berbew | 334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
Size

352KB
MD5

808e310a971007781627d0dc31f6595c
SHA1

7b4f88029bb44176d4890ffc79f1270422b4a29e
SHA256

334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40
SHA512

429429050a9aa61160f5f89d8f6db3e571a765ff74cbe893c694bbf197c3ad5e3fce3e6d44a037269a6ceb037bfdaa3b284604d13963cded3d72b734aee20b1d
SSDEEP

6144:Y+MLd47gVO3pr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMBhpNFdFf5N:prCZYE6YYBHpd0uD319ZvSntnhp352S7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdeimhkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nocpfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niegehno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmopgdjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pamhmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klkhml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpidfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbnjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khbibm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfplap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajcigf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhfne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pijjgdlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcpphib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpgoinaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajcigf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakmen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdeaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojecok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obbeimaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmoidqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khmogmal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Momjed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aikbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aflfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cikkeppa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Didnkogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcpphib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbpajk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajoplgod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdclgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpljbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lplmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdeimhkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjbhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqolldmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqolldmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aapnip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfdemopq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqhfkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooopbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmdkpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjemfhgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cikkeppa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpofhiod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfknodh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pckdin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adpgkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjjohe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Keocjbai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfifngd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjqckikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidlmcdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aidlmcdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omhifeqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojljpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjemfhgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojljpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmhbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbljmflj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgmoidqn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3108	Jhfifngd.exe
3164	Kifepang.exe
3336	Kppnmk32.exe
3280	Kbnjig32.exe
2160	Khkban32.exe
4012	Keocjbai.exe
4336	Khmogmal.exe
2840	Kafcpc32.exe
1392	Kimlqp32.exe
3612	Klkhml32.exe
2204	Khbibm32.exe
440	Lajmkbcg.exe
4604	Lplmhj32.exe
1724	Lehfqqjn.exe
3240	Lclfjehh.exe
1700	Lemolpei.exe
3420	Lhkkhk32.exe
2920	Lfplap32.exe
2100	Llidnjkc.exe
4180	Mafmfqij.exe
1432	Mhpeckqg.exe
2960	Mfdemopq.exe
916	Momjed32.exe
1568	Mlqjoiek.exe
3912	Mhgkdj32.exe
400	Mbppmoap.exe
1604	Nocpfc32.exe
4360	Nhldoifj.exe
4744	Nfpehmec.exe
2164	Ncdeaa32.exe
3036	Nqhfkf32.exe
2560	Njpjdkig.exe
2200	Nomclbho.exe
848	Nfgkilok.exe
4432	Niegehno.exe
1268	Ooopbb32.exe
1796	Ojecok32.exe
1232	Oqolldmo.exe
2472	Ocmhhplb.exe
5080	Oijqpg32.exe
3520	Oodimaaf.exe
4424	Obbeimaj.exe
2648	Omhifeqp.exe
4768	Ocbacp32.exe
2576	Ojljpi32.exe
688	Oiojkffd.exe
2948	Ocdnhofj.exe
1372	Ojnfei32.exe
3756	Pmmcad32.exe
2740	Pcfknodh.exe
3376	Pjqckikd.exe
2352	Pmopgdjh.exe
4656	Pcihco32.exe
516	Pjcpphib.exe
216	Pamhmb32.exe
4796	Pckdin32.exe
3828	Pjemfhgo.exe
1880	Paoebbol.exe
4008	Pbpajk32.exe
2800	Pijjgdlg.exe
4548	Ppdbdo32.exe
1016	Pfnjqikq.exe
2004	Qmhbmc32.exe
2104	Qpgoinaa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dghodc32.exe	Ddjbhg32.exe
File created	C:\Windows\SysWOW64\Niioeimq.dll	Llidnjkc.exe
File created	C:\Windows\SysWOW64\Oqolldmo.exe	Ojecok32.exe
File opened for modification	C:\Windows\SysWOW64\Pcihco32.exe	Pmopgdjh.exe
File opened for modification	C:\Windows\SysWOW64\Aahhia32.exe	Ajoplgod.exe
File created	C:\Windows\SysWOW64\Oiieag32.dll	Cagmamlo.exe
File created	C:\Windows\SysWOW64\Hodmpq32.dll	Cgdeicjf.exe
File created	C:\Windows\SysWOW64\Oodimaaf.exe	Oijqpg32.exe
File opened for modification	C:\Windows\SysWOW64\Ppdbdo32.exe	Pijjgdlg.exe
File created	C:\Windows\SysWOW64\Hgaacahp.dll	Ppdbdo32.exe
File created	C:\Windows\SysWOW64\Dcidobif.dll	Bffihe32.exe
File created	C:\Windows\SysWOW64\Jedbjneh.dll	Cpljbi32.exe
File opened for modification	C:\Windows\SysWOW64\Digkqn32.exe	Dghodc32.exe
File created	C:\Windows\SysWOW64\Kppnmk32.exe	Kifepang.exe
File opened for modification	C:\Windows\SysWOW64\Mlqjoiek.exe	Momjed32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbacp32.exe	Omhifeqp.exe
File created	C:\Windows\SysWOW64\Pbkefkqi.dll	Pijjgdlg.exe
File opened for modification	C:\Windows\SysWOW64\Cmidknfh.exe	Ckkhocgd.exe
File created	C:\Windows\SysWOW64\Djdeeb32.dll	Cmidknfh.exe
File created	C:\Windows\SysWOW64\Kffdnh32.dll	Jhfifngd.exe
File created	C:\Windows\SysWOW64\Lhhpffdk.dll	Lfplap32.exe
File created	C:\Windows\SysWOW64\Niegehno.exe	Nfgkilok.exe
File created	C:\Windows\SysWOW64\Lbpllpmk.dll	Niegehno.exe
File opened for modification	C:\Windows\SysWOW64\Bjmlme32.exe	Badgdold.exe
File created	C:\Windows\SysWOW64\Bpidfl32.exe	Bjmlme32.exe
File created	C:\Windows\SysWOW64\Cagmamlo.exe	Cgaidd32.exe
File created	C:\Windows\SysWOW64\Gkggppbo.dll	Dmpjlm32.exe
File created	C:\Windows\SysWOW64\Aahhia32.exe	Ajoplgod.exe
File opened for modification	C:\Windows\SysWOW64\Bffihe32.exe	Bbjmggnm.exe
File opened for modification	C:\Windows\SysWOW64\Llidnjkc.exe	Lfplap32.exe
File opened for modification	C:\Windows\SysWOW64\Pmopgdjh.exe	Pjqckikd.exe
File opened for modification	C:\Windows\SysWOW64\Bmbnjo32.exe	Bfhfne32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnfn32.exe	Cgdeicjf.exe
File created	C:\Windows\SysWOW64\Fmejibbn.dll	Didnkogg.exe
File opened for modification	C:\Windows\SysWOW64\Lhkkhk32.exe	Lemolpei.exe
File created	C:\Windows\SysWOW64\Llidnjkc.exe	Lfplap32.exe
File created	C:\Windows\SysWOW64\Jnaalnce.dll	Nomclbho.exe
File created	C:\Windows\SysWOW64\Qddcfahj.dll	Pbpajk32.exe
File created	C:\Windows\SysWOW64\Opejfjch.dll	Bakmen32.exe
File opened for modification	C:\Windows\SysWOW64\Dpofhiod.exe	Dmpjlm32.exe
File opened for modification	C:\Windows\SysWOW64\Aikbnb32.exe	Aflfag32.exe
File created	C:\Windows\SysWOW64\Bakmen32.exe	Bffihe32.exe
File opened for modification	C:\Windows\SysWOW64\Cdclgh32.exe	Cmidknfh.exe
File created	C:\Windows\SysWOW64\Dnbgamnm.exe	Digkqn32.exe
File created	C:\Windows\SysWOW64\Ppedgp32.dll	Cdncliaj.exe
File created	C:\Windows\SysWOW64\Cpeead32.dll	Cpedajgo.exe
File opened for modification	C:\Windows\SysWOW64\Kppnmk32.exe	Kifepang.exe
File opened for modification	C:\Windows\SysWOW64\Kbnjig32.exe	Kppnmk32.exe
File created	C:\Windows\SysWOW64\Eckbob32.dll	Kbnjig32.exe
File created	C:\Windows\SysWOW64\Fholda32.dll	Ocdnhofj.exe
File created	C:\Windows\SysWOW64\Pckdin32.exe	Pamhmb32.exe
File created	C:\Windows\SysWOW64\Mgmddk32.dll	Aikbnb32.exe
File created	C:\Windows\SysWOW64\Digabjai.dll	Kifepang.exe
File opened for modification	C:\Windows\SysWOW64\Kafcpc32.exe	Khmogmal.exe
File created	C:\Windows\SysWOW64\Dmpjlm32.exe	Didnkogg.exe
File opened for modification	C:\Windows\SysWOW64\Kifepang.exe	Jhfifngd.exe
File created	C:\Windows\SysWOW64\Necgdk32.dll	Mhgkdj32.exe
File created	C:\Windows\SysWOW64\Nqhfkf32.exe	Ncdeaa32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdnhofj.exe	Oiojkffd.exe
File created	C:\Windows\SysWOW64\Qfqgfh32.exe	Qpgoinaa.exe
File created	C:\Windows\SysWOW64\Mbbpjgfm.dll	Cmnnfn32.exe
File created	C:\Windows\SysWOW64\Mafmfqij.exe	Llidnjkc.exe
File created	C:\Windows\SysWOW64\Iljnongi.dll	Oijqpg32.exe
File created	C:\Windows\SysWOW64\Fgmfbj32.dll	Omhifeqp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5376	5192	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjdqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjohcdab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjbhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqolldmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijjgdlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjjlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdeaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcdgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffihe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnbgamnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njpjdkig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omhifeqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojnfei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplmhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhgkdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomclbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmhhplb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aikbnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbjmggnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajcigf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llidnjkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlqjoiek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjemfhgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdncliaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dghodc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgkilok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojecok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Appapm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kifepang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmopgdjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmpjlm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdbdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbnjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnjig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khmogmal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmcad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagmamlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajmkbcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obbeimaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfknodh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdlfgicm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mafmfqij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apndjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflfag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Badgdold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiojkffd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pamhmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aapnip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Momjed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpehmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhkkhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aahhia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adpgkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpidfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpofhiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cikkeppa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kafcpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmhbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmoidqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjjohe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmidknfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lehfqqjn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lemolpei.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfdemopq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pamhmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pijjgdlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfqgfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhfifngd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqqnfpqb.dll"	Kimlqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lehfqqjn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llidnjkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmpjlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhmggcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhejh32.dll"	Adpgkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgnlcdn.dll"	Bbjmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhfne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbodjj32.dll"	Nfpehmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcfknodh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccfqg32.dll"	Cgmoidqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcdgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblanggg.dll"	Cgaidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Didnkogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llidnjkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niegehno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhpboedn.dll"	Ooopbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oodimaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnfhcjq.dll"	Njpjdkig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfgkilok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaacahp.dll"	Ppdbdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aapnip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lehfqqjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlqjoiek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neelfb32.dll"	Nocpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmmhpilh.dll"	Nqhfkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpidfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffihe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhkkhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddcfahj.dll"	Pbpajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmabfe32.dll"	Afjjlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbnjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqhfkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjqckikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgfbied.dll"	Pjemfhgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbpjgfm.dll"	Cmnnfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klkhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aahhia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adpgkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kellfi32.dll"	Bdlfgicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhpeckqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbljmflj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbnjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagmamlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khkban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khbibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhhpffdk.dll"	Lfplap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmhbmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjjohe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjohcdab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffihe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjmdlap.dll"	Mlqjoiek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oodimaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcfknodh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbpajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdnhofj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmomhoc.dll"	Ojnfei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Paoebbol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpopgj32.dll"	Bmbnjo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3108	2124	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe	82
PID 2124 wrote to memory of 3108	2124	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe	82
PID 2124 wrote to memory of 3108	2124	334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe	82
PID 3108 wrote to memory of 3164	3108	Jhfifngd.exe	83
PID 3108 wrote to memory of 3164	3108	Jhfifngd.exe	83
PID 3108 wrote to memory of 3164	3108	Jhfifngd.exe	83
PID 3164 wrote to memory of 3336	3164	Kifepang.exe	84
PID 3164 wrote to memory of 3336	3164	Kifepang.exe	84
PID 3164 wrote to memory of 3336	3164	Kifepang.exe	84
PID 3336 wrote to memory of 3280	3336	Kppnmk32.exe	85
PID 3336 wrote to memory of 3280	3336	Kppnmk32.exe	85
PID 3336 wrote to memory of 3280	3336	Kppnmk32.exe	85
PID 3280 wrote to memory of 2160	3280	Kbnjig32.exe	86
PID 3280 wrote to memory of 2160	3280	Kbnjig32.exe	86
PID 3280 wrote to memory of 2160	3280	Kbnjig32.exe	86
PID 2160 wrote to memory of 4012	2160	Khkban32.exe	87
PID 2160 wrote to memory of 4012	2160	Khkban32.exe	87
PID 2160 wrote to memory of 4012	2160	Khkban32.exe	87
PID 4012 wrote to memory of 4336	4012	Keocjbai.exe	88
PID 4012 wrote to memory of 4336	4012	Keocjbai.exe	88
PID 4012 wrote to memory of 4336	4012	Keocjbai.exe	88
PID 4336 wrote to memory of 2840	4336	Khmogmal.exe	89
PID 4336 wrote to memory of 2840	4336	Khmogmal.exe	89
PID 4336 wrote to memory of 2840	4336	Khmogmal.exe	89
PID 2840 wrote to memory of 1392	2840	Kafcpc32.exe	90
PID 2840 wrote to memory of 1392	2840	Kafcpc32.exe	90
PID 2840 wrote to memory of 1392	2840	Kafcpc32.exe	90
PID 1392 wrote to memory of 3612	1392	Kimlqp32.exe	91
PID 1392 wrote to memory of 3612	1392	Kimlqp32.exe	91
PID 1392 wrote to memory of 3612	1392	Kimlqp32.exe	91
PID 3612 wrote to memory of 2204	3612	Klkhml32.exe	92
PID 3612 wrote to memory of 2204	3612	Klkhml32.exe	92
PID 3612 wrote to memory of 2204	3612	Klkhml32.exe	92
PID 2204 wrote to memory of 440	2204	Khbibm32.exe	93
PID 2204 wrote to memory of 440	2204	Khbibm32.exe	93
PID 2204 wrote to memory of 440	2204	Khbibm32.exe	93
PID 440 wrote to memory of 4604	440	Lajmkbcg.exe	94
PID 440 wrote to memory of 4604	440	Lajmkbcg.exe	94
PID 440 wrote to memory of 4604	440	Lajmkbcg.exe	94
PID 4604 wrote to memory of 1724	4604	Lplmhj32.exe	95
PID 4604 wrote to memory of 1724	4604	Lplmhj32.exe	95
PID 4604 wrote to memory of 1724	4604	Lplmhj32.exe	95
PID 1724 wrote to memory of 3240	1724	Lehfqqjn.exe	96
PID 1724 wrote to memory of 3240	1724	Lehfqqjn.exe	96
PID 1724 wrote to memory of 3240	1724	Lehfqqjn.exe	96
PID 3240 wrote to memory of 1700	3240	Lclfjehh.exe	97
PID 3240 wrote to memory of 1700	3240	Lclfjehh.exe	97
PID 3240 wrote to memory of 1700	3240	Lclfjehh.exe	97
PID 1700 wrote to memory of 3420	1700	Lemolpei.exe	98
PID 1700 wrote to memory of 3420	1700	Lemolpei.exe	98
PID 1700 wrote to memory of 3420	1700	Lemolpei.exe	98
PID 3420 wrote to memory of 2920	3420	Lhkkhk32.exe	99
PID 3420 wrote to memory of 2920	3420	Lhkkhk32.exe	99
PID 3420 wrote to memory of 2920	3420	Lhkkhk32.exe	99
PID 2920 wrote to memory of 2100	2920	Lfplap32.exe	100
PID 2920 wrote to memory of 2100	2920	Lfplap32.exe	100
PID 2920 wrote to memory of 2100	2920	Lfplap32.exe	100
PID 2100 wrote to memory of 4180	2100	Llidnjkc.exe	101
PID 2100 wrote to memory of 4180	2100	Llidnjkc.exe	101
PID 2100 wrote to memory of 4180	2100	Llidnjkc.exe	101
PID 4180 wrote to memory of 1432	4180	Mafmfqij.exe	102
PID 4180 wrote to memory of 1432	4180	Mafmfqij.exe	102
PID 4180 wrote to memory of 1432	4180	Mafmfqij.exe	102
PID 1432 wrote to memory of 2960	1432	Mhpeckqg.exe	103

C:\Users\Admin\AppData\Local\Temp\334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe
"C:\Users\Admin\AppData\Local\Temp\334874c8efca5fd5c0f783275ff42df451a6db1c3c79da3cf2957358db2e5a40.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\Jhfifngd.exe
  C:\Windows\system32\Jhfifngd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\Kifepang.exe
    C:\Windows\system32\Kifepang.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\SysWOW64\Kppnmk32.exe
      C:\Windows\system32\Kppnmk32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Windows\SysWOW64\Kbnjig32.exe
        
        C:\Windows\system32\Kbnjig32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Windows\SysWOW64\Khkban32.exe
        
        C:\Windows\system32\Khkban32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Keocjbai.exe
        
        C:\Windows\system32\Keocjbai.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Khmogmal.exe
        
        C:\Windows\system32\Khmogmal.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Kafcpc32.exe
        
        C:\Windows\system32\Kafcpc32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Kimlqp32.exe
        
        C:\Windows\system32\Kimlqp32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Klkhml32.exe
        
        C:\Windows\system32\Klkhml32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Khbibm32.exe
        
        C:\Windows\system32\Khbibm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Lajmkbcg.exe
        
        C:\Windows\system32\Lajmkbcg.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Lplmhj32.exe
        
        C:\Windows\system32\Lplmhj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Lehfqqjn.exe
        
        C:\Windows\system32\Lehfqqjn.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Lclfjehh.exe
        
        C:\Windows\system32\Lclfjehh.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Lemolpei.exe
        
        C:\Windows\system32\Lemolpei.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Lhkkhk32.exe
        
        C:\Windows\system32\Lhkkhk32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Lfplap32.exe
        
        C:\Windows\system32\Lfplap32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Llidnjkc.exe
        
        C:\Windows\system32\Llidnjkc.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Mafmfqij.exe
        
        C:\Windows\system32\Mafmfqij.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Mhpeckqg.exe
        
        C:\Windows\system32\Mhpeckqg.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Mfdemopq.exe
        
        C:\Windows\system32\Mfdemopq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Momjed32.exe
        
        C:\Windows\system32\Momjed32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Mlqjoiek.exe
        
        C:\Windows\system32\Mlqjoiek.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Mhgkdj32.exe
        
        C:\Windows\system32\Mhgkdj32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Mbppmoap.exe
        
        C:\Windows\system32\Mbppmoap.exe
        27⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Nocpfc32.exe
        
        C:\Windows\system32\Nocpfc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Nhldoifj.exe
        
        C:\Windows\system32\Nhldoifj.exe
        29⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Nfpehmec.exe
        
        C:\Windows\system32\Nfpehmec.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Ncdeaa32.exe
        
        C:\Windows\system32\Ncdeaa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Nqhfkf32.exe
        
        C:\Windows\system32\Nqhfkf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Njpjdkig.exe
        
        C:\Windows\system32\Njpjdkig.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Nomclbho.exe
        
        C:\Windows\system32\Nomclbho.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Nfgkilok.exe
        
        C:\Windows\system32\Nfgkilok.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Niegehno.exe
        
        C:\Windows\system32\Niegehno.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Ooopbb32.exe
        
        C:\Windows\system32\Ooopbb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Ojecok32.exe
        
        C:\Windows\system32\Ojecok32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Oqolldmo.exe
        
        C:\Windows\system32\Oqolldmo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Ocmhhplb.exe
        
        C:\Windows\system32\Ocmhhplb.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Oijqpg32.exe
        
        C:\Windows\system32\Oijqpg32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Oodimaaf.exe
        
        C:\Windows\system32\Oodimaaf.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Obbeimaj.exe
        
        C:\Windows\system32\Obbeimaj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Omhifeqp.exe
        
        C:\Windows\system32\Omhifeqp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Ocbacp32.exe
        
        C:\Windows\system32\Ocbacp32.exe
        45⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Ojljpi32.exe
        
        C:\Windows\system32\Ojljpi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Oiojkffd.exe
        
        C:\Windows\system32\Oiojkffd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Ocdnhofj.exe
        
        C:\Windows\system32\Ocdnhofj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Ojnfei32.exe
        
        C:\Windows\system32\Ojnfei32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Pmmcad32.exe
        
        C:\Windows\system32\Pmmcad32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Pcfknodh.exe
        
        C:\Windows\system32\Pcfknodh.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Pjqckikd.exe
        
        C:\Windows\system32\Pjqckikd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Pmopgdjh.exe
        
        C:\Windows\system32\Pmopgdjh.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Pcihco32.exe
        
        C:\Windows\system32\Pcihco32.exe
        54⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Pjcpphib.exe
        
        C:\Windows\system32\Pjcpphib.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\Pamhmb32.exe
        
        C:\Windows\system32\Pamhmb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Pckdin32.exe
        
        C:\Windows\system32\Pckdin32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Pjemfhgo.exe
        
        C:\Windows\system32\Pjemfhgo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Paoebbol.exe
        
        C:\Windows\system32\Paoebbol.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Pbpajk32.exe
        
        C:\Windows\system32\Pbpajk32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Pijjgdlg.exe
        
        C:\Windows\system32\Pijjgdlg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Ppdbdo32.exe
        
        C:\Windows\system32\Ppdbdo32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Pfnjqikq.exe
        
        C:\Windows\system32\Pfnjqikq.exe
        63⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\Qmhbmc32.exe
        
        C:\Windows\system32\Qmhbmc32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Qpgoinaa.exe
        
        C:\Windows\system32\Qpgoinaa.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Qfqgfh32.exe
        
        C:\Windows\system32\Qfqgfh32.exe
        66⤵
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Qmkobbpk.exe
        
        C:\Windows\system32\Qmkobbpk.exe
        67⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Qcdgom32.exe
        
        C:\Windows\system32\Qcdgom32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Ajoplgod.exe
        
        C:\Windows\system32\Ajoplgod.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Aahhia32.exe
        
        C:\Windows\system32\Aahhia32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Abjdqi32.exe
        
        C:\Windows\system32\Abjdqi32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Aidlmcdl.exe
        
        C:\Windows\system32\Aidlmcdl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:324
        
        C:\Windows\SysWOW64\Apndjm32.exe
        
        C:\Windows\system32\Apndjm32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\Afhmggcf.exe
        
        C:\Windows\system32\Afhmggcf.exe
        74⤵
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Ajcigf32.exe
        
        C:\Windows\system32\Ajcigf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Appapm32.exe
        
        C:\Windows\system32\Appapm32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Afjjlg32.exe
        
        C:\Windows\system32\Afjjlg32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Aihfhb32.exe
        
        C:\Windows\system32\Aihfhb32.exe
        78⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\Aapnip32.exe
        
        C:\Windows\system32\Aapnip32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Aflfag32.exe
        
        C:\Windows\system32\Aflfag32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\Aikbnb32.exe
        
        C:\Windows\system32\Aikbnb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Adpgkk32.exe
        
        C:\Windows\system32\Adpgkk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Bjjohe32.exe
        
        C:\Windows\system32\Bjjohe32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Badgdold.exe
        
        C:\Windows\system32\Badgdold.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Bjmlme32.exe
        
        C:\Windows\system32\Bjmlme32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Bpidfl32.exe
        
        C:\Windows\system32\Bpidfl32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Bjohcdab.exe
        
        C:\Windows\system32\Bjohcdab.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Bbjmggnm.exe
        
        C:\Windows\system32\Bbjmggnm.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Bffihe32.exe
        
        C:\Windows\system32\Bffihe32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Bakmen32.exe
        
        C:\Windows\system32\Bakmen32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3340
        
        C:\Windows\SysWOW64\Bbljmflj.exe
        
        C:\Windows\system32\Bbljmflj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Bfhfne32.exe
        
        C:\Windows\system32\Bfhfne32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Bmbnjo32.exe
        
        C:\Windows\system32\Bmbnjo32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Bdlfgicm.exe
        
        C:\Windows\system32\Bdlfgicm.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Cgjbcebq.exe
        
        C:\Windows\system32\Cgjbcebq.exe
        95⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Cmdkpo32.exe
        
        C:\Windows\system32\Cmdkpo32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1380
        
        C:\Windows\SysWOW64\Cdncliaj.exe
        
        C:\Windows\system32\Cdncliaj.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Cgmoidqn.exe
        
        C:\Windows\system32\Cgmoidqn.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Cikkeppa.exe
        
        C:\Windows\system32\Cikkeppa.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Cpedajgo.exe
        
        C:\Windows\system32\Cpedajgo.exe
        100⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Cccpnefb.exe
        
        C:\Windows\system32\Cccpnefb.exe
        101⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Ckkhocgd.exe
        
        C:\Windows\system32\Ckkhocgd.exe
        102⤵
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Cmidknfh.exe
        
        C:\Windows\system32\Cmidknfh.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Cdclgh32.exe
        
        C:\Windows\system32\Cdclgh32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3684
        
        C:\Windows\SysWOW64\Cgaidd32.exe
        
        C:\Windows\system32\Cgaidd32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Cagmamlo.exe
        
        C:\Windows\system32\Cagmamlo.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Cdeimhkb.exe
        
        C:\Windows\system32\Cdeimhkb.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:388
        
        C:\Windows\SysWOW64\Cgdeicjf.exe
        
        C:\Windows\system32\Cgdeicjf.exe
        108⤵
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\Cmnnfn32.exe
        
        C:\Windows\system32\Cmnnfn32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Cpljbi32.exe
        
        C:\Windows\system32\Cpljbi32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:996
        
        C:\Windows\SysWOW64\Dckfnd32.exe
        
        C:\Windows\system32\Dckfnd32.exe
        111⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Didnkogg.exe
        
        C:\Windows\system32\Didnkogg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Dmpjlm32.exe
        
        C:\Windows\system32\Dmpjlm32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Dpofhiod.exe
        
        C:\Windows\system32\Dpofhiod.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:612
        
        C:\Windows\SysWOW64\Ddjbhg32.exe
        
        C:\Windows\system32\Ddjbhg32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Dghodc32.exe
        
        C:\Windows\system32\Dghodc32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Digkqn32.exe
        
        C:\Windows\system32\Digkqn32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Dnbgamnm.exe
        
        C:\Windows\system32\Dnbgamnm.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 412
        119⤵
        Program crash
        
        PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5192 -ip 5192
1⤵
PID:5328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adpgkk32.exe

Filesize
352KB

MD5
72e9d647dbfd213dab0ebf8e6680aef0

SHA1
5727038d82299559403e97db3040e5b5f09f1def

SHA256
78a6cbabd35189b3066bf3c858264be6917a91b3d5df1febfe1099b94acc9114

SHA512
59681c19fa889056c1184a5786e72466df7a2147df099a5e55fc0cb04a3ad5cde64386db727428ba3fdbe88986127f5506a8754e172ed248853738f82aea89d6

Download Submit
C:\Windows\SysWOW64\Afjjlg32.exe

Filesize
352KB

MD5
7056585305b746ddcda5a67aeb267720

SHA1
9557a04c5a47036730b2a66a0e4f69d8fb93f331

SHA256
8a21b61f705c43dbb1bf92781c9578f66cd94c27a725c038904a03682c976725

SHA512
a7271d518f6ded5476edbd530c8ecf94eac87ca8691ec4b67207b3e6b7de4075c091b31405c646c55745a5e938ce1e933cc684812fe25c5c9f2099a0e2ae0c19

Download Submit
C:\Windows\SysWOW64\Bakmen32.exe

Filesize
352KB

MD5
586e035b36b42b308fedf5953b5af542

SHA1
37ac25215fc0e30d861356a8c34dd20852ae9ade

SHA256
49e8fad6a69805e6f87e4a8b7b3b570ce22c0c24eb8c7061f88d66852a36fd58

SHA512
02e81ce8dca52934bd80568ed19fa6239d29862d9aac0e0e62ea87a139857ba41c255a5c52186112e965e7aaeb2bfcc03679b0af1dc65547e29967903099a1ad

Download Submit
C:\Windows\SysWOW64\Bmbnjo32.exe

Filesize
352KB

MD5
ee5ae61686410f6cfe0eeee8e9857a4a

SHA1
17ad3b5ce76c27e69b107f64c172b68b5eedf73a

SHA256
65ed1ed1727215b7250f21a9d2ce2777d1259d14b0d6f549efc4750cb6781f5b

SHA512
779d9ce75d2193d1d63b794324ae6119c1b9b394d9458b53dea25259969123ea5b8e944e7742c42f19dbcde5ba509a6b40efcc4c1e663d403168bac81fafa0cc

Download Submit
C:\Windows\SysWOW64\Bpidfl32.exe

Filesize
352KB

MD5
e34755d340cd7fd0d6ccdf254995f3df

SHA1
785d8404ac06383394df2f0b1c7a6eee22d80033

SHA256
ddb2d821ed325e2051a143cf6e00de30fdeb900de380db57a4124e1332952305

SHA512
a1a90922a9be96890ffcbff70e9a366c9bf540de984b4ecf1f69b40aa4656c44f3d5dfb56cc8ba6f0dea14b2f1dfbb8ca267fa8a83c985a7c569cb0e224805d9

Download Submit
C:\Windows\SysWOW64\Cdclgh32.exe

Filesize
352KB

MD5
d6335cc42ddf95bee620962603f8b8ac

SHA1
4833abdb5abc76222301acf582a18d0a9d6c6908

SHA256
f7e36080773df4075a31d5830edb8ac8ad627bd3d187c58cb9ce0011857b4775

SHA512
53e953ffb7a87167f2322b559d8135db12af21868e282336bbba8f0780d4bfccb8393a58d197b57b32af27a865dcba4a789203fe400bab3dd5d29324b3241904

Download Submit
C:\Windows\SysWOW64\Cmdkpo32.exe

Filesize
352KB

MD5
0f9a2bc54a0f7496c2740777690b625c

SHA1
3bf374f6145c9d116fad3ad0f1e65366d456f6ac

SHA256
ff421e3878d03d8809116db6f9f139af66dcfddd5391d9d96e029baf65118fca

SHA512
c8ac64884334c022a011b1ad93ff4787aa727aeabdfb09b85f39a1301674a71d5e264274c762a82942f0839cd9f4972ed1d89df4c53da8a84e604dbc7205784f

Download Submit
C:\Windows\SysWOW64\Dckfnd32.exe

Filesize
352KB

MD5
e51f74898d6f6aab93f44a7d0eaad6de

SHA1
a2f6f8b2f8a0681bdf7cf45825a9a5262925918f

SHA256
cab331ce00829e90e6e1e479d775e8a7548b63f08c36c9ba4978ae687b75a763

SHA512
64d5032e22baac8d9d807b086fa2a753993c2976ac0c6239c34abb2569472ce5c90eeb6b0eaddaa99f850174cc437cf648b68089c3319a6886a1462f05525973

Download Submit
C:\Windows\SysWOW64\Dmpjlm32.exe

Filesize
352KB

MD5
7d6ed81de93080c55548c5b5b41e260d

SHA1
3fa1a187ea6d3c5de5b5093d8535fb743b6e8ccf

SHA256
617b725fa6a9b1af94dca0ab04c14fbbf7c7fcd375bba4e790044528d8dc2e04

SHA512
49d01c14192ce17a40518f0e05fe387778563dec0763e0d25157e4706aca2bfad1d6e67f65debbc15fb32c0ef9f997aa770e009ba5c1a918f70c088a4b16e055

Download Submit
C:\Windows\SysWOW64\Dnbgamnm.exe

Filesize
352KB

MD5
fbb6cca8c0d2bdc6e2f841e735f0b490

SHA1
604e18d50283e4cadd585dbc83bd38d2f6b109e5

SHA256
a51791bf5f7943c3efb6a8855af92fe1b5fd100fda8e28193d57b807ddb18c30

SHA512
56d575373a658a49e823d0484fda12c3361c4de36d4c6c3f13f516b5d1f9c54f0e4aca8305ee94cabaf716f67cb5432cdb0b3b8205a20c3ddc431520f9e7c4cb

Download Submit
C:\Windows\SysWOW64\Eckbob32.dll

Filesize
7KB

MD5
37dec92b2b2fdfad6fc9963f5a47d342

SHA1
f855ebd2419425469f0426a850d80cd047e7e2f6

SHA256
53cea9c533d72a5f6445b9e0c0026a7ca974622144b1d1eec2fe17ff63176eff

SHA512
a393a7c4598197c763c62af5c0ba18cb5f347225526bbb3421b4b7dcac1a3238e651dd9edd0b97f56850a108a2b244440b6d8de92f89d5f196e3a23a2a5fdbec

Download Submit
C:\Windows\SysWOW64\Jhfifngd.exe

Filesize
352KB

MD5
63f94590e9622ef5fee5375652b0e72d

SHA1
44f60c3ee90a7e8895675a928180d4e0971a9e98

SHA256
129a295f85f1eebbfcfd914fe6ca1d0374dd40fa7641ea9ce6b7114f688e028e

SHA512
043dca33465a86c068e782b74f93893a455a2b24740dae27115336a165c972dca71ccdd2607685331884b0458f6f73abd7de43ec5c7f7819c08aedafbbe6902f

Download Submit
C:\Windows\SysWOW64\Kafcpc32.exe

Filesize
352KB

MD5
d037d8d02d9e84c5df3dcaf00237d0f9

SHA1
06f3da236f75c018ba19ea877d773a925e32fa84

SHA256
1cc8ad3faedd4992992d925600cd2f86a6de08b839fae8288827f6236b0f6869

SHA512
61766b7542f5179bf75557661fb4a69088348f7fedfa90b368a4d385780e78f0b9727bda28cb5ad91f2296d57f1c1eff2ed1b56817660aa5011e611486822e8d

Download Submit
C:\Windows\SysWOW64\Kbnjig32.exe

Filesize
352KB

MD5
925b869185046e5ac60868148a15067d

SHA1
096f44aaa57301c3bcb00d71dec260f0a069b4bf

SHA256
55865adc4507be680f2940c2bf0ef1b561fd5eddf006634a869f805a66d4cdf3

SHA512
f86b691aaa76f99b3a57c89f0859b0b4e4215c3d54b2b1b52d3ba8fe1bccbe76558902e860429daf38c66ec09dacf28031a18acf9d0945a3c9b16d5cef6d48f6

Download Submit
C:\Windows\SysWOW64\Keocjbai.exe

Filesize
352KB

MD5
fa27e0d8d6475be75768a0dbc4bf7c07

SHA1
57dbd1c4b0f803f3cd13babf36c9e9518598ff1a

SHA256
1693bd3d09404de96b3b86a1ae6cb3b06fc0887998dcdad0d664f6b65c45c714

SHA512
07b73b0ab7428c099ee063df3a44d16bb9e9ea3e2f5e49bca7d633b87a7be9b3dfa98b05e738ac6d4eb46c603cd2cf7ef42b2052553e69501d5af0e23d77a682

Download Submit
C:\Windows\SysWOW64\Khbibm32.exe

Filesize
352KB

MD5
a8bbe771f0d6bbaa28bea840fa9d7c19

SHA1
827f9e1329eed2eea5d529a6e6bda6d514cce662

SHA256
2cb0ebe08717c0d139c402654b56c7cd99e7257c2932ca784524bc5c6fb3abfb

SHA512
c9fbb5b79a4e684dcae8451f67bd6d6d8bba97ff60b09840f1f723864c8fce57cd10ba5da753d1320c753f237d62d66c6c33e87b0cb0c0c5a509d4ae7310ca53

Download Submit
C:\Windows\SysWOW64\Khkban32.exe

Filesize
352KB

MD5
657daf4a25f249e25945002feb5f90fd

SHA1
97fc56fcb0969764fd1f62005fa5ca119583a701

SHA256
7e0ba33bf9aed7f3b4feebbd52f73f81acdc816fa996aed8c1f2adac0197fbf9

SHA512
7de691ca3398b954cb2e2433ad32f519c746b4984019313c0cb13e1f84da21691ba8c4e84bfcef101f6f9c51b55773593155b9fd6311c4aee74bc6bc3b0241b9

Download Submit
C:\Windows\SysWOW64\Khmogmal.exe

Filesize
352KB

MD5
2e71d6c5f0e244e9032b8db47ff9bd7a

SHA1
5c539f60fad5027798e6b03da99a78aa542bb487

SHA256
d05ac9293b495d0ba528299a5738c606579cc9ae25fa5cb6872c2fda456329a0

SHA512
88d6e28d498adcca5b6b6b4b3da4c8b3aa906e82f9f00f3197afb3f09f90d82dbad76cf2de711147b47972aa36877fbf685e0657a41a8ac9c5e0d343eedd12e5

Download Submit
C:\Windows\SysWOW64\Kifepang.exe

Filesize
352KB

MD5
c934a3e673ca9cac41b2166a8628a00a

SHA1
0a35039fc5558c3d283b98d805350a781d09406d

SHA256
9ab3783298a4570b14b097f5850f4e7f7729a68c574c660629d2d696fdb16a38

SHA512
ab77ebc26d57de8b99556a5f969d5f4900d6b06923335007bd756298278784b2790ec22c0831355ba2db3b886df662f11738d715cc459a5aaf6735b453613a64

Download Submit
C:\Windows\SysWOW64\Kimlqp32.exe

Filesize
352KB

MD5
075a6b887facf1f456f4c59ebbfe72bd

SHA1
822875bb9a7403db764d57d68d9592c5be118836

SHA256
6eef86183e4741873a39b8b5e2c1f60651ef80ad649561aa5ef4bdf84278e025

SHA512
4c65c60040865054a5dc0117930bdd95a81d955791ed041f807dd649b4cc39e3fe97e21050d8d670db9b6df0d0606a895de42bb0d1d38fec7340deb7b75a57e8

Download Submit
C:\Windows\SysWOW64\Klkhml32.exe

Filesize
352KB

MD5
6697982af3918c613724d54cd0bdbafa

SHA1
f56ef93d1fd9ba37bae99c2c8493d47a85159bb8

SHA256
1218372aafcef13c41af8fb7f33eb8b4ab7976a057427a109c8d8ef49c677978

SHA512
e4053b939caad2175e3a7a00db17de2788f17847c94c0777792066dcdc0af00d7bf2138d1f496bd75d525732a02c2370b1ca1a1ed8bfc61c13c44f21085a0f64

Download Submit
C:\Windows\SysWOW64\Kppnmk32.exe

Filesize
352KB

MD5
8ade25c0f62f5eb3ab3dd117f1dee161

SHA1
7f78aea15ea15faf3eb5e12f97414489f2df4a3f

SHA256
7546814cf8bdf5e897dba039237ca2c8efc1cff362189a84e4231de7a43f2a77

SHA512
d8661ce6bad5764bb59d22e7891c8c209ae377eb597e4815fcbb60655fb341c59f755a8307673299ee491256df2addca13bf56565251f593fa46301757080e45

Download Submit
C:\Windows\SysWOW64\Lajmkbcg.exe

Filesize
352KB

MD5
8dada5cde0ca59eff5a521dca8f9562c

SHA1
ac695d92c036549e10e4f133075a300e81c09780

SHA256
a1c8cbbf6d7eddd33c41b363e686e1b50cfeaff9009eb2a17dd7956bbcf82321

SHA512
c284cff233d5da1ac67f0c0c765e4abeda98c3d4b617c953ee87c695ecfbf6fd9dd7c19d7cc3b19e2acdcd1b2f974f8bca44736e724c30b32d615193753c4dd6

Download Submit
C:\Windows\SysWOW64\Lclfjehh.exe

Filesize
352KB

MD5
02b565c49594b50e232befde54ca354f

SHA1
3a0d2e1a95f9a771c2366faebe031fb1bb6f7349

SHA256
f5095b9e110b5d9f8c4a60d62395a0276917025424d0f164da2ff4f918e01661

SHA512
06285cf789a0adc06fbd44c6346d3191b55734978eddeacab1e40da36aabcd1653cf6b4d6fbefe6d19fc8de8516afe435e5b3cd4c20e1b0976f931346f443550

Download Submit
C:\Windows\SysWOW64\Lehfqqjn.exe

Filesize
352KB

MD5
57020c87df620877ecb6ba468b61ed6f

SHA1
15770b16c6e3473e12be88b1b53cb8375bbec941

SHA256
8ab7db33517ab4f6c306a6fa28caf44f2243392608d27f6dfac75eca0c5cc891

SHA512
8be5552d9d3e82ea41396ea985ba936ff84fd4a4dc97d26fc0dba368a0eabb84610f1a59a84f11552b8f0a8cbb85be54c1ef9fb1ab755c9553be8447fc64a778

Download Submit
C:\Windows\SysWOW64\Lemolpei.exe

Filesize
352KB

MD5
cffee20781434af4f8202eef6484aa0a

SHA1
753be586fa9e5541cdb71ddac13e33edd6d4e695

SHA256
cf84146a0c7f7b53c455aee7bbc653f1403e36feb6e2885a09d3fe15274c1f99

SHA512
30ec760fd790481460e527703e0e1a3838e25f1be3f47413b9d948c23e660e0f3f43e2e394b318192c7188d9ce4af110a117cc5c2e1e379332212af0f3597783

Download Submit
C:\Windows\SysWOW64\Lfplap32.exe

Filesize
352KB

MD5
7baeeca2301a883b0e08903f2b547b27

SHA1
7da332f7c1c8c786b3b1f3efa7d3cac84ab4ceb0

SHA256
af5cb387f76433ed61a8aa972edb3bd5b5ff0888a4b56f466936919bd0dcbd39

SHA512
fb98a8d14ec39b52255fb9c0a34b76d24eedf185a0be5776fa9c3a32d8d8425ad82b4192c89c115f515f9ea31199165fe2992897bf5668ddcc1237b4be3711fd

Download Submit
C:\Windows\SysWOW64\Lhkkhk32.exe

Filesize
352KB

MD5
f45da7b411701b03b19ac419ad46685a

SHA1
a62291188366b1d282e575deda1bae7d91e96b8c

SHA256
e298ff327b7bea24b6f3c04460c9732c1cdd3f975c48e8576362eae6a2547091

SHA512
00e7d3d9c8242f4d6cb1ea2542a14f4856ee5390c1644ddab2f3939c9838f2a346b40beead9126f896f270f323e1ecb13dc84a04b8539ceb702fb1fedc26f4cc

Download Submit
C:\Windows\SysWOW64\Llidnjkc.exe

Filesize
352KB

MD5
c94c8a58c03a0e1f84b20b7b24dddf90

SHA1
837852091f91b4bec5b29d6881cc97ecfddb2a1b

SHA256
04e90fb70f6c5b69eecc7ef6f1c217facfb7b5ac5f1d9f18f7328f7fd2017f42

SHA512
9ab1808472a0b2960b0e9331277d478d0258b4a75d0f3631ea3281b7ae1545b4ce4dd84e363bd9b1e53755d4e43a2868ddff798ab0387f5d83d7821422f8cfc3

Download Submit
C:\Windows\SysWOW64\Lplmhj32.exe

Filesize
352KB

MD5
8a7036b5925ff56a29cad2df9a5c54f1

SHA1
316bfefab11d04d166cec4f2bb837414fd4ba7df

SHA256
509da03fecc85edcba4b760497aea9938880d8d124335a7d2fa86237232a5a29

SHA512
94a1aa4cc4da7ada568854ee0bcb65db5b1ad06dbbcec0ad2d568d7cef4fba61ba021d5573f6bb8f34872e37e8028c82e81bc409ab906a28e21713aa6181e2da

Download Submit
C:\Windows\SysWOW64\Mafmfqij.exe

Filesize
352KB

MD5
f8f0cf7d5ebcc475f506d8f9bfc1135c

SHA1
eb74231ed43c05beb18df88f2679d05a90a45ae4

SHA256
e684555c4d8106fb91f6db18175aa5b3ab4e31c8bd2a552e247d871b44611c4d

SHA512
a04765face2ae2e83014bfebf1525b8f1a55fa03ba9a2e2fdee711c965402a5b600e5c3ce102b088b67ec36115a5f01141989b49ae9b45bbab0a67cb03b43078

Download Submit
C:\Windows\SysWOW64\Mbppmoap.exe

Filesize
352KB

MD5
44ae734962aefce1a5494008623fbc86

SHA1
289cac1466555cf5466b9a098816b148e9b9dd84

SHA256
cce524f920a61f7d413d3e6a3d39616109b33f554000c0d68822d98df25348e5

SHA512
b2cb83128674ddd589292f66f1b39eda5be3fbb908844642662c57507c253294be17d3051e9554588f8cb3c9f7a75141938cc42451d7b19873cbf95b66c178f5

Download Submit
C:\Windows\SysWOW64\Mfdemopq.exe

Filesize
352KB

MD5
020528146c112ac916fb33d219434b8b

SHA1
d7136945d7fd6540f5ce8ce7af785b2427d544a7

SHA256
f131ee5a0509785830ba6de26c7106b9ca5e75711d9f396b601860e21baa4060

SHA512
9fd55104df4a87923b795cd0cd9f71ceda4a532b10fc85b9bc1456a329c4633916a860cc16e12915bbf9b812417df925347f9d24fc1bcd7a553265f07e9b53ac

Download Submit
C:\Windows\SysWOW64\Mhgkdj32.exe

Filesize
352KB

MD5
c87b383d6c610c48cee092e7ef06973c

SHA1
035d8c1b44ce1878ef2b3e3126ff38474cfcc3a0

SHA256
117354cd6ca8af53d50b3b4f9c5b50ec061e508c2cbc37c1f3181e9539ebaaba

SHA512
f8589084040b6aa9d72cff198bab7a1bf458c4547f6bdeabe57209798702ed00df09495931f7fcb34fef30b8983c986753354d87af8c9a558f658cfbb5418338

Download Submit
C:\Windows\SysWOW64\Mhpeckqg.exe

Filesize
352KB

MD5
b9b701a082203cb97469f9018227838b

SHA1
09898fe968cf30a8b818a416a4064430bdb8729e

SHA256
04fb328b6ef92c8fa96e37ed9d72344a0846d12a8bfc6009023c78fa9614c756

SHA512
93b01d74f8426544f05a2a28b1e4b45a70e55e724e116d964db47c62e8496f848032aee977f5cba7ab2217f99ecf6b4ff997cf9c7a28c6678496f8ae12172c9d

Download Submit
C:\Windows\SysWOW64\Mlqjoiek.exe

Filesize
352KB

MD5
a41fa88c7d0f5f3c93165ff0bcbc1bea

SHA1
7e381018ce5b01ccb17b24d2348ce2fc6f819d12

SHA256
9ae7e235e5e8ef7b40faf3aeaaffa416540aa7f107d0d8cfe6cb96522af8d782

SHA512
45b8ab912783c92573b5207a3515de9c7c3cf149f3e45c5bc4f5bfed46cb2eefe381c03b935c6cb44371afb22d13f550819dd418e4a513dfff2da58c4afa3445

Download Submit
C:\Windows\SysWOW64\Momjed32.exe

Filesize
352KB

MD5
8a7539f8c3441fcfc8b1a578141baa36

SHA1
d4b53de89669d41dde8b18bf9cfca2dd2f7c26c5

SHA256
ee9b474e9fc068f53ba38dde0baf2ff80ed382891fc144d89a5fbeae5cff0e45

SHA512
84762ed1b5234ee549e085a2b2caa191825313acb9c2c1ee145c7aaaa5441afc67330c16cd833ee57259a0d84722f96ee643e8e7f6a86541e41d18603d6a4e6c

Download Submit
C:\Windows\SysWOW64\Ncdeaa32.exe

Filesize
352KB

MD5
3dfb939e5e15ed104bb4c15696cbe4e8

SHA1
dc6665173a81c4b6df16f71c652b431a84871b8e

SHA256
a5828b077d6815c6b4917f596eee00a68c163b50ad0124e536840099680387dd

SHA512
6c47303c6fb014096c94fe8d47f791690d086e97fe88317f06ea131a181b1fb13e81a82692aab2b6b1eac7d1e5f20a5e2584dd09f1eff4866b684f21cb1910bd

Download Submit
C:\Windows\SysWOW64\Nfpehmec.exe

Filesize
352KB

MD5
302467d444c03cfb7a25b9ff767449be

SHA1
171fffa6bae6c8541bf6855781a2572ec35c75f7

SHA256
b484d6f3b3eb6a20ff129f81b6017d85bfc1d62f506aa86e87c85cd20b96c6f4

SHA512
6e3d15b7532a9b84a7970b89a80f14ab08f7e9ccdbb9dfc7e0de7f00495a0728bd17a7ac3d8341505c9b0c0267c5f34e4803dc47b09046af1a092bd64974f612

Download Submit
C:\Windows\SysWOW64\Nhldoifj.exe

Filesize
352KB

MD5
80a58054d0dd7bb7e7aeca4b975a1c5e

SHA1
e80092e273d6c2b7a968d81ec5780497ba61b99a

SHA256
38fd6a1412fd067c8b3c74a2c9283e4dc0cebfe798e1b3bc5ab3d8a52316e3a4

SHA512
eeba5172a065e1e377b9bf92c0342f83c8878d3e77270f64a33f30b357efe54cf1bad0cce2b0daf9aa7810b5f50ca5287faf31eca66d03b91258093cbc030530

Download Submit
C:\Windows\SysWOW64\Nhldoifj.exe

Filesize
352KB

MD5
f90e3cb52342ce4e6d6bf958f02c4017

SHA1
6554fe89e8b96f77bc01954f730c45eddc436c34

SHA256
a303a4fd6c02d19a3007c290750cc260caae83d965df18f23736a565fd0c4ff2

SHA512
ffbfb25c6ede54a23df4e05e0bcface0af78ae746a9595ec84f3bad9cac652b508af6cdcc3cc74f8dae97987627de4175a7f1fe17a3b69f70f6d1315ef0e142f

Download Submit
C:\Windows\SysWOW64\Njpjdkig.exe

Filesize
352KB

MD5
611c9593613487dba9761ccd520a6bd8

SHA1
fbd492015cd71cb89a56ca1c75455265a14cb930

SHA256
eb9a03c36033d6e0db37b8098765f972cca59d3d3f1bba746b43bde68ad2bb06

SHA512
7744ce43b6d37dd9da5d44ffa5a32b3a97a90415c48fac544bd3a45a18ccdf99820e1182c481e5f250daa3016f4b3d175c46177475cd1d5b70abe2da0cb172f8

Download Submit
C:\Windows\SysWOW64\Nocpfc32.exe

Filesize
352KB

MD5
3ba67736853f7a9cf54845da99be07d8

SHA1
0ea7634cc1879938df9efa86798e3cfc739b2afc

SHA256
346fa7ec1a500071d92699c554f3ee6fc8d9b6bcc078d6a499e47088e17961e3

SHA512
e6a85c3b715a29b1ed8c641d4bc57759933ff5533a6aecafa752dd943ec7ab6070d52f9d04f69f219950c4e4a4241c0843b31b5666a578c53074d6e6fe29667e

Download Submit
C:\Windows\SysWOW64\Nqhfkf32.exe

Filesize
352KB

MD5
b771976bd78274bcb6bd9fc5d4e2b6e9

SHA1
8ba3162ad527be3385aa8f2f472fd2a4699b1ad0

SHA256
091e2a2b5fd0b52f49c3c9defa6a1fa9945ecb8a12dbbf988f3680a9c84c7e32

SHA512
1b5d31ace6755bbd74804302d40e53edf845c80b82fae5411323e65af1131c583a71e66dcf3863e36151515cba527c77aaf610734adbeb0075ca2d68d1cc264b

Download Submit
C:\Windows\SysWOW64\Obbeimaj.exe

Filesize
352KB

MD5
2efc4dfdba4033bd471796b65760b2fb

SHA1
d43acc361798715bf6654ea57a483e1ed6c1e730

SHA256
fe0a9a752f20274aaadc1908db71a4e051f4ea0a52b1bbc0df8fd06fb8df9421

SHA512
55a13f15c76623b1d867fd74b1ee5c9a2a3c5899dbe9b01f40d433540972a9de78fa421a8249ad44d9751093df0426fd69efcfcdff9a1495c5c277a349c5f295

Download Submit
C:\Windows\SysWOW64\Ocmhhplb.exe

Filesize
352KB

MD5
720d8ff91609e8490c109bd241f44175

SHA1
32c2ed0852362554b9a313e4a65b5d34d6b3f261

SHA256
ee912f276c0fcc5b10149605c1ab784765c469dd34732218c5a704e22f331a67

SHA512
7a1f44e2533cfcbbe6ed55b5cd6c482e06d50cb156d2a64f7ad75ca58eb32c7bf130fa0cc2bac73f62c0e9b3ac1d4fc5d318d571884804557c523e6120a91067

Download Submit
C:\Windows\SysWOW64\Ooopbb32.exe

Filesize
352KB

MD5
1d9e3bec57fba058540a94c95c7f24c6

SHA1
5eff3e0d57ce5146644fc60a121beb93dc926a17

SHA256
ea89f7f6db4f2fba14151d68a609cca8433c566c52a4cc84f0baec3989dbd67e

SHA512
55e263930310aa0d6f48af56d033348008e2e3a88a4428b163bdbfa97c1afe29709ada9c63e7ed52203fc768d2564ad5ef79c0c6296882b516ebe90d50969b2f

Download Submit
C:\Windows\SysWOW64\Pckdin32.exe

Filesize
352KB

MD5
54dca9d0bef252f4c5185d1042b3551e

SHA1
cc4f01a2d9ca0682741fc4313d4f3084372afdb9

SHA256
00f1ee15e34230157cfa4b21ccddd365fd297680e793d85fd5a86b8649ff9f55

SHA512
3119fd944f19562062133010e382a1b35dc426c5650f4cf890834b5b50af7483239455471abf44fe3e45b4131dccf1a85b172eade261e5ea676b62a677b8f1e5

Download Submit
C:\Windows\SysWOW64\Pmopgdjh.exe

Filesize
352KB

MD5
3ab36c73144e62d25667383660d0c6dd

SHA1
bf8eb81b0d6f62e73a7a73f0727564b3fa9fb043

SHA256
b44e8a1f4d51d972774d7335fcb202bc6d9f2bba4367b29c1f57a9535e0b8a81

SHA512
95a99aca639dd0302756ef57d7842f50a7b9728b9bc6155275cad3e6ef52bf0e3b02309dc14846b6d3f39a5cedff6e65ca197e34cc7e556bdf5cf8dfb6ce10ae

Download Submit
C:\Windows\SysWOW64\Qmkobbpk.exe

Filesize
352KB

MD5
33780bebcbb6513179922651c96e2ce9

SHA1
efbbd8f687ca3c46dfa8d0d97512655021e2d971

SHA256
9523875095dad49532c2c1a207813499a7cc0998fd8193b05e752446b227d1e2

SHA512
61ba8693486fddac21b89f34e26bc4e4bbbaadae3f8410282c0b38453c5fdb8264fd47adb080f355c1ede174f0e74a17eecffb4493afa80f6e5aaf742379bf7c

Download Submit
C:\Windows\SysWOW64\Qpgoinaa.exe

Filesize
352KB

MD5
99356f78521bb2701271c9596fbd90cd

SHA1
e02c0c12cbc6e3ce7bf3cee8a33dd704c914c211

SHA256
e583982d15a3d3ab7166627b0fafd5f4cbc57a8955ce2e747fb60c1fe736adc6

SHA512
80fd3e92e024c5a0270c61eeae554aa7de42096172f7f65c2e87d482ddfed780a2f162964ed9b0583cde02cd186bc0d2cf11a426854fac9091be6a56956b6678

Download Submit
memory/216-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/324-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/400-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/440-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/516-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/540-566-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/688-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/740-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/848-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/916-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1012-598-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1016-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1232-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1268-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1372-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1392-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1432-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1568-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1580-587-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1604-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1700-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1724-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1748-529-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1796-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1812-573-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1880-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2004-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2100-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2104-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2112-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2148-552-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-579-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2164-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2200-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2284-580-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2472-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2560-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2576-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2740-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2800-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2808-559-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2920-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2948-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2960-181-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3080-545-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3108-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3108-551-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3164-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3164-558-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3240-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3280-572-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3280-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3336-565-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3336-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3376-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3420-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3440-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3520-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3612-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3628-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3756-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3764-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3828-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3912-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3940-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3964-484-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3972-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4008-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4012-586-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4012-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4028-538-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4180-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4288-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4336-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4336-593-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4360-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4392-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4404-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4424-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4432-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4540-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4548-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4604-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4656-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4744-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4768-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4796-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5080-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads