	ccdd359875ae5573ba8b4397b269e663e2a30739935897aa5b73a77ebd13daab.exe	83
PID 4300 wrote to memory of 3512	4300	ccdd359875ae5573ba8b4397b269e663e2a30739935897aa5b73a77ebd13daab.exe	83
PID 4300 wrote to memory of 3512	4300	ccdd359875ae5573ba8b4397b269e663e2a30739935897aa5b73a77ebd13daab.exe	83
PID 3512 wrote to memory of 3448	3512	Ibcmom32.exe	84
PID 3512 wrote to memory of 3448	3512	Ibcmom32.exe	84
PID 3512 wrote to memory of 3448	3512	Ibcmom32.exe	84
PID 3448 wrote to memory of 4596	3448	Jmhale32.exe	85
PID 3448 wrote to memory of 4596	3448	Jmhale32.exe	85
PID 3448 wrote to memory of 4596	3448	Jmhale32.exe	85
PID 4596 wrote to memory of 3992	4596	Jbeidl32.exe	86
PID 4596 wrote to memory of 3992	4596	Jbeidl32.exe	86
PID 4596 wrote to memory of 3992	4596	Jbeidl32.exe	86
PID 3992 wrote to memory of 5076	3992	Jedeph32.exe	87
PID 3992 wrote to memory of 5076	3992	Jedeph32.exe	87
PID 3992 wrote to memory of 5076	3992	Jedeph32.exe	87
PID 5076 wrote to memory of 2860	5076	Jlnnmb32.exe	88
PID 5076 wrote to memory of 2860	5076	Jlnnmb32.exe	88
PID 5076 wrote to memory of 2860	5076	Jlnnmb32.exe	88
PID 2860 wrote to memory of 3940	2860	Jfcbjk32.exe	89
PID 2860 wrote to memory of 3940	2860	Jfcbjk32.exe	89
PID 2860 wrote to memory of 3940	2860	Jfcbjk32.exe	89
PID 3940 wrote to memory of 4324	3940	Jmmjgejj.exe	90
PID 3940 wrote to memory of 4324	3940	Jmmjgejj.exe	90
PID 3940 wrote to memory of 4324	3940	Jmmjgejj.exe	90
PID 4324 wrote to memory of 3584	4324	Jcgbco32.exe	91
PID 4324 wrote to memory of 3584	4324	Jcgbco32.exe	91
PID 4324 wrote to memory of 3584	4324	Jcgbco32.exe	91
PID 3584 wrote to memory of 3120	3584	Jehokgge.exe	92
PID 3584 wrote to memory of 3120	3584	Jehokgge.exe	92
PID 3584 wrote to memory of 3120	3584	Jehokgge.exe	92
PID 3120 wrote to memory of 5052	3120	Jpnchp32.exe	93
PID 3120 wrote to memory of 5052	3120	Jpnchp32.exe	93
PID 3120 wrote to memory of 5052	3120	Jpnchp32.exe	93
PID 5052 wrote to memory of 936	5052	Jblpek32.exe	94
PID 5052 wrote to memory of 936	5052	Jblpek32.exe	94
PID 5052 wrote to memory of 936	5052	Jblpek32.exe	94
PID 936 wrote to memory of 2224	936	Jifhaenk.exe	95
PID 936 wrote to memory of 2224	936	Jifhaenk.exe	95
PID 936 wrote to memory of 2224	936	Jifhaenk.exe	95
PID 2224 wrote to memory of 1464	2224	Jcllonma.exe	96
PID 2224 wrote to memory of 1464	2224	Jcllonma.exe	96
PID 2224 wrote to memory of 1464	2224	Jcllonma.exe	96
PID 1464 wrote to memory of 4664	1464	Kemhff32.exe	97
PID 1464 wrote to memory of 4664	1464	Kemhff32.exe	97
PID 1464 wrote to memory of 4664	1464	Kemhff32.exe	97
PID 4664 wrote to memory of 4424	4664	Kpbmco32.exe	98
PID 4664 wrote to memory of 4424	4664	Kpbmco32.exe	98
PID 4664 wrote to memory of 4424	4664	Kpbmco32.exe	98
PID 4424 wrote to memory of 1912	4424	Kbaipkbi.exe	99
PID 4424 wrote to memory of 1912	4424	Kbaipkbi.exe	99
PID 4424 wrote to memory of 1912	4424	Kbaipkbi.exe	99
PID 1912 wrote to memory of 4644	1912	Kmfmmcbo.exe	100
PID 1912 wrote to memory of 4644	1912	Kmfmmcbo.exe	100
PID 1912 wrote to memory of 4644	1912	Kmfmmcbo.exe	100
PID 4644 wrote to memory of 8	4644	Kdqejn32.exe	101
PID 4644 wrote to memory of 8	4644	Kdqejn32.exe	101
PID 4644 wrote to memory of 8	4644	Kdqejn32.exe	101
PID 8 wrote to memory of 2856	8	Kfoafi32.exe	102
PID 8 wrote to memory of 2856	8	Kfoafi32.exe	102
PID 8 wrote to memory of 2856	8	Kfoafi32.exe	102
PID 2856 wrote to memory of 2816	2856	Kimnbd32.exe	103
PID 2856 wrote to memory of 2816	2856	Kimnbd32.exe	103
PID 2856 wrote to memory of 2816	2856	Kimnbd32.exe	103
PID 2816 wrote to memory of 696	2816	Kdcbom32.exe	104

C:\Users\Admin\AppData\Local\Temp\ccdd359875ae5573ba8b4397b269e663e2a30739935897aa5b73a77ebd13daab.exe
"C:\Users\Admin\AppData\Local\Temp\ccdd359875ae5573ba8b4397b269e663e2a30739935897aa5b73a77ebd13daab.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\SysWOW64\Ibcmom32.exe
  C:\Windows\system32\Ibcmom32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\Jmhale32.exe
    C:\Windows\system32\Jmhale32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\SysWOW64\Jbeidl32.exe
      C:\Windows\system32\Jbeidl32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3992
      - C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        41⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4160
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        64⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3004
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        70⤵
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        72⤵
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        73⤵
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        77⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        81⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        89⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        90⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        94⤵
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4304
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        99⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        100⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        104⤵
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        115⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        118⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        121⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        122⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        125⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        131⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        132⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 408
        133⤵
        Program crash
        
        PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5388 -ip 5388
1⤵
PID:5492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
94KB

MD5
0ca22961f6cb5e7c62d4cfbb6d5614fd

SHA1
7b6ee81e41713709643fd83e0aad2360bc6f963e

SHA256
381a296954e92bb513fdbc1e5c4df9ecd5e2690b34c9128da75ea1bc92f22b05

SHA512
39e1e5284dec4c2549a3442368265e1cdc305714a2b7ace7e7c3373f972a014af3268dbfe1da676407731192b4df1f3bf288baa102a0086352a4ae3edc7f0a40

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
94KB

MD5
7097e8c1f786ff328c6ccf7949b97200

SHA1
4f494e80f268d23b02c17ffece19ffdfd73cb7e8

SHA256
a94594f1db171de49d5c6e4cc2e1801de5ae3c2725cd104e14021eb29fef898e

SHA512
24e1a6eb3f526388bf1199a6c5722e6bc20a82d04e21abb399f39796507a6b272085cb3dedd92f7e7b687ef7a03269e462cbda5536ce76057fc21231db159c21

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
94KB

MD5
a86f805e890255f7b1ee01677d6c81de

SHA1
c49cdc37c1c8998b4858dbbbc88b54e975b37551

SHA256
d77d76c214c4cde356c5d10ec67b803113fb55f85a70db3b3b8d9d25a9ec15da

SHA512
21aa5ff7555d5da82f01821fc4923e69d718f8e4f582bf2ed8d8a50a16d16b99bbd45f6e472a0be43c454622d7d9030625246022e06dd0a39e86e412a9fe11d7

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
94KB

MD5
c23c1a5ffe602bf93860f6d85e74a2e4

SHA1
46c4bc7cf03d86149c1b3552d9e37cd7c8ad4ba0

SHA256
c9ae93a465d4a9aed5cd2c3d93ae343e64831b8350976a46eea4f3cf81624dfb

SHA512
8dd29587308adcfca2fa58e167e7807240a4dc0f9a86924697ecc8b730494a9c5e2de7d8c2e1411dd8220a76377d1f0f40422bc8816e320c6c70dcd59178d35b

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
94KB

MD5
4d00ca5fd7dbb57d7e20ca6a9a5ce721

SHA1
ee85094cc8bf9bebbefc98dddd40f022a9283b09

SHA256
7c139de18b7fb045ef75125805261935343e8ec4a441d4c89ec203b722ec737a

SHA512
329e229aacc91bba789319ac59e631b72ce1b60441b1d999aeb052eb3ec63951b1f0e9df990e2ff0e5b36e9095fa65509a348aeff1abb48dba5e166379fa0972

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
94KB

MD5
57dfe99291a714fa2e43e1abcdb32663

SHA1
349d7a0faa26b2b5192025261e3a616b2556c26b

SHA256
6d1a9c920eedef955f02c3651cd1d8da0271df64e87f34e634f59f3ae51b3210

SHA512
b17fbd3fee0f295c92037f65450d4c21f2ae58760f5668726c983386147bd6d9de122bf1156d2af9fd1bb2247fe49adfd12265b88c879c63f90903f40f75443b

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
94KB

MD5
f6d55572c621215e16b954ed2c7a1fa2

SHA1
fa74d90ff313b7d999c93db93b2fcbc826778476

SHA256
1cec038860627909828df0d1966ae19f1c3fc96a5c47596c0c976be0d75104f7

SHA512
f52c8e2b5274f3cac6e533097ecaff11e7c30304a80bb39a584f4d177db0dd4dbc94262f7c72cbe90d425ff79f3975c5f130c4884e988700a811a07aeda648f0

Download Submit
C:\Windows\SysWOW64\Iaheeaan.dll

Filesize
7KB

MD5
215f5bb73ac1569c9c35e5c6757497c5

SHA1
843b21ce4bd525eb6271672315e1b926b0a22d7a

SHA256
0f132a94f3e2f9c0283eb698c41831097e390df993db9a86d010ddf44ce5da2d

SHA512
8f3d02b8bc32a2ef31614cc46052a9ade40f756bbafefd6e29832e9d1fbff1ebeaf9ba239e927e0c2293a909d60a30f82254e1504ac54ab2961a631008a54787

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
94KB

MD5
1c8291d0549ffc82cd61f3dc59d4d3c5

SHA1
db7e17c938cb7129269a8cdcb769177cc550a95d

SHA256
229b76f0802f7e4ab69de1ef3533d80a7d54e1310833f610892ae3b43b37614e

SHA512
af9e99abb6b407d0f0b8736734c25838684cd3a14c5498a8c37dcfe9876f1ab3e02d565af0bda22d56b992a57e0fdb621428481206a03e12cfa926da15a7286e

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
94KB

MD5
836e11db08d47db0df3ce3c0487d60d7

SHA1
b8188c21047adc69c18bad44c4012f6916975b66

SHA256
961ccaf2eb1bc719291a9f2f895c7120eb44f7372aeac4f1f9f7910becef9990

SHA512
2bc3262fff2abda5450acfaa8447fdf6793a60632496cb0e1bb6404736d9e93d1bb406234aa0e46941bade6e0ca0fc93c842d60f9e9ea990df202f9764188634

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
94KB

MD5
252895ba82f92f84688bca20fd592574

SHA1
4a92a21c2ab55e8d716ef6e92d704049644f6649

SHA256
11665825a0b18834d50673803089d9d91ef30731d7550a36f76571a430b97ab5

SHA512
c183133c27b1a8ff916ccffb2e92e789841b5ecaaeee6de1816b402465063f496ca0b653c44be24a7761a50dd5146dcba1a96518c2b0ed96ef25f5dc3f3900cd

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
94KB

MD5
583d5af5adcad66111a5dda745fcf062

SHA1
e8145f4165e1276033632f6fbe474b2f4b752f11

SHA256
0d097dda2869ffcaba2a71e806d73754fb017180963c5160b1d7dc3c3aac18e6

SHA512
f2643cfb71c8806b48e43251c05d05c5bcc68fe0504b3b99e31b550864873e1fb020da9fa9c06ff1683b2d5cf5b8b7aeeeed622933d80d7f26d43638da60044f

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
94KB

MD5
55b7a28fe3b77a95bf3cfaae39df8c73

SHA1
121d9d37fd30d9408e65addb16956c1a92552b2b

SHA256
2254bd8ac62c54d24f623fb1007e15968df5bb228c3a437bfd41d039b58048c8

SHA512
4fb4520b5bfc9f74779a5a6ca8d2970be1e04ea931596b4a841198b9dcfdf909b74ca4c30232c341b598789b2ceb460f4390e41498aaca09425f3ef30acb775a

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
94KB

MD5
7445058d772962a43e7ca613e33ae361

SHA1
77e543fbd3083cd0a4381fba13dd2a7b83a77d04

SHA256
c6c6950e20b0982a5283cc60edda2fdc68d04d823e5307a0e1fc598246950ffc

SHA512
c1ecbff5bfbae4773c26d11f7eb9cd819612c893c7ee65b90f45e418b007501823c5af9e5832797c0da08c84f6f58a4080cfd3ad950faa3cf492947abd2a5897

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
94KB

MD5
09741c6cfa9107166a218148a97269e0

SHA1
50f806d0d6188a821682c8c8c30ed361db81b6c9

SHA256
21ae6bc267de26aa9820041472de372f0b7c532b0af91c3dde1f3590f1869336

SHA512
a7f019e28c76aa9ec0646d8549b20c100d98606edc35249ef3848583d93acbb0109777452beda6a4f9bdaecd1be444bf7e49e49de52f48f7a8a982c0a7b05a17

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
94KB

MD5
6b9b5c087372a2150521758d741ac8ae

SHA1
74a15fa19c7b26022e79c205a2c976ac69ae1b35

SHA256
703c5166628fe87a5853d173432cc2afc6dbb79b9de721b784cdfc55f0c2b55e

SHA512
bac1d3368cadcbcf01a006bc0303b4283a5ae28bd5fb844e3e9c945c2b7a2593d0aaa889a3f2496564c1d95eda9c403c3eaf043183f9f30cfa4766c0e92ffc59

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
94KB

MD5
fcc5bbf05a1421e3184bc388989decc5

SHA1
adae84a7fc8a4762ad835c602291efd71b6b35f6

SHA256
c79a3ea2e52302016ca0f1c55a8e2e10ddfa5d66150c340999d7186d3396e549

SHA512
41168282066dba70cdad564820858f209aaeee0ea126c1adf59bea63c8a56f433fb83fac71b04c408d7189ad7d0139e7baec39e33a9c04efc442aa7decc71ae6

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
94KB

MD5
1a40943de2ed58be04620b2f5b5b21c9

SHA1
3f5b92c6404e8cebdd571660493b18dc7fb2bc32

SHA256
79db7295e63a3ca47ca9b46668c8e6eb36e8230d7af14c51b0039d79d35cd647

SHA512
c5becf29540a49dbeafef77ed44efe41f71e0b83ac492f1c713c0986a3da389ce44c63810cca41171fc21a35e75ce22a14f22373f210ec8d5c3c0d211457fd4b

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
94KB

MD5
15b587bd3305d6358bcd58d86c76d72a

SHA1
33ec18cfcac83561ece1511ca5849b5ec2c3c2e3

SHA256
a458db2a6a65d914e43dc159428aad4f4325b026d797ca85622658c3cecbd811

SHA512
13432604d0d7968139008a5fe59b0c59f505f9120da2c654db541627f827fee168c327dea35a3537c045d964e725abe671b702112a72397420c8f8d5aebb456a

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
94KB

MD5
02e379082a3b7de8197b22f238cfd80a

SHA1
2ebb1d529448a25b0c32870cd4751c2eecbd5c84

SHA256
ebc79d80f4a4211e1b0b90e1b231c1e59927e56dc95bf6c05fc6411bddcf36be

SHA512
04dc61d6429a947d2c09028bc4ac91be0dadcd69519fddfc6a537b8090648715b65bd1aa3613bca3627ce0cc24d21fba60fb68481a3039112c2921189e261407

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
94KB

MD5
46eee6d38ed5bcee3364d88d9233c0ef

SHA1
5b68810b1f20c74b1d3c6996582907aa35f7caf4

SHA256
dd58af28fe4c89ff23bb92ffc92db6fd1acc6f30d844d5ceebcb0d9424198b17

SHA512
60a2bc3900edaa11cd395642168db7694c18533852181388a04c0d29df28441718941157c66d8bc709669f5aa0041603f1058a64e52d04732e9b39dc873d690d

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
94KB

MD5
b046767a7efde5e33c6cd9ea42699816

SHA1
166f65c4471050cc51a2d6612b63724eef07cb75

SHA256
17aa3af27edd23111db68ebfd2101071194539c2b8e5a0658d9c4c3f089c570c

SHA512
1144290bed8f51ac34b686dfc83fefecc1e32fcc5e62389c1c707cc7379c87c98d8a8709d2b248fcb5175f2bea5483c8031c6cc25d45230484c40848a5f5df09

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
94KB

MD5
f8232b66d450a44d0fb60992d00bd096

SHA1
b11cc3b1074c83562835d987b3f428b97bbbf934

SHA256
1af83a833baeb0ed575dd5d5b738ee1b368acaa9957162b33987d334c60abb1e

SHA512
5b74e8f55091bef6bda4be92c85e816a8852f49e90f9de19492d023a1558e80817967f73c98c97a64d7dae30e6cebe1e668f79982b2f135a2f4a928e71d31cf0

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
94KB

MD5
db47261068287120487212956e5fbe09

SHA1
b158767726ffe519321bf9dc7a2620b4441e9daa

SHA256
9089f276d27dec7e86282d2ada48f98318bfcd7c6e9ff018a6a65e747de9a8ef

SHA512
ab417ae4b3808d8be0950c4d928a4191ef383a6a5d80469a12f75092914a38ba1422515a655041240b92dbe8fbc21d209b570102435ed691f6d49f91115a2aae

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
94KB

MD5
9f95338a8a08b95eaf419ba3edf221a3

SHA1
27592618ca687106cdc4f84786f147e657b58697

SHA256
c7bf0186599fd7b02f39d709886a90a7a78dc10dcbaa379d77f3818318cb168b

SHA512
4c5f96d8c250df785193250dd77746862b012ae1aa5166288419d03d479b90227495a16a53facbc03d06c9ffce9c039b0d7e8c8dcc7b76487cc84e527b45722a

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
94KB

MD5
43a103e059e0b31e0a43e56e1be989be

SHA1
ceb0bc0d4d7766a7c862f4b81801d21e7b6cc82e

SHA256
bf6c46c87117966627222383c38776b1af94e16cfe7a50e54f02af2c0b6fc18e

SHA512
dc940a0b16fcb8d0176127171c8d588291b5a7e918903f99b48c0858bbe502abcefea6efd33bf7fbf175e3ecdce0dd83746e5db24e1eafae4e1898b81762cd41

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
94KB

MD5
c2e171741ea413333acc9a12a00f04a0

SHA1
01f0664077adb1738b79bf4ca51b93489dc83be8

SHA256
a35ed22dd170549ac8fd797a376f8398baef5215e84259e031806493abcb8dea

SHA512
ffca70621d1114229863013089aaaeb69cac979216da5f65dfb4531c568b6194d08c745ee3deca4ceeb5cc315c9cbe45b5f19f55a0ca23339da0a5fe2b50c3f7

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
94KB

MD5
377591e402e746f22aed3e4e8d257247

SHA1
a735a33d758fe62032f1ecd88ff8957741f14489

SHA256
d5ba62d813626b7ec6bc19b1e54051e5cbfdfdd3acc7117cd8e871c25a820818

SHA512
90f1c16c265ea774290ef9bf0741b92fa2859440d7d0b7e9733c6caf57886eb973895b6ec030555c92f6d681a8ea272717f899404c1f36b7090d3368349448bd

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
94KB

MD5
0e2206d695f6ea2f3a2d9987d36c7dd3

SHA1
c65792ddc54ca3ebfd7fd84559ddd19d30a5de91

SHA256
67bf7928fc09b749bf459362ae62d02bfcd68ee2c1f42c05fa3be77c536fb4de

SHA512
dae8efb2eed039cc589aadacf6ff8935beea8d2021d505e4e59d306ad08d5a72de4a0b7917d3965b1399c19c9069cec84041bfb5c8e019cdc690501fba6dab47

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
94KB

MD5
55ae2409916a40dc396885949c6f6e71

SHA1
102e382ed77d1eb6031e69239afd29fa652f8ec9

SHA256
78c400046c0f24467e898448ee2a3e2fe5025bd66f05fe06ae14edbbe1003118

SHA512
525bc5e6d7e2be9ff21c715071cac2df479e2427ad1b80aa6b3e947d8c6d2bed9201e4497161494934a1eb2f7f6d73ec0c74e93cfc920791f664cb8f0e7bd233

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
94KB

MD5
7e314b08813b1f97f61f3b86e4d5fb7b

SHA1
86bf4cf30b7a85c9def2244559cfce1911093136

SHA256
519f0385722f99d2a2a0bf267a505acb46040975c46c9f8965061e1108cc90c8

SHA512
563c1bdfc14785e175e1f88e36ef52fc31975612e9f3650653aa71a0446efb839a1d8859a0f4d8863512f3975fb596a0aaecd2cc8eb95660022a4a0d8d71b17c

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
94KB

MD5
bf88c5c4a1492816ee319d1745b14046

SHA1
3089defa15a7c72326a9bbde149dfb7139aa2cb1

SHA256
f9c3f107645409c3a0daa4554c558d64d6ea09810f1e2bfcffc08e214a0542b8

SHA512
5d418fb712e9e1d34552c0b679d388a6999bb0df517b09a4a240050ae9260fe011b4e493cfee5f60bbfd484913a757d9aea8f136c394a97bf8947ffe45eb3cd6

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
94KB

MD5
b2d652841c4718acd8dd7201e894d4aa

SHA1
d1d5a4323fb4642d9a2ae45f669636d3a61bafe0

SHA256
51164f6f455d7502db2bbc7cf6743aa6ac60d75820b4970b86b8ab0a957f2b4f

SHA512
603c625ac07ffccc0f7f3263fc8bd968f8dc324f1049a601b98c1e180e5dc2bb2f26f92082fad9ff2c252e750803e33cb16c22fb13d4ba300f4e7ed466d3e586

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
94KB

MD5
26cbcbaf17b09738f36d6536f20ccaea

SHA1
344d8452540e26161ab492344cfdff9bf3f4785e

SHA256
a803340811dd756690182d4858f8e1a4425c0f03585efb5ddd09d9a9b8a5592c

SHA512
6c4c5c90091c2dfb172b675035db24acd62598dda2650762df30a2e513c21d792677730f97fca6978709a14b5926dbc50177dc8346a8b2415c8bdf5f1f007004

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
94KB

MD5
0497b2efecfccea113cb3019834c4e78

SHA1
3637017bee61d05216c8c07adef66b29bdf7fde7

SHA256
66c77af327ab3fb548bc31cd781e9f7d94a61375173d89a887e17e7675aab06c

SHA512
2f91933bbc13ba27e1685c34ad2e1b717703eb70c6691e2fb9104eba30e411f4666a0c871e4a905c3554dbd5d40a400a85960d0b1cf50281c4357d61c52444c1

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
94KB

MD5
522b3380ba147a454a42a521558d9df9

SHA1
15b30d419c8ef927054bccd28f27e1c87dab2f39

SHA256
d6facdccefe8027a3f1b25a1d9441dee8de1815e481eca2f8e08602e5f666585

SHA512
500f5134e0bbdfae077e96c80a7c431ea521cbf2c86260cc659d9be3bb10bbe1766225f1a0bab5fbf00f32699c7cd035288416a0e1a3e205f32563d0ec2711f3

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
94KB

MD5
0970e1c52d493c700524b7a57502d2ab

SHA1
8d6417aed7e1c3508aa6af164400198580b8ba2b

SHA256
105545ed654c233fa751d6dd9428fbd7c18bd075929d7c149de4980759d578d7

SHA512
f5f0ecd3b177d9bb48beb597dbe36d285adb45d766d41ae36706bd89842f0d42bd9928d9e7f17d87b70bf94c92eaa34a702208d07a07b3c0b1cbb9888fb2ab27

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
94KB

MD5
e8e2b8f1740983ae7a836478c5b736fe

SHA1
b7d480f2955d174517475d6ec8df9e33653c0c66

SHA256
55c860882e07760e6f540cdf9e985c890fb9081a0ed13ba08fa3a093ae1ec11d

SHA512
58a9352a43539ebca4a3f3895fef5427ca0098e4268bd9437b37f3879c21ac1c643b2f4ed594fd2cb4376c7b61f53bed8d0bc6ea6664341a557831a1165bc439

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
94KB

MD5
f3e234587128ab78e8a6fd60308acc43

SHA1
bfc2bf94b2c31e9c7d6560246d041bcf87984f72

SHA256
0a4a4a05912129636231c97b70ba9969bf151fe808947cbb9845d7c369685791

SHA512
60e057808999821c3706885a1ae5ae724fa96a9f5c236bea021bbc95179976474495ccc96ec498dd84b8f1a60573cb70d437a651d11dec0b44d4245600b6649b

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
94KB

MD5
975e99a2dd944f0f53ece3699fd6cf96

SHA1
3a484d8237f96cd202353b489888aba348b6c327

SHA256
b8a6403ac8c122a231a577ceec80b1a2b0a8eb713628ab3956c1e5f0f5917c41

SHA512
edce457184595e6d0be47783203c10afc48d817eea497884fa376c94660654b5d66d762d104d8252fcaf6dff8fc582c279c6116782f1c8a49f9045f1f94b854c

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
94KB

MD5
e74d1fc941fefdaeefd1608375db5be0

SHA1
c9f69f8ba0d445a2721ac12823547ab69260a789

SHA256
a180902ea0d19cb38267ffc03baadba07b7a1550c190795c86d8bbf3a0ac8496

SHA512
58928a65d0967becdede6d4cd490a5a1d8ac6587182ece9ceb597c13cf8fd75b0202b25abe42f57cc2a9e0662f69c6f03494ec72f70e7e39a7cd010e148d85f5

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
94KB

MD5
a88de8606fae4c2e0e14ceaf6af34704

SHA1
067fc5115bfc22df3d9e2167f1023d996c02b70a

SHA256
6229068733b1b423c74a9c8668c1d742bb7eb6fdb43ac1e75015a527ebe5f883

SHA512
4080f214e4c0d4eb00a0b2ebcb0249fd8e6c04a08d9235c146210b7d678bd3db69ba491426735dc0959fcf949c5a6c5b465c4762f64545832649bb23c41c0800

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
94KB

MD5
482c8274da00b448f77451bd62358bb0

SHA1
3b78ff6229783ba40bc9129eefe704e0821bc8ef

SHA256
4de5036f500dbfeb82bce2fa057e8193bddcdb8b1a0fef022dc91c494208ea0e

SHA512
d85257bd7621a02426181deb2fa6214f844f3d260bd07932bce10400bd616ba39e1de828894efb3603bd72f24f0ce3233aa21d69e42d59419bbedb37672041a5

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
94KB

MD5
737da7dfaf6022ea6f6d9e2cf8a41a85

SHA1
02ca49d5b2f4a12ab47166788b062ea4fcda117e

SHA256
e2c6b8bbb6d92fd05c1b7444bd4a0b16b435cdc506ed66d268ab03bb9e20ec8f

SHA512
6d69d3b141958f1f9874f061e5816054766e4618efba973abf49ba733d302fa754c4b81beb0dad5b013441cb50b0d4050ce96e11b74721005e024a353494b147

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
94KB

MD5
af18263568e1c2f35f7e82ee2a3afb82

SHA1
3fc9b9ada07aac5c94af60b13bbaa711dd3e9db1

SHA256
42f1a76c9988b26f364dd0587c37dda4f96983879cdf9c37ebe8e5df392e0870

SHA512
cc5483f76d93cd97a834a3c3f1433a954091311a706b323d2d0e8d7d27dffcaba66fcdc6a4c2ed2dc963a49cd0c3044d4ba934dfd2b39cc589eee057467fbe46

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
94KB

MD5
9f27d83a2ced44ee8ab90ecb6daa83cf

SHA1
1f10be9261924e1e1d40eec7729365d180297bb4

SHA256
c0ec79934c2a1f65594f26e149bd74693a0a9f9ad88567e09b374c74e271712c

SHA512
6ee8b6d573a2858ef845871d47e7e33b77305fb76f0d542018058bc59a2f7411ca986cedd76e6ad5674d3000ad21f7b1cb267c9121d91f1f8102cd9b1f1d2017

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
94KB

MD5
1a816a028028bf1817ff76ab233f9b08

SHA1
b7178e2d36d9a1bbdf076709ec01558d622e263e

SHA256
78ad4f2f7fc47d29a9c73b948a47ca85f955302f81718576c11496e75a904e56

SHA512
ce1d9aa01b4c3ce63b15b723824a85e578d967d37047e42254e9c90eef31e89ea70b29e97225d1c0facbfe276dec4763757400f66898a7c8479524540417e796

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
94KB

MD5
b04ba71f67cf6668e2ce81ca316dd87d

SHA1
3f44e8c0e42a08fdfb25d9b04ca8b36e146a2fa4

SHA256
ad444a81ed5385b140e641b3338392a17727685c76910bbf45336b0c6c6977e4

SHA512
16d98281fdd9170bc6a3ed138d04e9cfd93189821c1ef66e82cf883deaa26a721863cc16d08e4bbee3e2f0698beacb6faf2ee6dc98e3a618e8269b84816ee887

Download Submit
memory/8-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/216-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/368-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/456-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/548-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/696-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/860-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/908-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/912-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/932-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/936-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1208-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1216-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1384-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1460-556-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1556-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1716-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1916-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1948-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-482-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2464-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2816-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3120-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3132-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3288-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3300-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3440-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3448-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3448-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3512-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3512-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3584-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3596-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3712-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3720-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3724-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3760-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3844-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3868-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3884-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3948-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4160-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4300-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4300-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4384-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4472-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4596-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4596-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4644-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4648-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4664-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4692-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4784-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4812-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4948-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5004-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5060-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads