berbew | 9899db030cc0d35bf943d78e7a38989371ce07293c4c0ddb9b8f1115ccc0091a

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9899db030cc0d35bf943d78e7a38989371ce07293c4c0ddb9b8f1115ccc0091a.exe
Size

163KB
MD5

04d2478afcc68de154249e0b7e193d2e
SHA1

b31e64aac1db45fce680c8706046a6647edec49b
SHA256

9899db030cc0d35bf943d78e7a38989371ce07293c4c0ddb9b8f1115ccc0091a
SHA512

7abe145205f6877e53b16d70e1dbd61e79a18ea19124348ca67f2a746f0c94883d4b5c7979a58faf3b844d3ae2ec3dc68f2bf1867af8fa07271085ee43e9158f
SSDEEP

1536:Pp0hsyCUXPoCQBrlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUA:ZdsCrltOrWKDBr+yJbA

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmhhehlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9899db030cc0d35bf943d78e7a38989371ce07293c4c0ddb9b8f1115ccc0091a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heocnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipknlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieolehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfqlnm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cf9-830.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
836	Hckjacjg.exe
2316	Hkfoeega.exe
1572	Heocnk32.exe
2384	Hcpclbfa.exe
3148	Hmhhehlb.exe
4684	Hfqlnm32.exe
4232	Hkmefd32.exe
4292	Iefioj32.exe
3296	Ipknlb32.exe
5012	Iehfdi32.exe
4656	Iblfnn32.exe
748	Imakkfdg.exe
4512	Ifjodl32.exe
4012	Ibqpimpl.exe
1680	Ieolehop.exe
3860	Icplcpgo.exe
1516	Jmhale32.exe
2968	Jbeidl32.exe
3084	Jedeph32.exe
536	Jfcbjk32.exe
4604	Jianff32.exe
3940	Jlpkba32.exe
1804	Jcgbco32.exe
1972	Jfeopj32.exe
1132	Jidklf32.exe
4832	Jcioiood.exe
3308	Jblpek32.exe
1908	Klgqcqkl.exe
2468	Kfmepi32.exe
4500	Kpeiioac.exe
1848	Kmijbcpl.exe
4436	Kfankifm.exe
4588	Kpjcdn32.exe
4264	Kfckahdj.exe
3716	Kmncnb32.exe
4812	Lbjlfi32.exe
1500	Liddbc32.exe
3312	Lpnlpnih.exe
3104	Lbmhlihl.exe
2532	Lmbmibhb.exe
2476	Lboeaifi.exe
1592	Lfkaag32.exe
1048	Liimncmf.exe
2284	Lmdina32.exe
1384	Lljfpnjg.exe
5052	Ldanqkki.exe
184	Lmiciaaj.exe
1824	Mbfkbhpa.exe
4268	Mipcob32.exe
4860	Mgddhf32.exe
4176	Megdccmb.exe
1944	Mlampmdo.exe
4164	Meiaib32.exe
2344	Mlcifmbl.exe
3692	Mcmabg32.exe
3744	Migjoaaf.exe
1876	Mlefklpj.exe
3056	Mpablkhc.exe
624	Nepgjaeg.exe
1912	Nngokoej.exe
1344	Ndcdmikd.exe
2500	Nloiakho.exe
2664	Ncianepl.exe
2712	Nggjdc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aglemn32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Imakkfdg.exe	Iblfnn32.exe
File created	C:\Windows\SysWOW64\Jfcbjk32.exe	Jedeph32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Lmdina32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Hmhhehlb.exe	Hcpclbfa.exe
File created	C:\Windows\SysWOW64\Icplcpgo.exe	Ieolehop.exe
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Hkfoeega.exe	Hckjacjg.exe
File created	C:\Windows\SysWOW64\Laapnj32.dll	Imakkfdg.exe
File created	C:\Windows\SysWOW64\Jbeidl32.exe	Jmhale32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dgdelcpg.dll	Jedeph32.exe
File created	C:\Windows\SysWOW64\Lbjlfi32.exe	Kmncnb32.exe
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Aoohalad.dll	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Liimncmf.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Ecnpbjmi.dll	Hkmefd32.exe
File created	C:\Windows\SysWOW64\Kfankifm.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Heocnk32.exe	Hkfoeega.exe
File opened for modification	C:\Windows\SysWOW64\Kfckahdj.exe	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5644	5416	WerFault.exe	212

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfqlnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imakkfdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmhhehlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifjodl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icplcpgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkfoeega.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedeph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmhale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefioj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iblfnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnpbjmi.dll"	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjqkei32.dll"	Iehfdi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjakkfbf.dll"	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiopcppf.dll"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmhhehlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfnhlp32.dll"	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfqlnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipknlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9899db030cc0d35bf943d78e7a38989371ce07293c4c0ddb9b8f1115ccc0091a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdelcpg.dll"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lbmhlihl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 836	640	9899db030cc0d35bf943d78e7a38989371ce07293c4c0ddb9b8f1115ccc0091a.exe	84
PID 640 wrote to memory of 836	640	9899db030cc0d35bf943d78e7a38989371ce07293c4c0ddb9b8f1115ccc0091a.exe	84
PID 640 wrote to memory of 836	640	9899db030cc0d35bf943d78e7a38989371ce07293c4c0ddb9b8f1115ccc0091a.exe	84
PID 836 wrote to memory of 2316	836	Hckjacjg.exe	85
PID 836 wrote to memory of 2316	836	Hckjacjg.exe	85
PID 836 wrote to memory of 2316	836	Hckjacjg.exe	85
PID 2316 wrote to memory of 1572	2316	Hkfoeega.exe	86
PID 2316 wrote to memory of 1572	2316	Hkfoeega.exe	86
PID 2316 wrote to memory of 1572	2316	Hkfoeega.exe	86
PID 1572 wrote to memory of 2384	1572	Heocnk32.exe	87
PID 1572 wrote to memory of 2384	1572	Heocnk32.exe	87
PID 1572 wrote to memory of 2384	1572	Heocnk32.exe	87
PID 2384 wrote to memory of 3148	2384	Hcpclbfa.exe	88
PID 2384 wrote to memory of 3148	2384	Hcpclbfa.exe	88
PID 2384 wrote to memory of 3148	2384	Hcpclbfa.exe	88
PID 3148 wrote to memory of 4684	3148	Hmhhehlb.exe	89
PID 3148 wrote to memory of 4684	3148	Hmhhehlb.exe	89
PID 3148 wrote to memory of 4684	3148	Hmhhehlb.exe	89
PID 4684 wrote to memory of 4232	4684	Hfqlnm32.exe	90
PID 4684 wrote to memory of 4232	4684	Hfqlnm32.exe	90
PID 4684 wrote to memory of 4232	4684	Hfqlnm32.exe	90
PID 4232 wrote to memory of 4292	4232	Hkmefd32.exe	91
PID 4232 wrote to memory of 4292	4232	Hkmefd32.exe	91
PID 4232 wrote to memory of 4292	4232	Hkmefd32.exe	91
PID 4292 wrote to memory of 3296	4292	Iefioj32.exe	92
PID 4292 wrote to memory of 3296	4292	Iefioj32.exe	92
PID 4292 wrote to memory of 3296	4292	Iefioj32.exe	92
PID 3296 wrote to memory of 5012	3296	Ipknlb32.exe	93
PID 3296 wrote to memory of 5012	3296	Ipknlb32.exe	93
PID 3296 wrote to memory of 5012	3296	Ipknlb32.exe	93
PID 5012 wrote to memory of 4656	5012	Iehfdi32.exe	94
PID 5012 wrote to memory of 4656	5012	Iehfdi32.exe	94
PID 5012 wrote to memory of 4656	5012	Iehfdi32.exe	94
PID 4656 wrote to memory of 748	4656	Iblfnn32.exe	95
PID 4656 wrote to memory of 748	4656	Iblfnn32.exe	95
PID 4656 wrote to memory of 748	4656	Iblfnn32.exe	95
PID 748 wrote to memory of 4512	748	Imakkfdg.exe	96
PID 748 wrote to memory of 4512	748	Imakkfdg.exe	96
PID 748 wrote to memory of 4512	748	Imakkfdg.exe	96
PID 4512 wrote to memory of 4012	4512	Ifjodl32.exe	97
PID 4512 wrote to memory of 4012	4512	Ifjodl32.exe	97
PID 4512 wrote to memory of 4012	4512	Ifjodl32.exe	97
PID 4012 wrote to memory of 1680	4012	Ibqpimpl.exe	98
PID 4012 wrote to memory of 1680	4012	Ibqpimpl.exe	98
PID 4012 wrote to memory of 1680	4012	Ibqpimpl.exe	98
PID 1680 wrote to memory of 3860	1680	Ieolehop.exe	99
PID 1680 wrote to memory of 3860	1680	Ieolehop.exe	99
PID 1680 wrote to memory of 3860	1680	Ieolehop.exe	99
PID 3860 wrote to memory of 1516	3860	Icplcpgo.exe	100
PID 3860 wrote to memory of 1516	3860	Icplcpgo.exe	100
PID 3860 wrote to memory of 1516	3860	Icplcpgo.exe	100
PID 1516 wrote to memory of 2968	1516	Jmhale32.exe	101
PID 1516 wrote to memory of 2968	1516	Jmhale32.exe	101
PID 1516 wrote to memory of 2968	1516	Jmhale32.exe	101
PID 2968 wrote to memory of 3084	2968	Jbeidl32.exe	102
PID 2968 wrote to memory of 3084	2968	Jbeidl32.exe	102
PID 2968 wrote to memory of 3084	2968	Jbeidl32.exe	102
PID 3084 wrote to memory of 536	3084	Jedeph32.exe	103
PID 3084 wrote to memory of 536	3084	Jedeph32.exe	103
PID 3084 wrote to memory of 536	3084	Jedeph32.exe	103
PID 536 wrote to memory of 4604	536	Jfcbjk32.exe	104
PID 536 wrote to memory of 4604	536	Jfcbjk32.exe	104
PID 536 wrote to memory of 4604	536	Jfcbjk32.exe	104
PID 4604 wrote to memory of 3940	4604	Jianff32.exe	105

C:\Users\Admin\AppData\Local\Temp\9899db030cc0d35bf943d78e7a38989371ce07293c4c0ddb9b8f1115ccc0091a.exe
"C:\Users\Admin\AppData\Local\Temp\9899db030cc0d35bf943d78e7a38989371ce07293c4c0ddb9b8f1115ccc0091a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\Hckjacjg.exe
  C:\Windows\system32\Hckjacjg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\Hkfoeega.exe
    C:\Windows\system32\Hkfoeega.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\Heocnk32.exe
      C:\Windows\system32\Heocnk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        27⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1848
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        59⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        65⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        78⤵
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        79⤵
        Drops file in System32 directory
        
        PID:3896
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        82⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        83⤵
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        87⤵
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        94⤵
        
        PID:952
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        95⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3448
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        98⤵
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        99⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        117⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        118⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        124⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        130⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 404
        131⤵
        Program crash
        
        PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5416 -ip 5416
1⤵
PID:5516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aglemn32.exe

Filesize
163KB

MD5
ef5f4d44823b7332da9e48141914d536

SHA1
e0751109eb4f1afc633bc3ae6dbdce97370313d7

SHA256
bb13074470d372a733d6a8a47cd8d545eb772c78e67788220bea19023ff1dae8

SHA512
227dd34bf8d444984c2e64bd299a6ec2f58951892fb92dcdd0a5bcb9e07238f2cf2b9408f74bf451d061366ac7b28936a137ed13706a33f2d381bb3a41bfeb21

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
163KB

MD5
590054f773fb9f9e1d38a5f702a735d6

SHA1
ae1cb9dcef59a18a60b9165400b6f99a78b22658

SHA256
1913d7c36c9c8dd39a9cea9e37329611fa88f91e0703516ca689f366ba820eb5

SHA512
e1dbea25a1ade378b92a557cdae66a436c0e8077e0baaf7467aaf7d7ca636c8cb700cb1d54ded23af9e6412a8defda00f0469aaddf28a4b7e7b0c340fcf4e6a2

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
163KB

MD5
bc9c5d82820f3902196b15e9dfc81c38

SHA1
ca5b91e95f0050eb5c820b27cc0c75aa030e4c26

SHA256
b3322490cfd76b9f08392d774839f2a4f53d8555667d735ab0bb5939aeee541b

SHA512
ea106e9f50b31c506cfd04708fc911e7aad12f4d0cc16046b9fa0db436cc569a9c1d3e2e4441306048878f36b29b4f672f6f3962b7f7a977a1e851c3790f77fc

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
163KB

MD5
f41b8be6563ffd7edc9942b543b21662

SHA1
f953a20090e7bc41b93c98e4b762590f7279cfcd

SHA256
b2cb9dc405b213c6288a236457303ac47c1a6c0d53ba335cf1b7d567503d22b2

SHA512
42f31e454d829a5ab53db57fbede0534f706304d180edb22f57e23bfaab57a74c7a6aefd5e1db73afaebcbd8d751860e5a4a0c782d9fdf2f23f1d94739bd9f3e

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
163KB

MD5
d7f4760c5c9b41ae04e379790463f7be

SHA1
a79dbcd9ec68341b34e1a797e2c7f2292d911bbd

SHA256
dcad3349a1c56db71f1c0e69573437cc56ed961434dfb9f0e43fa22d5f9fb14f

SHA512
b4f9990b09048cc9b8114a8327967512a47a0917c1ec731be5291c138bf6d862d84ca292d4c6e8fb45496cfd7ba2a49172c23703996bd35ec2a320fc5715a699

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
163KB

MD5
e8c666ed983cbfd1ef435c017d5486ad

SHA1
95c8c9a3294afc3509c800b1ba9d88793efd1b7e

SHA256
7b31b25c4175d8c701b1f9865cbc9918462334e72509b0f85df6d7abe1ba96c0

SHA512
4cb8ad4a0f5d4d1bbdaa5bca6aea9b6204048669d1d03960885038902a2931e545276739cab7d9301678fad64d0e5d83d632fcfea6d471c262762c81383ae3cb

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
128KB

MD5
11417fc12b080917c2d634e2c1f47de1

SHA1
57324b49f6acdbe24d98c02a403aac1bb092d5a2

SHA256
333a2e679b69b1c264da853ffb08cb781f469dd06759c37373a5de401b005ef2

SHA512
578d6442d540d4fbba003e804f420f4325176edd605d96e3bfff6f8ef208e46708aa60d3d7738dd4a32f205da73bb3c7c070ccde0be7af68a167e948ff6820e7

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
163KB

MD5
1a8414c1187e45b1c03cf38f23c8116b

SHA1
e930327ab22cdbb0acec3e7f044eae75c842ff2c

SHA256
c206daa4b2c357e30649d11c26978b953604d80c5b0591ca85339e4a3520641e

SHA512
e7f1651e424e8dc50717f7ae222ec6aa89e7821b689e39915d6567de3919ee958e0e5c3dcc6d8bbf0cbb7c70d643ff2b10e3aadeb141df7297feb93f41d62e34

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
163KB

MD5
781865df0c50a21aeb98311504d7ea16

SHA1
f99ff03704a93777dd45f064e1a3e86a284ddfa5

SHA256
f4ee414b6c8c5835c0993781b53f26f734e13b3ee7759f8a1dcaa83ab9975577

SHA512
b523bbb4413c9a569bcef3b1ac866f542d1c5338602543df97d34e0703169856dcf5568abc7dc5e688c561509729210738bf1add81590411501ea3308bfaffea

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
163KB

MD5
b38b5fdd8f328f06258547962332b77f

SHA1
62c514b075cfa6d2ed045c125597e4584bdc2fd1

SHA256
bd6000af292877276068991ec2df72ffe1d58edd3825133ad996dd7a072e0ff8

SHA512
2f8acc418e4fb699efec8e7dd0859b034081bd29fb4013b52dd2235056c1bff3dae4891dbf3875b598ad50537f479c9cf555a0da9b5804126aaeba57a20a0996

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
163KB

MD5
de192412e41bf553a35d5b15ed49af52

SHA1
aa5306f4d548aff1d80e597053be553e363ea93b

SHA256
6ad60f1bfa9d598a1e3374fb46a354fb5eef14b782572eae081be3f7afd92e06

SHA512
502747db239036a0bb91525332a4b069d2c495843d240600ea40ded48f5c5835d70c5170e9922f6ea44b3866f8e1791772e4af26468dbf164c9d493f8775c16e

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
163KB

MD5
d6f88fa0a1afe182eb49f7e4c95911df

SHA1
688c6a0c14592228fff9afaaf277af532722e00c

SHA256
c849b4ef88a8e44eb526af049acb6df153c55db3a67c8baa0cc445d1174098db

SHA512
e307e2bab0241fc459e832bad3c62ab5437ff553d95175525e5ed56353e18fe6810a006e0a4d65883143eca82fa1194a148610b7b2018ddd9fa3604fb4b556ce

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
163KB

MD5
acb3c5215fc7c69ddecafd263f24960d

SHA1
9c97711106935373714af9dba094ce83f09a6dba

SHA256
0c127159e76204b5636af2715cf04d84d822877e2b842425274c55dcbe05a798

SHA512
2b3b7f8db010f2bcb8cdadb14e0a8f808e1c7987f4c3ad7012651198802558fa6eb058cbe20fe628e98c8185365739df3a99886854e542d6b82ac78ead95b286

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
163KB

MD5
b8744ee1305644c44ff0a3cadb39524c

SHA1
eeddb39cec9344477cd3bc096bb3ec07ce9e31cc

SHA256
4bf616a8b2669c6c2f0e8198fda0b9856d12bd875d622726e484eeb46ecc50d8

SHA512
f3a4e1573adcb68acf00ecf1388e226718470cf6d4eb414dcc624f766e52d77642f4e50bd252126a02942b4ef21750990a95955072fd84292d2670c23d9f8435

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
163KB

MD5
5447494a074b9c6972722f4cbeacf322

SHA1
5f43eb7686cc9a56d2e7d92e2585accbc4446e54

SHA256
89ca891dde069a9c6f0ef62bb667f0516e5959317781660f25fa7cf4581ae5cf

SHA512
028b56bf868363de674f4f61ec8d4b6b68e7a1bb49eeec10f5101113296050b780809cf143e283f565f9afc4ff6f63fe6f28671b607d62aa198b9b7313ef2060

Download Submit
C:\Windows\SysWOW64\Hcpclbfa.exe

Filesize
163KB

MD5
412608e9e1ca68b3272e5fa47ba962c8

SHA1
7325fcf5d471c2526c3c67e20630a3b2687da12e

SHA256
87fc5b5eb96216149bd65023d40e5de8abad9f9a33bb1b88caaf0fccfff41dd6

SHA512
b2ea9aeb4fbfea0d6a4c1aefd1e7ec9faafd761628da75a88c4520522faf3c0868399f5c6b2e0f03e270614e9c81767b9437c9bc5f9d83ce8a26bbf03585c351

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
163KB

MD5
e306fcc4b0895c5656797c43381b3d6e

SHA1
be22cfef54914ac7b734e1ae23269eac7cd3b564

SHA256
3a53721ca55860f1366e0d401a397d0e5969c61e7a9745cc5f25d38ab9c12da1

SHA512
1113fff34749381c76950dcb8d1fa860a52999b17d8ae07947b7a238190b3720ccc6f4bf5dfd47c7d1b06ddb8359edbd716c92cea65abf26ea3d7da26bb82ccd

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
163KB

MD5
f7e36a6cea66e8eed0795e03a9338802

SHA1
bd0bb5729fa980e1e7085d3f460381eaca1e1c7c

SHA256
20c3103fc5cb0e14957b7b4e53911de788e00e51a5df5710646a1fdbe143868d

SHA512
f709c6e2b65bb15ecafc735bb652c95c03fe3f1ed245cedb140df437a9aac5165147becf692bfb6ec2dbe30ad5d61ed5ee5e38e34295d08ed7d0643ce7ca29cb

Download Submit
C:\Windows\SysWOW64\Hkfoeega.exe

Filesize
163KB

MD5
e7d084eaaf1917c81d903d3c7d9d54c7

SHA1
41adcefbba3b0c5d7f644250e532b231091dab14

SHA256
7c92842dbf668d8bd86132ae293f6a314199210f580ff1873b2605cc2dc83ad2

SHA512
8880cdc896b9abe0a54263403ae6eaf563cee439ed0870412124a42cc795c8d6e60a485d7833a3ab11da41a455463dd14950e2b3fd1441ccafde520e7912e700

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
163KB

MD5
39f6a1aefeba6a08fac1dd9bd54473d1

SHA1
e53fadf6102ecb8108c9a912b204718a74d76239

SHA256
726a2eadf7cd4b882c549e166ce7e4f451073a7523cc589271c76e3765d76e10

SHA512
6707fee9b82382c7786d09e038be0becbc350418e777ff8dc5b20682b9173dc588235aa98ce6676fb56768397271eaf0a441f4f5ee81da828b60c98fb690e70e

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
163KB

MD5
c52b9032c89d6984bcc5f10a46ed176a

SHA1
db7fad56c7bd55c1cbb3eca981d69d46958506db

SHA256
4a79aae6de301177c14a23b28b6fd4969357c244ebed2a442cae9e1c524a29aa

SHA512
cc9f92291e9085c1b891df25e47d9d356236865ce032ad3ae0959cebe2279cd6d5fbeb1f4778be4701970c38cd6481ff028d21d82afc3bddc5c942319c9b3187

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
163KB

MD5
d646c3da8674af176b584c2bb63cf45e

SHA1
15f2453786808361aecc44a696f3f1835d41706c

SHA256
6153991c92d50960e2154cf876c6fb5ae97d7da6ec0ef2a3fbcd000c9450f787

SHA512
b6afc571330524380191ad9a1146ba1d624b300c71e993bacddb3465ba3f127465d9ac8cf30d3366c3a128fd857c15456447c5380281d6c98337acb0a534f8ce

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
163KB

MD5
710f8068d9c4d4914ff52d5a7dadb89a

SHA1
c65632b2ee2c971c2ccd1d6912d6f24ac068b52c

SHA256
6e60a6bf3af3c0aa2ef4248b54b72c3cbe4eb09c88d91909015dbf6a8e812b48

SHA512
3c73995920c3404bc672fc02ed3d39a91365af09f07d8fd07fed323bae7c89acf147ac79ff6865221a822469002a3061ea1ffd4c06a1bf728a4a995cbdbaaede

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
163KB

MD5
fdee29b73196abc9bdd5e9927b53f7be

SHA1
c840efc8dc0d107c2155462938a0b95706b78af8

SHA256
50e05f8c611e6ad54f63d0e621bbf76934ec2f3cf92b979b65cfc0af07da308d

SHA512
1e6f840b1ea192dc46570caf9aadcf3cc817c07f07b812f88a33afb06aab094c27953db28109b1ad0d067f9bbfe89b6ea37bb2d20f0863d4bd0201440030c45e

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
163KB

MD5
cba4542990c6efd3c15b179cb49be95d

SHA1
66905c3c1e5e83e66493a2e2cf92af194b42efac

SHA256
230afcb5ceb9e39cfd53523906f06f3751bff4367273675de741ec61d1bbc44f

SHA512
cf297785695130fd3d5875c572f81560fdf57928d8b78619673c43a1691e5c8d59e6e23a2fb4aee5a45764049e0f5ad8e8bd8dc3258e83af775d137361880390

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
163KB

MD5
f8f7c9a99edbb4a80483173ec2b4ced4

SHA1
f9f91ef72fb508c3a16d19a5cb1fbfc52a9fdbeb

SHA256
1e3cdd71885f22cbd1a5e241ec369deccc48f55cb93b060f90a9c6d293329827

SHA512
a85cc7532f4378840038e44c596b9dde2f0d7ee5536347d456358d535b5b655415fca39e40137753801de08f93e3f39fe169019bd5092ea9590ca28687fd613c

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
163KB

MD5
b1fcf41b0876b64e1a11990a747ecbdb

SHA1
dc7254d9744a19a0387793a21a5509eee5eb4ee7

SHA256
65442f53d1323875f6cc2b7dc4cee02057069f2b4cb5c20adf4375c37093bb2b

SHA512
f4d099862965d1ff234d1ea4e6827a961a7abacff8c4ec57923c724777c36808cfddeb68b2d2bcf5ff2069c66fe391ed7921bb054efb0ee8ff78bd4db0c35f65

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
163KB

MD5
8b2a9eff97dac9b59528bfc8feaeee74

SHA1
51ececb166af66761063398c59496da1dff5eb98

SHA256
60e1d52972563f2cc91db18ac90bcc447da9a9c65cfa60170059a95ad6a1c07d

SHA512
1f9cf5290975064efe9273db20ee4d0ed7a1c4ed764bd36557af89e2b2a63938992f86a9374d4504aaa4f6c04ff84b26cc7e0f70b8da01b3d50bad3fda01000d

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
163KB

MD5
070d1b1c4ae3bfc0ef0a1dd6591c2ec7

SHA1
da4e2b5e8f6887d4ae83c95340c0720b4aa1ce23

SHA256
6f9f107ded1a096e7403fed3263502604f9514d88f77ddc5e171691b38af6c73

SHA512
bee56f358a511ca3181756f41e9bec16004e27565850bb15e930d8a224278eabb9f9bc723cbec7397c13a25a43acbe183730d33dc2904fa7b2efaa9e601b5568

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
163KB

MD5
414491788cf0926ba99ac268ff2a3888

SHA1
783207bc450e2f0390144b682cb6997920038609

SHA256
378170e1b566a83c5587d33c87c0a1954937117d715f70d8c184eade2b7db75a

SHA512
998868991c65c6a836cfb987bdcf3abb770f843c73eb303ed4af9a54d8cb38ee57262e26bd1a772789f47d62fc350627160d23cde7df0c907a891d009fc82eff

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
163KB

MD5
2d900dd5f4b34806c6a3afb974cbfa04

SHA1
85917440e40dfb3f0f456daf0ac711d889482e47

SHA256
d69d68499efa347e31e2d3639137a5fa12a11cf95edb0cffbca8fe0528cedccc

SHA512
5cc00412eec3239d9739830f6ac41a0cde0086a89036469aa5ed391399a5c15161c82e5230f15598dcced45f5cc061f6607a420ef711bf06927f8d2d10e32eb1

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
163KB

MD5
d163356f77dfbd65a52de759597b61cc

SHA1
b00614b91e537223778b972fd3a178cbbaa5537c

SHA256
b7b2579f8c948844c16772b100b27c67a9ba4501d55740913f76ba5af8385f1c

SHA512
792ca1beef220d9d60250b294db6caefcae564fc92aeb624dd8a685ce6130170c924ad44c52ea1ed4524315df94baaf646b827434d6a3006011cea68451789f5

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
163KB

MD5
276d502cdebe49f4fc82cea062c2e0c1

SHA1
1aaac6454063c267067174f44f2d41dbbc030db4

SHA256
76fe842cbb04d164a57f90daebd603efa055aabefe29da05e0d625557bc2b6a7

SHA512
d14b9bba45164a8202dd3216d5bfdaea97c45d871220a6ace4118da6cc504507c3d0bf3c1a084cc68a4286e1d8aa79e245ab86015d28eeaf685c6de136bc20e0

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
163KB

MD5
5f6a3a50efe0503b95d32c8bc4b9af26

SHA1
386d75431768a6be0b42b36ffc0d060fda7e185b

SHA256
a3840923245d36cabc51a28f997b4c1cb2e41cb5166ac7ec5c5500b94aec76b3

SHA512
56884833b6844cf1a492956daffe35543d02700b6f74ba16d8324b69967f7dd6f53b8aff8d1c11a1485d72629c0dda3028b95854ebcf789fd20493abc19cb8cc

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
163KB

MD5
cd037984b40c7dd57c359b3bd73eeba4

SHA1
6646c9130d6ea6cc822a123b6b1d2422debc43b7

SHA256
6b27dfecc2156616ca8f7db837ebe145e68bc326f565a3aff4a74cdf172d3a0d

SHA512
e6afa5be4865d6d885cdceebcd776a67687c9c2a599b0ef6b331175f090d7b91f972a128e0ad758ac2a69e601fa2d5a4a9ed626ae90eaab260deadcbd72c4baa

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
163KB

MD5
0513482d40e39493b1d45822522ebdfb

SHA1
68e646f56b44c52bfd16f034ceb6ba95b5f5505d

SHA256
956d6394787037cff45b18253d57785fccf57de316c78d9b126d737f0eb5b48a

SHA512
d916d2b8bee50af9911ca77b5e49792ffbcb3c5adb7b5044170ea0d70498a67788b900c2419820fc9bed74c8772b82800e42855b515381677d34d582b96ebf79

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
163KB

MD5
4f474b59ce888708c4d09fac05455bba

SHA1
608df9c49aaa88f50184cae62762463734bbc3b2

SHA256
4e3c227660fbb95cdf665c76e83971ce2487b3e57663fcf4f4e32b4e21bfe6cc

SHA512
adacb071473671d368d9ffe382918f9ac774b742411e0d742113b4e2a4873e22862c12ada717168fe878a6e6c53d70584ee4c37a1e558452325464c7bd05fbd8

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
163KB

MD5
144e1471d34ab5d6b89c62145d01d10b

SHA1
70d11e32fe0238a9d1b3289ca33d0ef9075a4352

SHA256
e791c53b380d27a4835b0baba03d6a9703605192e090047557f5863b5fdfc8e3

SHA512
2168cbb8ed7b19cbd83af192502db19095e54ec9666f8c539f3cb640aafe3c39648a59f85595e86f1457823df6e60161fa310d9deef617b06c9a8760a9e5e409

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
163KB

MD5
ceceffcec19a57e51fa6f37eeb6f3c11

SHA1
5f0fed94c08d5fa99df0d24fc325467c325af386

SHA256
c2f54fc8398362a41f27d0d89af5c63ec771e334fb24a086fad6bd8093b06097

SHA512
666f14650d624809797a659569b0c1e06fddd861f5e40dba9a26cc20427a40a1f141c51bd90c9a58bc8c92b47bec30c0343d828fe154dd234371de1b28261fbf

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
163KB

MD5
9d7167fd7a9c960eebbca10986354bc2

SHA1
16691891744a9592cbe009cfeef880668b1404b8

SHA256
f099701612adaa655e80c56adbdaaa6792c4a4f631d167146b58ca7246239d57

SHA512
59f367f4de99e1c0aa0df580ed7c1e1e887a1bae76665454c8ff7e0fdd0569bf51e5ca9b78a0705cd8c566a451212e2c91769830aebac6dee9a546ad3971d502

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
163KB

MD5
3e832f5a545fca21a985f98a85fbdc36

SHA1
c46272605ed0580e821588c3dd8f46f05ff04a7b

SHA256
85e310533677e13bd967aa0d3f967b30a629f0e251c65b4eff17c7d54839311b

SHA512
80a49d0b4f3310e318ce2fa1bb8eeb6503c4b78a100e09dedda01740aa15b647a5f753b642a031939dedc3500471e415b9c3b1bc870fa1b82bd4abc165651ff5

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
163KB

MD5
6ad1604b01ca9ce271a5794fe94fed3b

SHA1
bc1688d821a114d4dba11c7d3eff2b8dc15ef261

SHA256
c78e399786a96b7fc7c375eaaac5a4276af823ce63dcdfefc889b30fbe8ab48d

SHA512
598c6513c5ca100a658f9129794ce242cdba8b33cfe57aee8010cfc97e34861ad9100590de68ecaa6b9d680712521f0c8fc68720463396eddd65168d61521d57

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
64KB

MD5
2d759072766be87d32c394df9f9eefdd

SHA1
3a442e98b554d053fbe14bc94f774b2c54e0cd19

SHA256
c7f5365e2fd95cfc2372c7c25a12e13ec6acd135ad85bf1057adeef29ba9450f

SHA512
a2174f3452192535f4f0fd71a5e4c8026136414a5d8d961b7ad3bc4b938466146af4c866cd4071c3e9529efc3a48ff2428650bcbee2e34b4feae9e0c6c4a8b4f

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
163KB

MD5
cf8c6028a66c84eb3441fcf54a7cb6a4

SHA1
460fbda6014c19228bbd41cace633bd05054bf50

SHA256
cdf1a6d64c8ec86fd1a09a02b863c4ec44afa3f189ba0054e14a3a91d2b27dd4

SHA512
0b2ad6111100760374583c4be410a5bd53dd87c9ffd47e44bb883b73c170a88fbb1e3a79447c8394c73a17301fe915e03e1bbfc27d6e74d95e17c0783d4d8d6c

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
163KB

MD5
104d1141c05655a8be71ab4b6950f82b

SHA1
c4d3adc2af1d9394a3ff2b329fd4a910ce1ef62d

SHA256
e2c1caf6874ee6de9d4826f1eb89c9bfd64ef51551a2cf307f3e16500015bf65

SHA512
3a621f49a7391feb3f246b95719690f24e5ca61c977edc709f78d3448ebb50690ac70680c0b8dcb11ab4901cee0849145bfad4bbb4c402bf49c50c38ab53c24c

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
163KB

MD5
be6af27623185b84b1854af3c5272b59

SHA1
67467be3bd6774170ab44891e18d5946c991a1e8

SHA256
b59406ed8799c839ea994f2caad1807286d5cbc486ed0d1506bde15959355a41

SHA512
7e357d2ae6192d644be9fc14d4466fd3be8a0c3b2f8071d36225b504f0cc17a3f7ec42f76ee6ad45147dc9e935e8f7cd1383005a56e0f41bc93c38c8c408602f

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
163KB

MD5
eea83d058948e3c8cc5e24a1432a0613

SHA1
40fa0d0a5eb2b09349be33615ee671daf3cf2c1c

SHA256
3584d6e6497deb929449da92efdcdcb7b2500427be859edb5e39b335a19ab78b

SHA512
68d3236aa0fca4970fae00427d83f03bbb054c5f1a5ebb6c7d30ac8d74c2bf63957453546b656827fe3eeb5a86ff5a145952ee15bfdc6d59db6ece8b85c6df07

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
163KB

MD5
aee665a2636e76f8c1d4933810cd53ee

SHA1
e2d62295690cb63ec113eb4cbd9a505a2d993b35

SHA256
17144c35d5e1f1e64b3b57f8c2097d354776de5bf36c29e3dae9e932b3d7f25a

SHA512
b8ac7ac4f830acc367f984ed05204abafde91bf71f02a87b017754e9709b45c05eade9841ea711ceefce4c56f0990b35b2b489406c9f7e5ea250cc923ff67c94

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
163KB

MD5
92ef90bfea08d990b5c114838518457f

SHA1
ad7c5a8282034fae92e7db671872208da624bdcf

SHA256
4cadb4dc68a9eba504147f93c841e2ba59c94c86684407f5687e52c0d5ba0426

SHA512
eda016b65b8c9066e423604e3ef1ac0f3447fe85ea3a827f1d18f6655ea9f5a6f5595ddf3a6edbc3aea99d5332ae1f3bdd8ef1afad6cc8478da91b02b3f86fbb

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
163KB

MD5
7ae4809dd0c36bc3d2ee7c4bd2be274a

SHA1
35b2bbeaaf92aaf2c26583f4e67755b13b937b23

SHA256
90d88576c96d800a33dc513e90468cf870fe63a1f14a618a94d630ca798b1fde

SHA512
d3004d9a11d16b171e6f0af06857dd238172c9fb6ad8cfb3a432d597dd37bd2363f1aafc2298d4a5870096e2fffb160e43c324ce8cb660c7cacf0d6ab07e7def

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
163KB

MD5
4a09927c2390934dcf1fb5998e7081a2

SHA1
82bc921fbb155ad3448689114acdb27f85d89ddf

SHA256
ad872014cc392d0dce94444f978b8e53a942c23834b80bd9a657b0a506d5cfe3

SHA512
4a41d91dfc0c31018d585c1b87a023b1b144c51385822c0b33d7cffaf075aca93b7b92a6aff796b4c387472fba4ccfd789f0fc553c0b06d7dea1ebc4d95d877d

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
163KB

MD5
a0078bed87e1cd4cf396e83b36b6aa81

SHA1
3d11b2895d125f006aff2dbe0577be34eefbd486

SHA256
3ae9d2abe0640764ec8b09605876df0c0aba074da739b112df98fd42b03433fc

SHA512
ed0683ed340d1dc36b6294ca7536f39dee21991ea479be864cfd74b90f0aeaf08847f0de71a11288ffa4e1fbd9f2dfe7738f320545fcdb99c15bebbe429d8222

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
163KB

MD5
2610a0745f5caf02adace17faf4b9f89

SHA1
33bc5818d46535cf20a565d8b20ca066c24ca556

SHA256
827c681c1873a5681fa70e10b6322f5dd9650ba8ff509f066be5ad9a139f7d8f

SHA512
e7a8fd34e1551b7e6391a79c7a01ec2c273832a134e47388bfd0ae58d015c672cdb29422d119520cca830a96452f106d7119e1a7beb6dc8ecd8c16ae92dbe40c

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
163KB

MD5
c5c0de1fb209811a80b2a12b543dcbf6

SHA1
875aa48b590f7ca1d28678ed0746c2238e61e6c7

SHA256
59de4af3a1abdb3a43cda12cda13b370cf497e7f3894a12d043341e1eb003ae2

SHA512
695d14a0246e58d91a85d06c29c299db9bd147b407241724d5b4dad7d108adb13e36d5bb9456bea125e7826208703561c68e70a955f2e7ba26b3bebc0e5651cf

Download Submit
memory/184-1044-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/184-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/212-468-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/536-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/624-420-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/640-533-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/640-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/640-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/748-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/836-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/836-546-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/952-952-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1048-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1132-206-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1344-432-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1348-498-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1384-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-540-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1500-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1516-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1572-560-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1572-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1592-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1636-574-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1680-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1768-504-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1804-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1824-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1848-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1876-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1908-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1912-426-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1944-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-496-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1972-198-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2032-594-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2284-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-553-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2336-456-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2344-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2384-567-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2384-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2468-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2476-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2500-438-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2532-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2584-414-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2664-444-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2664-1010-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2712-450-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2968-1100-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2968-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-547-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3056-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3084-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3104-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3148-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3148-573-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3184-515-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3296-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3308-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3312-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3448-948-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3492-581-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3532-521-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-938-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3656-554-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3672-480-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3692-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3716-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3744-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3744-1026-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3860-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3896-527-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3940-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3968-486-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4012-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4164-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4176-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4232-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4232-587-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4264-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4268-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4292-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4292-593-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4368-474-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4436-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4472-462-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4500-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4512-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4588-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4604-173-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4656-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4660-561-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4684-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4684-580-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4708-534-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4832-212-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5012-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5052-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads