berbew | 2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233N.exe
Size

93KB
MD5

7e3e109ae271b5d80efc698987af5f20
SHA1

9786092c584353e96d87049769faf1889fd79428
SHA256

2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233
SHA512

afb720ba3d8d4cdabddb9f5616c8e8d58b4c6f055feed8d3e95f87a820d6bf481d83c47d5c8c894bfab0b69bc45fa0b0deeed33466936e16c0bcc120206fca4a
SSDEEP

1536:O3z7EYO8hWbYEl3A5NaOKgWNcOXBroABew96QJb1DaYfMZRWuLsV+1Z:ODoCWbYyGNKgAVhbgYfc0DV+1Z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nocpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omcpkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Appapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adpgkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khifln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbpajk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baiqpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgdeicjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keappapf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhpeckqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbkfap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjohcdab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcglj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oijqpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njkail32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqqpjgio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njkail32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcglj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdclgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mafmfqij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiohfpfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klndbkep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mohpjejf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Momjed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplfog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moacqdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obbeimaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgdmjpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aificcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpgqgjel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caijfljl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppphipgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oodimaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakdnqdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpidfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kihbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnjniid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhgkdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lefika32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhbbegj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaajdckb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjbnbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nicjph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piagafda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhfne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiohfpfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjdkhmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqjbqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pifple32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcbjjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aidlmcdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apekklea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljfogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbndekfm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjbhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcjide32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmgpoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ammlhbnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capgpnbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdqpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khmogmal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Badgdold.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2948	Jhfifngd.exe
180	Jopabhna.exe
3776	Kaonodme.exe
2576	Khifln32.exe
3492	Kocnhhlo.exe
1176	Kaajdckb.exe
1960	Kihbeald.exe
964	Kpbjbk32.exe
4824	Kacgjc32.exe
2140	Khmogmal.exe
2108	Koggcg32.exe
2288	Keappapf.exe
4528	Khpllmoj.exe
4604	Kpgdmjpl.exe
1724	Kahpebej.exe
5088	Kiohfpfl.exe
1576	Klndbkep.exe
672	Lefika32.exe
372	Lcjide32.exe
4848	Lpnjniid.exe
2860	Ljfogo32.exe
5048	Locgof32.exe
4620	Ljiklonb.exe
4408	Ladpaakm.exe
3252	Ljkhbnlo.exe
744	Mohpjejf.exe
1236	Mafmfqij.exe
4184	Mhpeckqg.exe
1012	Mojmpe32.exe
5092	Mbhilp32.exe
4356	Mhbaijod.exe
2384	Momjed32.exe
1424	Mbkfap32.exe
2324	Mjbnbm32.exe
3132	Mplfog32.exe
1964	Mjdkhmcd.exe
920	Mhgkdj32.exe
212	Moacqdbl.exe
4092	Mfkkmn32.exe
1536	Nqqpjgio.exe
3480	Nocpfc32.exe
2676	Nhldoifj.exe
3580	Nmgpoh32.exe
3108	Njkail32.exe
704	Nfbanm32.exe
688	Nokfgbja.exe
4064	Nicjph32.exe
4256	Nqjbqe32.exe
2568	Nfgkilok.exe
2740	Oqlofeoa.exe
4900	Ockkbqne.exe
3336	Ojecok32.exe
4128	Omcpkf32.exe
4088	Ooalga32.exe
4192	Oijqpg32.exe
540	Oodimaaf.exe
8	Obbeimaj.exe
1368	Oilmfg32.exe
4780	Opfebqpd.exe
3636	Ocbacp32.exe
4856	Oiojkffd.exe
1180	Oqfblcgf.exe
4496	Ocdnhofj.exe
3508	Piagafda.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kaajdckb.exe	Kocnhhlo.exe
File created	C:\Windows\SysWOW64\Nocpfc32.exe	Nqqpjgio.exe
File created	C:\Windows\SysWOW64\Nicjph32.exe	Nokfgbja.exe
File created	C:\Windows\SysWOW64\Badgdold.exe	Bjjohe32.exe
File opened for modification	C:\Windows\SysWOW64\Cgjbcebq.exe	Cbofbf32.exe
File created	C:\Windows\SysWOW64\Jehnpp32.dll	Kiohfpfl.exe
File created	C:\Windows\SysWOW64\Ofamgchd.dll	Ladpaakm.exe
File created	C:\Windows\SysWOW64\Oljcip32.dll	Qbggkiob.exe
File created	C:\Windows\SysWOW64\Lknqij32.dll	Aificcbj.exe
File created	C:\Windows\SysWOW64\Apekklea.exe	Amfooafm.exe
File created	C:\Windows\SysWOW64\Pnhejh32.dll	Adpgkk32.exe
File created	C:\Windows\SysWOW64\Pcigff32.dll	Badgdold.exe
File opened for modification	C:\Windows\SysWOW64\Bdlfgicm.exe	Bmbnjo32.exe
File created	C:\Windows\SysWOW64\Kellfi32.dll	Cbofbf32.exe
File created	C:\Windows\SysWOW64\Djdeeb32.dll	Cpgqgjel.exe
File opened for modification	C:\Windows\SysWOW64\Keappapf.exe	Koggcg32.exe
File created	C:\Windows\SysWOW64\Klndbkep.exe	Kiohfpfl.exe
File created	C:\Windows\SysWOW64\Difbepij.dll	Mbhilp32.exe
File opened for modification	C:\Windows\SysWOW64\Nicjph32.exe	Nokfgbja.exe
File opened for modification	C:\Windows\SysWOW64\Ocbacp32.exe	Opfebqpd.exe
File created	C:\Windows\SysWOW64\Ajapoogl.dll	Pbbnpj32.exe
File created	C:\Windows\SysWOW64\Cefhip32.dll	Aidlmcdl.exe
File created	C:\Windows\SysWOW64\Hmidnd32.dll	Cagmamlo.exe
File created	C:\Windows\SysWOW64\Egegihlf.dll	Kpbjbk32.exe
File created	C:\Windows\SysWOW64\Mahfflab.dll	Keappapf.exe
File created	C:\Windows\SysWOW64\Mohpjejf.exe	Ljkhbnlo.exe
File created	C:\Windows\SysWOW64\Oodimaaf.exe	Oijqpg32.exe
File created	C:\Windows\SysWOW64\Bmmiandi.dll	Paaahbmi.exe
File created	C:\Windows\SysWOW64\Baiqpo32.exe	Bjohcdab.exe
File opened for modification	C:\Windows\SysWOW64\Jopabhna.exe	Jhfifngd.exe
File created	C:\Windows\SysWOW64\Pcgfjiai.dll	Lcjide32.exe
File created	C:\Windows\SysWOW64\Okfkbcef.dll	Qcbjjm32.exe
File created	C:\Windows\SysWOW64\Hbbqkplf.dll	Bmkhip32.exe
File created	C:\Windows\SysWOW64\Menogiid.dll	2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233N.exe
File opened for modification	C:\Windows\SysWOW64\Khifln32.exe	Kaonodme.exe
File opened for modification	C:\Windows\SysWOW64\Lpnjniid.exe	Lcjide32.exe
File created	C:\Windows\SysWOW64\Oijqpg32.exe	Ooalga32.exe
File created	C:\Windows\SysWOW64\Opfebqpd.exe	Oilmfg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmopgdjh.exe	Pjqckikd.exe
File created	C:\Windows\SysWOW64\Dmabfe32.dll	Afjjlg32.exe
File created	C:\Windows\SysWOW64\Nikpidbp.dll	Bdepfjie.exe
File opened for modification	C:\Windows\SysWOW64\Ciioopad.exe	Cgjbcebq.exe
File created	C:\Windows\SysWOW64\Ppedgp32.dll	Cpcglj32.exe
File opened for modification	C:\Windows\SysWOW64\Mfkkmn32.exe	Moacqdbl.exe
File created	C:\Windows\SysWOW64\Nlcfjg32.dll	Nhldoifj.exe
File created	C:\Windows\SysWOW64\Bpdnde32.dll	Njkail32.exe
File created	C:\Windows\SysWOW64\Nqjbqe32.exe	Nicjph32.exe
File created	C:\Windows\SysWOW64\Jicnaean.dll	Pihmae32.exe
File opened for modification	C:\Windows\SysWOW64\Apekklea.exe	Amfooafm.exe
File created	C:\Windows\SysWOW64\Jgdjkb32.dll	Bkaehdoo.exe
File created	C:\Windows\SysWOW64\Omaffope.dll	Bdlfgicm.exe
File created	C:\Windows\SysWOW64\Dghodc32.exe	Ddjbhg32.exe
File opened for modification	C:\Windows\SysWOW64\Kahpebej.exe	Kpgdmjpl.exe
File created	C:\Windows\SysWOW64\Nokfgbja.exe	Nfbanm32.exe
File created	C:\Windows\SysWOW64\Qafkca32.exe	Qjlcfgag.exe
File created	C:\Windows\SysWOW64\Bfhfne32.exe	Bdjjaj32.exe
File opened for modification	C:\Windows\SysWOW64\Mafmfqij.exe	Mohpjejf.exe
File created	C:\Windows\SysWOW64\Mjbnbm32.exe	Mbkfap32.exe
File opened for modification	C:\Windows\SysWOW64\Nokfgbja.exe	Nfbanm32.exe
File opened for modification	C:\Windows\SysWOW64\Pmcibc32.exe	Pihmae32.exe
File created	C:\Windows\SysWOW64\Olfilcpm.dll	Bpidfl32.exe
File created	C:\Windows\SysWOW64\Kihbeald.exe	Kaajdckb.exe
File opened for modification	C:\Windows\SysWOW64\Kihbeald.exe	Kaajdckb.exe
File opened for modification	C:\Windows\SysWOW64\Lefika32.exe	Klndbkep.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5752	5664	WerFault.exe	217

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbnjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgdeicjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfbanm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbggkiob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ladpaakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbhilp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khmogmal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpeckqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkanob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjbhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khifln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefika32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgkilok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkhip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caijfljl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahpebej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klndbkep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfblcgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmopgdjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbpajk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjohcdab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgdmjpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjdkhmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagmamlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjqckikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bideda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apekklea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Capgpnbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaajdckb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjbnbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ablafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhbbegj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpggpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnjniid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qafkca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqjbqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhfbhip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhgkdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oodimaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdjjaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njkail32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpidfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdepfjie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kihbeald.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfkkmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqqpjgio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaidd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaonodme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplfog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nokfgbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dghodc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljiklonb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Momjed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adpgkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcjide32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Appapm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihmae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdqpbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moacqdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooalga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aapnip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdgmlj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofcgjakk.dll"	Kocnhhlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbpajk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcbjjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefhip32.dll"	Aidlmcdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkhip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcjide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljkhbnlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaddkd32.dll"	Mhgkdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nicjph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbggkiob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bakmen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocnhhlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keappapf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbkfap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apkhdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgjbcebq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgmoidqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jehnpp32.dll"	Kiohfpfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niioeimq.dll"	Mohpjejf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbkfap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ooalga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgmihlci.dll"	Ooalga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjqckikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ammlhbnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblanggg.dll"	Cgaidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacgjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhbaijod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhbaijod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiflofgh.dll"	Mjbnbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppkonp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgjbcebq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Menogiid.dll"	2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Locgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbddcd32.dll"	Mhpeckqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goknaj32.dll"	Nfbanm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoeidjd.dll"	Ocdnhofj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piagafda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbofbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmaahjld.dll"	Dghodc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jopabhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpbjbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqqpjgio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgkilok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oodimaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbpajk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paaahbmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnjniid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obbeimaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmaacp32.dll"	Oiojkffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mplfog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfbanm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjllkfe.dll"	Oodimaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbhpocn.dll"	Piagafda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Badgdold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjohcdab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekcnlhjn.dll"	Cgjbcebq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhheiima.dll"	Capgpnbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caijfljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achqckch.dll"	Mhbaijod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aificcbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Capgpnbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgdeicjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcjide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcgfjiai.dll"	Lcjide32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 2948	4616	2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233N.exe	82
PID 4616 wrote to memory of 2948	4616	2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233N.exe	82
PID 4616 wrote to memory of 2948	4616	2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233N.exe	82
PID 2948 wrote to memory of 180	2948	Jhfifngd.exe	83
PID 2948 wrote to memory of 180	2948	Jhfifngd.exe	83
PID 2948 wrote to memory of 180	2948	Jhfifngd.exe	83
PID 180 wrote to memory of 3776	180	Jopabhna.exe	84
PID 180 wrote to memory of 3776	180	Jopabhna.exe	84
PID 180 wrote to memory of 3776	180	Jopabhna.exe	84
PID 3776 wrote to memory of 2576	3776	Kaonodme.exe	85
PID 3776 wrote to memory of 2576	3776	Kaonodme.exe	85
PID 3776 wrote to memory of 2576	3776	Kaonodme.exe	85
PID 2576 wrote to memory of 3492	2576	Khifln32.exe	86
PID 2576 wrote to memory of 3492	2576	Khifln32.exe	86
PID 2576 wrote to memory of 3492	2576	Khifln32.exe	86
PID 3492 wrote to memory of 1176	3492	Kocnhhlo.exe	87
PID 3492 wrote to memory of 1176	3492	Kocnhhlo.exe	87
PID 3492 wrote to memory of 1176	3492	Kocnhhlo.exe	87
PID 1176 wrote to memory of 1960	1176	Kaajdckb.exe	88
PID 1176 wrote to memory of 1960	1176	Kaajdckb.exe	88
PID 1176 wrote to memory of 1960	1176	Kaajdckb.exe	88
PID 1960 wrote to memory of 964	1960	Kihbeald.exe	89
PID 1960 wrote to memory of 964	1960	Kihbeald.exe	89
PID 1960 wrote to memory of 964	1960	Kihbeald.exe	89
PID 964 wrote to memory of 4824	964	Kpbjbk32.exe	90
PID 964 wrote to memory of 4824	964	Kpbjbk32.exe	90
PID 964 wrote to memory of 4824	964	Kpbjbk32.exe	90
PID 4824 wrote to memory of 2140	4824	Kacgjc32.exe	91
PID 4824 wrote to memory of 2140	4824	Kacgjc32.exe	91
PID 4824 wrote to memory of 2140	4824	Kacgjc32.exe	91
PID 2140 wrote to memory of 2108	2140	Khmogmal.exe	92
PID 2140 wrote to memory of 2108	2140	Khmogmal.exe	92
PID 2140 wrote to memory of 2108	2140	Khmogmal.exe	92
PID 2108 wrote to memory of 2288	2108	Koggcg32.exe	93
PID 2108 wrote to memory of 2288	2108	Koggcg32.exe	93
PID 2108 wrote to memory of 2288	2108	Koggcg32.exe	93
PID 2288 wrote to memory of 4528	2288	Keappapf.exe	94
PID 2288 wrote to memory of 4528	2288	Keappapf.exe	94
PID 2288 wrote to memory of 4528	2288	Keappapf.exe	94
PID 4528 wrote to memory of 4604	4528	Khpllmoj.exe	95
PID 4528 wrote to memory of 4604	4528	Khpllmoj.exe	95
PID 4528 wrote to memory of 4604	4528	Khpllmoj.exe	95
PID 4604 wrote to memory of 1724	4604	Kpgdmjpl.exe	96
PID 4604 wrote to memory of 1724	4604	Kpgdmjpl.exe	96
PID 4604 wrote to memory of 1724	4604	Kpgdmjpl.exe	96
PID 1724 wrote to memory of 5088	1724	Kahpebej.exe	97
PID 1724 wrote to memory of 5088	1724	Kahpebej.exe	97
PID 1724 wrote to memory of 5088	1724	Kahpebej.exe	97
PID 5088 wrote to memory of 1576	5088	Kiohfpfl.exe	98
PID 5088 wrote to memory of 1576	5088	Kiohfpfl.exe	98
PID 5088 wrote to memory of 1576	5088	Kiohfpfl.exe	98
PID 1576 wrote to memory of 672	1576	Klndbkep.exe	99
PID 1576 wrote to memory of 672	1576	Klndbkep.exe	99
PID 1576 wrote to memory of 672	1576	Klndbkep.exe	99
PID 672 wrote to memory of 372	672	Lefika32.exe	100
PID 672 wrote to memory of 372	672	Lefika32.exe	100
PID 672 wrote to memory of 372	672	Lefika32.exe	100
PID 372 wrote to memory of 4848	372	Lcjide32.exe	101
PID 372 wrote to memory of 4848	372	Lcjide32.exe	101
PID 372 wrote to memory of 4848	372	Lcjide32.exe	101
PID 4848 wrote to memory of 2860	4848	Lpnjniid.exe	102
PID 4848 wrote to memory of 2860	4848	Lpnjniid.exe	102
PID 4848 wrote to memory of 2860	4848	Lpnjniid.exe	102
PID 2860 wrote to memory of 5048	2860	Ljfogo32.exe	103

C:\Users\Admin\AppData\Local\Temp\2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233N.exe
"C:\Users\Admin\AppData\Local\Temp\2467e4ad399c0c18df2b3529d8ba8c97441b86c31141ccf6430ed42b825d4233N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\SysWOW64\Jhfifngd.exe
  C:\Windows\system32\Jhfifngd.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\Jopabhna.exe
    C:\Windows\system32\Jopabhna.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:180
  - - C:\Windows\SysWOW64\Kaonodme.exe
      C:\Windows\system32\Kaonodme.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\SysWOW64\Khifln32.exe
        
        C:\Windows\system32\Khifln32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\Kocnhhlo.exe
        
        C:\Windows\system32\Kocnhhlo.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Kaajdckb.exe
        
        C:\Windows\system32\Kaajdckb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Kihbeald.exe
        
        C:\Windows\system32\Kihbeald.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Kpbjbk32.exe
        
        C:\Windows\system32\Kpbjbk32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Kacgjc32.exe
        
        C:\Windows\system32\Kacgjc32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Khmogmal.exe
        
        C:\Windows\system32\Khmogmal.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Koggcg32.exe
        
        C:\Windows\system32\Koggcg32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Keappapf.exe
        
        C:\Windows\system32\Keappapf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Khpllmoj.exe
        
        C:\Windows\system32\Khpllmoj.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Kpgdmjpl.exe
        
        C:\Windows\system32\Kpgdmjpl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Kahpebej.exe
        
        C:\Windows\system32\Kahpebej.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Kiohfpfl.exe
        
        C:\Windows\system32\Kiohfpfl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Klndbkep.exe
        
        C:\Windows\system32\Klndbkep.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Lefika32.exe
        
        C:\Windows\system32\Lefika32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Lcjide32.exe
        
        C:\Windows\system32\Lcjide32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Lpnjniid.exe
        
        C:\Windows\system32\Lpnjniid.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Ljfogo32.exe
        
        C:\Windows\system32\Ljfogo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Locgof32.exe
        
        C:\Windows\system32\Locgof32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Ljiklonb.exe
        
        C:\Windows\system32\Ljiklonb.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Ladpaakm.exe
        
        C:\Windows\system32\Ladpaakm.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Ljkhbnlo.exe
        
        C:\Windows\system32\Ljkhbnlo.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Mohpjejf.exe
        
        C:\Windows\system32\Mohpjejf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Mafmfqij.exe
        
        C:\Windows\system32\Mafmfqij.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\Mhpeckqg.exe
        
        C:\Windows\system32\Mhpeckqg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Mojmpe32.exe
        
        C:\Windows\system32\Mojmpe32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Mbhilp32.exe
        
        C:\Windows\system32\Mbhilp32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Mhbaijod.exe
        
        C:\Windows\system32\Mhbaijod.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Momjed32.exe
        
        C:\Windows\system32\Momjed32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Mbkfap32.exe
        
        C:\Windows\system32\Mbkfap32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Mjbnbm32.exe
        
        C:\Windows\system32\Mjbnbm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Mplfog32.exe
        
        C:\Windows\system32\Mplfog32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Mjdkhmcd.exe
        
        C:\Windows\system32\Mjdkhmcd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Mhgkdj32.exe
        
        C:\Windows\system32\Mhgkdj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Moacqdbl.exe
        
        C:\Windows\system32\Moacqdbl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Mfkkmn32.exe
        
        C:\Windows\system32\Mfkkmn32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Nqqpjgio.exe
        
        C:\Windows\system32\Nqqpjgio.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Nocpfc32.exe
        
        C:\Windows\system32\Nocpfc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Nhldoifj.exe
        
        C:\Windows\system32\Nhldoifj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\Nmgpoh32.exe
        
        C:\Windows\system32\Nmgpoh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\Njkail32.exe
        
        C:\Windows\system32\Njkail32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Nfbanm32.exe
        
        C:\Windows\system32\Nfbanm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Nokfgbja.exe
        
        C:\Windows\system32\Nokfgbja.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Nicjph32.exe
        
        C:\Windows\system32\Nicjph32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Nqjbqe32.exe
        
        C:\Windows\system32\Nqjbqe32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\Nfgkilok.exe
        
        C:\Windows\system32\Nfgkilok.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Oqlofeoa.exe
        
        C:\Windows\system32\Oqlofeoa.exe
        51⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Ockkbqne.exe
        
        C:\Windows\system32\Ockkbqne.exe
        52⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Ojecok32.exe
        
        C:\Windows\system32\Ojecok32.exe
        53⤵
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Omcpkf32.exe
        
        C:\Windows\system32\Omcpkf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Ooalga32.exe
        
        C:\Windows\system32\Ooalga32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Oijqpg32.exe
        
        C:\Windows\system32\Oijqpg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Oodimaaf.exe
        
        C:\Windows\system32\Oodimaaf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Obbeimaj.exe
        
        C:\Windows\system32\Obbeimaj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Oilmfg32.exe
        
        C:\Windows\system32\Oilmfg32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Opfebqpd.exe
        
        C:\Windows\system32\Opfebqpd.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ocbacp32.exe
        
        C:\Windows\system32\Ocbacp32.exe
        61⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Oiojkffd.exe
        
        C:\Windows\system32\Oiojkffd.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Oqfblcgf.exe
        
        C:\Windows\system32\Oqfblcgf.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\Ocdnhofj.exe
        
        C:\Windows\system32\Ocdnhofj.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Piagafda.exe
        
        C:\Windows\system32\Piagafda.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Ppkonp32.exe
        
        C:\Windows\system32\Ppkonp32.exe
        66⤵
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Pbikjl32.exe
        
        C:\Windows\system32\Pbikjl32.exe
        67⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Pjqckikd.exe
        
        C:\Windows\system32\Pjqckikd.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Pmopgdjh.exe
        
        C:\Windows\system32\Pmopgdjh.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Pfgdpj32.exe
        
        C:\Windows\system32\Pfgdpj32.exe
        70⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Pifple32.exe
        
        C:\Windows\system32\Pifple32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:220
        
        C:\Windows\SysWOW64\Ppphipgi.exe
        
        C:\Windows\system32\Ppphipgi.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5112
        
        C:\Windows\SysWOW64\Pbndekfm.exe
        
        C:\Windows\system32\Pbndekfm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:324
        
        C:\Windows\SysWOW64\Pihmae32.exe
        
        C:\Windows\system32\Pihmae32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\Pmcibc32.exe
        
        C:\Windows\system32\Pmcibc32.exe
        75⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\Pbpajk32.exe
        
        C:\Windows\system32\Pbpajk32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Paaahbmi.exe
        
        C:\Windows\system32\Paaahbmi.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Pbbnpj32.exe
        
        C:\Windows\system32\Pbbnpj32.exe
        78⤵
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\Qimfmdjd.exe
        
        C:\Windows\system32\Qimfmdjd.exe
        79⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Qcbjjm32.exe
        
        C:\Windows\system32\Qcbjjm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Qjlcfgag.exe
        
        C:\Windows\system32\Qjlcfgag.exe
        81⤵
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Qafkca32.exe
        
        C:\Windows\system32\Qafkca32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\Qbggkiob.exe
        
        C:\Windows\system32\Qbggkiob.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Ammlhbnh.exe
        
        C:\Windows\system32\Ammlhbnh.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Apkhdn32.exe
        
        C:\Windows\system32\Apkhdn32.exe
        85⤵
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Aidlmcdl.exe
        
        C:\Windows\system32\Aidlmcdl.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Aakdnqdo.exe
        
        C:\Windows\system32\Aakdnqdo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4864
        
        C:\Windows\SysWOW64\Ablafi32.exe
        
        C:\Windows\system32\Ablafi32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\Aificcbj.exe
        
        C:\Windows\system32\Aificcbj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Appapm32.exe
        
        C:\Windows\system32\Appapm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Afjjlg32.exe
        
        C:\Windows\system32\Afjjlg32.exe
        91⤵
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Aihfhb32.exe
        
        C:\Windows\system32\Aihfhb32.exe
        92⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Aapnip32.exe
        
        C:\Windows\system32\Aapnip32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Abajahfg.exe
        
        C:\Windows\system32\Abajahfg.exe
        94⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Ajhbbegj.exe
        
        C:\Windows\system32\Ajhbbegj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Amfooafm.exe
        
        C:\Windows\system32\Amfooafm.exe
        96⤵
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Apekklea.exe
        
        C:\Windows\system32\Apekklea.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\Adpgkk32.exe
        
        C:\Windows\system32\Adpgkk32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Bjjohe32.exe
        
        C:\Windows\system32\Bjjohe32.exe
        99⤵
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Badgdold.exe
        
        C:\Windows\system32\Badgdold.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Bpggpl32.exe
        
        C:\Windows\system32\Bpggpl32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Bfapmfkk.exe
        
        C:\Windows\system32\Bfapmfkk.exe
        102⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Bmkhip32.exe
        
        C:\Windows\system32\Bmkhip32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Bpidfl32.exe
        
        C:\Windows\system32\Bpidfl32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Bdepfjie.exe
        
        C:\Windows\system32\Bdepfjie.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Bjohcdab.exe
        
        C:\Windows\system32\Bjohcdab.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Baiqpo32.exe
        
        C:\Windows\system32\Baiqpo32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:536
        
        C:\Windows\SysWOW64\Bdgmlj32.exe
        
        C:\Windows\system32\Bdgmlj32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Bkaehdoo.exe
        
        C:\Windows\system32\Bkaehdoo.exe
        109⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Bideda32.exe
        
        C:\Windows\system32\Bideda32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Bakmen32.exe
        
        C:\Windows\system32\Bakmen32.exe
        111⤵
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Bdjjaj32.exe
        
        C:\Windows\system32\Bdjjaj32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\Bfhfne32.exe
        
        C:\Windows\system32\Bfhfne32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:996
        
        C:\Windows\SysWOW64\Bkcbnd32.exe
        
        C:\Windows\system32\Bkcbnd32.exe
        114⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\Bmbnjo32.exe
        
        C:\Windows\system32\Bmbnjo32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Bdlfgicm.exe
        
        C:\Windows\system32\Bdlfgicm.exe
        116⤵
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Cbofbf32.exe
        
        C:\Windows\system32\Cbofbf32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Cgjbcebq.exe
        
        C:\Windows\system32\Cgjbcebq.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Ciioopad.exe
        
        C:\Windows\system32\Ciioopad.exe
        119⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Capgpnbf.exe
        
        C:\Windows\system32\Capgpnbf.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Cpcglj32.exe
        
        C:\Windows\system32\Cpcglj32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Cgmoidqn.exe
        
        C:\Windows\system32\Cgmoidqn.exe
        122⤵
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Cdqpbi32.exe
        
        C:\Windows\system32\Cdqpbi32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Cpgqgjel.exe
        
        C:\Windows\system32\Cpgqgjel.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Cdclgh32.exe
        
        C:\Windows\system32\Cdclgh32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Cgaidd32.exe
        
        C:\Windows\system32\Cgaidd32.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Cagmamlo.exe
        
        C:\Windows\system32\Cagmamlo.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Cgdeicjf.exe
        
        C:\Windows\system32\Cgdeicjf.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Caijfljl.exe
        
        C:\Windows\system32\Caijfljl.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Ddhfbhip.exe
        
        C:\Windows\system32\Ddhfbhip.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Dkanob32.exe
        
        C:\Windows\system32\Dkanob32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Dmpjlm32.exe
        
        C:\Windows\system32\Dmpjlm32.exe
        132⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Ddjbhg32.exe
        
        C:\Windows\system32\Ddjbhg32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Dghodc32.exe
        
        C:\Windows\system32\Dghodc32.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Dnbgamnm.exe
        
        C:\Windows\system32\Dnbgamnm.exe
        135⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 400
        136⤵
        Program crash
        
        PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5664 -ip 5664
1⤵
PID:5724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjjlg32.exe

Filesize
93KB

MD5
95b761f5543c6e0e8e650a970750a4bd

SHA1
2c69d399c026640a7f582166983cf229601f1ca9

SHA256
08d5001a8ffa7e53aab58fb93199ebdd6678e4a8c9955cb53387257c4bf91043

SHA512
cc4a3b57ef2ef4517554fb2bfcb9af46fe37f42747e7b57fe597d0030bd125fd0dad01bed3c3b3f47d844ec6a51a580dc33c9eed0ae0ca303a03753d012ce1d2

Download Submit
C:\Windows\SysWOW64\Aidlmcdl.exe

Filesize
93KB

MD5
c2b0d242f648d555ca47abc0301bd385

SHA1
8550b3949e87c6d198260d55b2bfceac279e146f

SHA256
b4de5138ca92425d877ff040b48a19f042caa3e1b4e71ef85412682dd13fde04

SHA512
2b2a7f7895c8d140c37d2f8e8f574aa66d4f5f5664f0b1718690c7f7e29158a09fab65f5c27317f51fe37c437a6c050caf8d9840fdd846bba7281f39b3875fea

Download Submit
C:\Windows\SysWOW64\Ajhbbegj.exe

Filesize
93KB

MD5
6a43cfe37671d57e86791b67b0294b3b

SHA1
89774726be9a92f033ca608e8bf4cf2fe70e877d

SHA256
d5283776772047697dda87c0d2d57f0cad9ad7edda52d872443dff53ec5694f0

SHA512
52822e2e573aa0857cc66261afe1b6665be3311292d1f791a4122b0a44ffea45579cc788af4039d19ea9539725132ade57e9c57bd3a9d9b9b652e9d43dd92f8d

Download Submit
C:\Windows\SysWOW64\Bdgmlj32.exe

Filesize
93KB

MD5
23b8c51ede0d26fc45367aba1677316f

SHA1
0f24e435b658ccdf1a1528312da4a4c42d1b4676

SHA256
5f05fb4360be8c864c47a8320f6e5ee278846da750337eeca89feea2aa7ab1b4

SHA512
726fb39e93d66686529289aaf108c3ce4e122fdaef7d106057a711fc0190c7e50834f871c5cd6845641e82114f8392211466e79201431123e561814ed72fb702

Download Submit
C:\Windows\SysWOW64\Bfapmfkk.exe

Filesize
93KB

MD5
a85c7ff7d6fcede5f1933ab593d64b4c

SHA1
e2dba8b4421af84bd5fa0859d543a1647e991407

SHA256
3a9f575f2f8a382843a31c00d97bbb4a1a7b095e2307caf7817ff17fd768e8cf

SHA512
d82b521501d2c39c7eed5de02a8bb632bd4e6f205d989845b371314da530468858280f5c30fc4a291eefa22dc0ade7205fe7bc223f09c46936247c63974b96e2

Download Submit
C:\Windows\SysWOW64\Bjjohe32.exe

Filesize
93KB

MD5
1649d6b3dc07eb9e3c11953d715c1e50

SHA1
92718b533129310ad30aac048b7458e8efb321de

SHA256
2df560353df4bbe7724f145ae91ed954779cbea442c07dc59b8e47a658c5bcae

SHA512
247a67396aab1bfc3f429596f303382ba10e5706c097350bc6df3929f6797345e0baf2211d42e70b1e96740311752f1de1664ace463dc1a8ed7afcae86db4aca

Download Submit
C:\Windows\SysWOW64\Bjohcdab.exe

Filesize
93KB

MD5
4c045f4d485ec736fe9e6263003fa1c6

SHA1
8c56bd97b957f863318b0c8c641ee0d4922fb33f

SHA256
c362102df75fbf9a94f58ac8bc9941b2c816a5d297f4da184c4cbbb5da5da26d

SHA512
b42abe33b1c2453ab00c341a9c0f96df01ce36518441afdb411ac822e4a8a7136a162b522a993090496ae7b052af4d53d925e859f51e768e691ed22fafaab147

Download Submit
C:\Windows\SysWOW64\Cagmamlo.exe

Filesize
93KB

MD5
ffa0c267dc9da7cd6686c95228c85509

SHA1
4429d528d9d48968e5cd1d18159c7107691dad29

SHA256
7059113ad2cb329b4de1b9cf8da67005b8158f780102c285936256d3664203af

SHA512
804cbf428d715ba6f6a70140a1bf2e99cf1409475310cc67ff26c0b60803b50ee755ec5f562f47b696a1f665c0ae93257ce30216a9bcc49951f906442aca9117

Download Submit
C:\Windows\SysWOW64\Caijfljl.exe

Filesize
93KB

MD5
eef4a0087b1fe208f27b46bac18c6dc5

SHA1
3b9e58153b4c1052a3aa1d4ce1a51b4555a2b8df

SHA256
20d56d377c2a7893bcebbb729dc1d63d128db44f61c683fd3c2e5c8d28e1733c

SHA512
33274ffa7e3aad1ac5911ab6d2177fb5e9dbe4109dae137b2eee6f51ce8535b043f85351f231e46d49862c36f084b41ca7a7ca9fabf45f109db388e19864ad5e

Download Submit
C:\Windows\SysWOW64\Ddjbhg32.exe

Filesize
93KB

MD5
c5bd9638ce4cb94bdad012c5092f7e84

SHA1
b59a2625f19dcf21da509f558c5cfcd9c0c8b061

SHA256
7fccd6fb5d3d64db50c626192c8d82a0f36ecf50551ac9c44a5a0cf0fa7c4eb9

SHA512
0908090e7b2920a2d28d85fbf7684f04463867781f394077f68a0e74682f2c5867d7d2c5da9088675082090e29c58c0d735dab134bc13fc504d2eca2f663fba8

Download Submit
C:\Windows\SysWOW64\Jhfifngd.exe

Filesize
93KB

MD5
be07860559c16ab8b254f9127029c220

SHA1
1c0c29b60865c1fe9933643aee0cb53c683106d6

SHA256
9d93bc3e52149fe47e8da06be1254588e99b9b04d77457f8f8c151132dd06e10

SHA512
d6b7819490c3e2c7c6130d18ee6b2222ae611522558048211b145b31033b4c07ead109597417807a4ddeba57ac71607ce8ee8a6de6857fbcedbd0b7152ba6dd0

Download Submit
C:\Windows\SysWOW64\Jopabhna.exe

Filesize
93KB

MD5
0be551b4f662357317e713fd227d5970

SHA1
208a7a0f12d88580af6b1b9cb49a0efed0cac8d4

SHA256
41c33e4d25904e3907cc828951ddc553eae7e4a0217026e361cd9f220b84ed5f

SHA512
e1374e9bd04710e9da947d3d774114a0b473e42697362a3444d8203e8e73ec3cda46a40e620be9b72cd4f8c44792d259b2aed2da9139bdfd503fab2a9ecd4d86

Download Submit
C:\Windows\SysWOW64\Kaajdckb.exe

Filesize
93KB

MD5
4d2f66684134537e8ac9c15b9ac215df

SHA1
a2915cf33c845a78e0d20999444dd118eb383cdf

SHA256
39c43030a3e75663777a74573b373cb4e40eaa836cb0545c712e7208eb30427c

SHA512
2bc79c4002ab84e251ad28e5ebfb5b71313a250442fd9e6657c6855d6c3838fdbbbba6330737dae9e3f425e5ca13d66a6de329033bbdcee02b6c14d343da4dca

Download Submit
C:\Windows\SysWOW64\Kacgjc32.exe

Filesize
93KB

MD5
760426873603c00aa00f1d24360c598c

SHA1
ae5a7f46e31cdaed59eace992d3964f63b397080

SHA256
b5b43a628c3ee6f4f8619215646ff00ebcbfd1ade495c42f1436cb356f6afdf7

SHA512
2c220bba5be0577e66fab98693d03ccbe8cc20abe922ba8d234d613540704ad1ce0548b62ddf4c858c5a319ee9089222e89c66c909c4f2e878f057918ba526f6

Download Submit
C:\Windows\SysWOW64\Kahpebej.exe

Filesize
93KB

MD5
a6c8dc4b626df7a338a8ea491962a3d0

SHA1
06940397756ddf4a1726c77e0d7380a18636c266

SHA256
271ec0c7b1a608be8d01b7a8b6798ab8cb42181df96e1d3a6ac5220df76ad030

SHA512
647f303c289c1583ec2087bbc141f740b9a1ae6ba39a99d599233cceb19e14b1a39ed90080f5e5a505e0b44bce48588824704efcc6ac73fa25449789485a23af

Download Submit
C:\Windows\SysWOW64\Kaonodme.exe

Filesize
93KB

MD5
2947afb5a7244551dfa3b31db551dc5f

SHA1
3aea08733f8a97cba6fe3db975e6b0b02fc4caa9

SHA256
7942e2a6b0e79dee69e0667a28109ea41629f1448a2ab32f384f08da99f97e5b

SHA512
0f0db65540f8139581b4fc2daa977db3be4ad501e5537501e616a2ac22f74ec522ddcc17638aa6c1cadc99656a1e644277550921d7f4e7550b3cca9e32a1f453

Download Submit
C:\Windows\SysWOW64\Keappapf.exe

Filesize
93KB

MD5
dddc8c3da1f1a2c06a6482617807a33e

SHA1
e4b650bfc52302b9b119227d678f15dabdbf7ada

SHA256
f30989d7074cdbf34a8b7cb8d85a03710feb641079b30537103ff35b921e7cd8

SHA512
3a6e0f04dab5c6df053af7df54c6d63952fe1446b7200492e733748938ade8a226f7ec1a4508a2d6f62d6e958eede4cb823f1bc55c83ed93e9810328cd3a3d62

Download Submit
C:\Windows\SysWOW64\Khifln32.exe

Filesize
93KB

MD5
093ce983e910d420fd307cf6ba89f080

SHA1
669abbc201491a5d9b5827c28ba853b61e380ff2

SHA256
a73d3c3b7b13610883ee33258b0c7bf06e8eac6da68347af5d0f904a63b00989

SHA512
08bff8a1cbae9b38bf2fe105147a8b8f8856a488aaa926417b3ad493fca14e5413e87321217fa92cdec330337b08781ed3156ef5ff00ac378d318823894d20af

Download Submit
C:\Windows\SysWOW64\Khmogmal.exe

Filesize
93KB

MD5
6c6bb14897f3b71c8d08fe9f6c3277c3

SHA1
55758ac88873571f1fc1c994f269fe028046a4f6

SHA256
f4d1e95f29b0980e0c0b1a68937b8517799b2add8aba0d7343489907c9606d57

SHA512
2b59f519f81d603d16072bf97086952ee11c9429593f9f233430485102c313d60834946c4be0a6c5592189bda0a483b465351d21bd9ae8683ab708f12b6256d2

Download Submit
C:\Windows\SysWOW64\Khpllmoj.exe

Filesize
93KB

MD5
bf737be42e47eb15ee11bdccf762d432

SHA1
f186572e28f01ae70576e288101f64c276b4e462

SHA256
f2efec1047287849053e2c3d31a928ddd5a4cd9fce1639020aa6221fe19dca12

SHA512
e48d7f402540c3665b9c9ba54b2a1f9180ca5cc038d42f408fec0f7c4f05947240ea05a30d3b3e5cdbb9b282da0e2e99d7248927fe3be46c8793fd4a45026fdb

Download Submit
C:\Windows\SysWOW64\Kihbeald.exe

Filesize
93KB

MD5
fbb2434529fe71f35f4368ffae555177

SHA1
e14412f1c9c2de4b7f0f2ea61c489f5a19bb3c4e

SHA256
0159a29376b6c70891e1dbc56ec8230ce8e9f13ec12c44422e12ad0491ff3085

SHA512
ecbe04f3dc502d492a919d80bcd2a6e4c314aa623e8f9471bb975a496b97bb434568c7a7d7443e98e9818cc1ab557dcb8ad57ef6a997569730cf1d25d3aa6461

Download Submit
C:\Windows\SysWOW64\Kiohfpfl.exe

Filesize
93KB

MD5
9bca7e010c997365f5d6cffb469a82f7

SHA1
4f6a526b83a8e651bfb1ee7d4bc4629933862879

SHA256
2a70f7cf24373e76e1d4c1ee7e8c974ef277954fcbadc071496c85da9cf6d117

SHA512
f666f7a265da9277afc2096f19b056995bc795b7c7dc2b684ce810a343b9de6bc36e733e7cc8afc4517f83492e1adbc2529f454aa9d4dea9af3aaf7b9f993605

Download Submit
C:\Windows\SysWOW64\Klndbkep.exe

Filesize
93KB

MD5
8c1ef8cee2fb0fffd5de793c79d4120c

SHA1
dc62da482a867f59f84946d11a70e055a3b829f3

SHA256
e4ccb3c52e4634221b57246041be8b2235898c61f341cf9dd69d90783d518f8c

SHA512
f0f86814d3a15d992854b7d55ee3171d25eab74beeb7439f31bffc0d66ae763f9b79c7d92e62febca615f4fdac3b4c985fd2e1002f975c0df8b8f1b607d1e04e

Download Submit
C:\Windows\SysWOW64\Kocnhhlo.exe

Filesize
93KB

MD5
3837f304e20a8564c0a995194738041d

SHA1
0d5b3aedd385348cc6a4ae3ea78ed558bf528ab8

SHA256
cebf1dc06a036103d9f2a9528bc77404a60f45716fb60e65476d7bafae11a847

SHA512
42897cdb15288acd21792890797a7259b7105417d1ade9539bd7e650fe641b4ef59d84ad0c517e74160a53ee910e73508aef359e0af873bdfd02687f0c495a9a

Download Submit
C:\Windows\SysWOW64\Koggcg32.exe

Filesize
93KB

MD5
b735482a887f2a2ea249a80893393a55

SHA1
e62574a310331bef2ce78cb423728623e55d3cdc

SHA256
45be46d98d1f3cdd12cd59d4f658b1112616f1f2d0a3459f6a4d344a866dc301

SHA512
19624cd4369f66b581b0570c6157683e6313424f6a60ce40be4427447adb3b5feecc887fe34cdb95bee86d10d5abe33ab34f1f3fd82cc87a887299e918785a1b

Download Submit
C:\Windows\SysWOW64\Kpbjbk32.exe

Filesize
93KB

MD5
77c3791161b80ce466977488a7251c15

SHA1
b554a8982b2ab81bb1ed3e32261eeeac664fd446

SHA256
804d03ddeb514afbf7efc0136a9a4551446644ccea9df3b26c17a5f3de7d4715

SHA512
ed99b373fe91c572591d2a5422a34ee574970d2b211b69a60142fe69bb810151bc2fb485c2d0a218412d265f7025c11cf0b28ab99c775c66d3b79a7bce516e1f

Download Submit
C:\Windows\SysWOW64\Kpgdmjpl.exe

Filesize
93KB

MD5
59fb04cb422827e8a3ff7a0c4e8ae970

SHA1
cbe8f5b5a2a85a4efe4a5ed19a7e62667bfa47ed

SHA256
3820efca9e1b80491061c3489254794d8d9915f7ba3d0930d4058a112cd9a58e

SHA512
b80fb306c972fc5c25d44ab93c371ffb804145241bf6460a6b822919418f3c8a32fed85b6d822eacfa179c413512091d34da6d75630bbf5eeda63788308bb19e

Download Submit
C:\Windows\SysWOW64\Ladpaakm.exe

Filesize
93KB

MD5
edbbc63472dfa2b3944c847a4f950588

SHA1
1ff979935f3fba6fa192ebf1d6a4a2380e13ab24

SHA256
57ac57a5c493a747a16c9c6df9c4c9655fd135b94a0d1ba2383d17bfc629d74c

SHA512
10b94a54f5e9686d36c517f52a4b3a59041382d148d154deaae325f373dd1594820a31775b641baf45f5e1902ab65a8343d510bc571e0b611e0d13141db7bb97

Download Submit
C:\Windows\SysWOW64\Lcjide32.exe

Filesize
93KB

MD5
72adad6c59817895ba070906471f4a61

SHA1
f1dd1e5add4653cf6d542494f3fc10aa8a2fcce4

SHA256
6b68f660e9983f41984052ea4fb256091f12c5f06bb214f1cd6b8a0ebbc39e6c

SHA512
27f776d507f5dfd520b37a532d16919e16a579e08ec5c5f407bdbd83fdfe491ef1e6bfbe3650b54c0eecc39e1eed3c060610d51281cb95553c9076076dc42784

Download Submit
C:\Windows\SysWOW64\Lefika32.exe

Filesize
93KB

MD5
29a6b3741ffe894aca7b3dfa2a8634fa

SHA1
0ec1a5b7830877faf2a8e9bae288d912599c4f68

SHA256
b8c8778884ed177840761804ff9447273794568b9df9eeb3886598036112ac22

SHA512
524083a0ec72c146b1d917284144b30e016bfe3f474020279df8ae1579a379af4de3830850d2a24b42200f24667333d8d248fdb3005c435e2889f16b4e376a24

Download Submit
C:\Windows\SysWOW64\Ljfogo32.exe

Filesize
93KB

MD5
9f1a1d8c231380f3337a90396634e8cb

SHA1
22ce8b455d71c1a4a0573aa78004a8729121f704

SHA256
db44fd00d70a020185d3b48e2ec1abfbb7b641639d8d2ddaeef1c35c7900a78b

SHA512
1975f4dd972c3003cc4795244186de57686babb36e052637be1ece96067a9bffc1dab2504d00d5701d382616e34e326903bb838273c3fc75ff9a15b86a5cc3dc

Download Submit
C:\Windows\SysWOW64\Ljiklonb.exe

Filesize
93KB

MD5
b6c8c563bbb497a86b5e4153c7eaa539

SHA1
bf3eccd136ba4776ed5cf4518aa3150469121a67

SHA256
f49ac9f828389886e39eb4144c2280dd3773689b35096330c8e77d7709f1e186

SHA512
474f51f229d28ab0efb6363fc8ccaa25dfeb159e9c161b5f4477efed1cb784757c5ad79ec8e4f4861845a1d5935e27f730aa29ef4bf3638b48cc085ade4ee94f

Download Submit
C:\Windows\SysWOW64\Ljkhbnlo.exe

Filesize
93KB

MD5
4b14596b77b29991d765d3fb0b8f3d2b

SHA1
7fbe2add93f5b63cba2586eef29b57ccba829cbc

SHA256
50690ee7245d1ce95874263f45b70c4eb8f11c541f40d1c59930aac95d6b7cbf

SHA512
a7b548263fa15968e34acb5c295175fbf3c793472a7ab17a63724760dd86550e8057ac1916b65ebb224780cb51338498409d43e32f4b11f10386a5d5bd49c03d

Download Submit
C:\Windows\SysWOW64\Locgof32.exe

Filesize
93KB

MD5
2832bfd5a451005e58a38e94ac1be8c4

SHA1
4da8d0ad5364a990bb73c343de07f3eb22dbd7f3

SHA256
6c70734ad1fafe51270f65ca2d928c5d1b293c7805687011654399102d3d6053

SHA512
01e2002720583a0d64a40b759dced4ca24adb962652f250f43f440172ab7a01e69bebe26f9859b517d01ba3b3972b98a0793059f591c03efd8393fe4511f9c76

Download Submit
C:\Windows\SysWOW64\Lpnjniid.exe

Filesize
93KB

MD5
92fdb862f504dd2a663c09bb16d2c8d3

SHA1
9d73c9fe095612c4e2d09a77cfe296f5b829fee6

SHA256
91b5f1f62b834cea641a4c3209ff307bb24c0aee2ad32b1f3f0e5e4f2d19da44

SHA512
54d1584cba34fb199550cf49fbe77a384dabd5d0fbb8ef0d75fcc5e6e3411f7faebe0c88839a50b03f33c735ae0b1082335923a311e435850f445de5e352edb1

Download Submit
C:\Windows\SysWOW64\Mafmfqij.exe

Filesize
93KB

MD5
e5a6e857dc0c6ae36b3eff2a1e1064b3

SHA1
94da440ccd0476a136757c25c35cce6d60c7675b

SHA256
297802c4a03bcf66244dfe38e8680e1d93348fd5cd50682643c8e3ab5b39e018

SHA512
e343bc755fc8491a662eaa205c57a7729ce919cb33e906b35f43b129e777b10e38b78b5b507cd080af8600d9067fae4b4d5011a2b77f1d7a29c5467a14c64a4f

Download Submit
C:\Windows\SysWOW64\Mbhilp32.exe

Filesize
93KB

MD5
3b18d059ba79cf85737c104d099fc37d

SHA1
ee9b82cb54d8c4e7f3e727025d72127679383932

SHA256
8d9a46f4b94263ff2a9bf7b1250366bc210e51b8d252ba2505245bda01449d0e

SHA512
b5e385cdbf3fa24658be3321474004d3882a007e501d588c9001a3016f45525e81880de4ebd3dc1afcf0313477ca4455a1491d2464de085febbb0e253b5a1b82

Download Submit
C:\Windows\SysWOW64\Mhbaijod.exe

Filesize
93KB

MD5
e8e589409f634274c99ceee104465d49

SHA1
43ce5da64f2e3e93a6e780498c6bcfe65ceef58d

SHA256
53c2959d9877d8f321602db0b8552766524ea1f5325376e1fe25339b8371712b

SHA512
f4701ab6ec5d5d482c0a2768460e340e6775f9a3be0d14066641a9db7e5c1ecb47bdacd9e2617677eeba68776174db2b0135fcc484c5229910e37d2301b083ae

Download Submit
C:\Windows\SysWOW64\Mhpeckqg.exe

Filesize
93KB

MD5
194f8cf2a1f7f2644f7fe369c7a9b924

SHA1
dc43d1edf7854b58b253c4c10b9feff53bfa13fa

SHA256
e5906c4fd4d200ca511e033697366d42054c4f5436dc262ddfddfec6d3e24c16

SHA512
7a9b7b7d0bc14d4523647af9e06dc2684622544198ff8fc4a518d670ed05b92a43353afee14859fc25cec73848b0c484a9d8e594adc183e2090109eac6e868d7

Download Submit
C:\Windows\SysWOW64\Mohpjejf.exe

Filesize
93KB

MD5
f1105a91e1e53fa146f9a68e73af9b61

SHA1
c3e0feaddaa1e7f127b13a972ddf4dcab74cd922

SHA256
cf096bbd34a7f15e1c156a149aeadab51b80c1ef7ceaa35be02a28107ddc6d3b

SHA512
d0010abb021bf878f97e159575dbd8533eeb64e788012384d78827b14c58d9c3c444d99d86eee44d988f24c9753a4821a64e01649b0df678bafc983a44304b43

Download Submit
C:\Windows\SysWOW64\Mojmpe32.exe

Filesize
93KB

MD5
c4e532994cb13c4a3068be0e5a02ea20

SHA1
eb4b978cf45ce69868072c617823f658c2eb42f0

SHA256
23369c9365f4e33817a5a25c77337ae50a9812909223226c1c85e59c14580e53

SHA512
4edf9362e55d52b5bd46c5cfa475f2f0c2aa94de84d223f7494f7bd1bc215ebfae014e559b2c0c2dc6d1b5aa171a1040e993862f0fbe854843b922e383c06052

Download Submit
C:\Windows\SysWOW64\Momjed32.exe

Filesize
93KB

MD5
ac22f0e5b4b7b65600a590058fdcb910

SHA1
aa116943b90d2b989417d2e493e91896131bc831

SHA256
1ce8668759b2e6ac12830448e767c54bfc85624cad04ca140f57b7d43ef687e0

SHA512
ca7078238a3e4b1d5f9de0284c00f5577323429e6a3f72cae44609336472c6ad860c0c0b4165394d01a8e41ebbbefe09a32db415f9aa9318c0c2ba869c2e019d

Download Submit
C:\Windows\SysWOW64\Nfgkilok.exe

Filesize
93KB

MD5
8b7e315e80b836100dbee0cc5579d592

SHA1
f373d2183b310aa88f5cf64baadd4de032837814

SHA256
e22e99186308a0d2145bedbcd7365ee5df7b6379b4adfaf7c8cce30903ef51da

SHA512
d758edc49c7b68b0a7f847abec876581f4b3bbc25281cf77ee5566094bc4617199079a6175c2473ab766edce6bf3f3155aa53d8aaf32aac6a5ced1eb33730d99

Download Submit
C:\Windows\SysWOW64\Njkail32.exe

Filesize
93KB

MD5
b720bbe533dad1b0402909e4c12f86f7

SHA1
b05770bc397a8b0fb8bd92df96b5a740c314e72e

SHA256
2a63687eee8ea328c89431095a1d25b08689b01e7e5378799e8cc59eb46f954b

SHA512
5a62f58fd158bebf4f3d1d49f70728b8f9f0443042c5d7437913d53568517c8d26aa91bfdb570a6f57c93eac40ecc3f5c9385d16fbd67fa4069b2884b0272592

Download Submit
C:\Windows\SysWOW64\Nqqpjgio.exe

Filesize
93KB

MD5
f3bb79370b6d15cbfc2d5b17beceefca

SHA1
42418574e02ee3b3cdb3948d0c62f9af38139318

SHA256
aae03bba2e2108bd246318cb27b89a41137000e231235566a73a7300b320452b

SHA512
b75bd602d0b424742525a5315d10a82015fa73d46733aac77a8ecb54083f3aad77fec3f90ba5566ebcdb047f4fc6ebcd6337e94a8441ff695ce3d53b3472cd11

Download Submit
C:\Windows\SysWOW64\Oilmfg32.exe

Filesize
93KB

MD5
a8e39ccdcfb53caf5e2619811522a372

SHA1
cc5f4d6c75ec5c853966f03444c5767b1165f590

SHA256
40c43fa0132434293c3183c2d69767554fa7c32289facae65b81ee4b92046d06

SHA512
e8da5fa9fc43f1c924abf4a19766dc4e8c3a1501be46542cb935b895103e92f48eaa6810be90f9157d6743909f191de4e6eda8d0bcde547371e039415b6815fb

Download Submit
C:\Windows\SysWOW64\Ojecok32.exe

Filesize
93KB

MD5
de55218378f1f15d9779225cff213ff8

SHA1
8cdce1aa7e94da5612beabc582d2abcb8d707e6c

SHA256
7b58efe2739749086c9a4fb7352a680cef239af6aeb8592ce596a603cdd4e079

SHA512
2da7564cbf87e8f6d71e848a164c18712ca881e7d8f678e91c7859d247ddc6dfce86b4475eb0b0d015807750255d206eeb93e597ef918243dd3b4897440b790b

Download Submit
C:\Windows\SysWOW64\Ooalga32.exe

Filesize
93KB

MD5
ac13b35471d8db2fae2b30a6b5d0fc89

SHA1
344aed44b4f80ce8fe217aeb1a00ab785a6ad3f4

SHA256
5fdb97793475691b3d6f5735419b2daa2e42341cc19d65e116c019d926cace1d

SHA512
7fb6d221dc56a71cff2584b10f3e86eeaeb8d3d4f75b071c60d112b2334fea84cc99ea3f44eb5e014ca1469672ae5acf0a8afad95a3b060f880b7a8dc759c792

Download Submit
C:\Windows\SysWOW64\Opfebqpd.exe

Filesize
93KB

MD5
6b9428b7ab0f2246dde6a1ef335e1dbd

SHA1
3e91980427780c9cda2c5b5b75ed05fb694fef3e

SHA256
64ffd635ce5ee8352f79fca85941a80cfe2e67203a64bde5cfe57a725cd05fcf

SHA512
a146b6a812651054bdf57ec55f51c0c4e9de8d6958c771d4873fb1fe98354a1a19caa93d171382cd71284e289eba3daae80806df8d8d30c1978e29ea2c70bdd1

Download Submit
C:\Windows\SysWOW64\Oqfblcgf.exe

Filesize
93KB

MD5
b5217bf50c86452b030c8545d005f1eb

SHA1
51e335bd1457c2ea963ca9cbe0788aea3c68bd4e

SHA256
77be294f5ac9c8b079d0635c5a751c7eb787d8ba0cb3ce496b68f9f04faf935d

SHA512
fca3c8ad529dff42238cff36d28f5934803a982808ee331cace133bed5512f6887e38dea9f17b073938e6cd6465548e1570aac07cd9927228c3517d3b66f2ae2

Download Submit
C:\Windows\SysWOW64\Paaahbmi.exe

Filesize
93KB

MD5
d7cddc9ef38c10bb1227b67c88e1c3fa

SHA1
ffedd84d952a1f123f3b55900c037b90a48a0fc2

SHA256
3f557fa485bb95ab8df9d80f868e22eea751621ea73e4ea83765b4062c05f427

SHA512
13f4ba1b8e87ddc36134853c084b1573c04f3b7e9a2378adb50a62a532fb9b3580f4f702e36995fa482498b2537dd8787a9d51f7c25ef7297b6b5e23778c3628

Download Submit
C:\Windows\SysWOW64\Piagafda.exe

Filesize
93KB

MD5
02861ce5c8485aa5da4e404bf1f996e1

SHA1
9e37c0d234e1b0559e98af2afe0bbe7b93d3a495

SHA256
5cf0323bf109418badd2b10b10d84b7f1ff41aab784c7ee739aa7165e1b906fd

SHA512
01c55b5f7ec8d0c1cbae0219a59b0d50e41035f8a97d1f04272c22ddbaafaa6f689933e72fada493fb79966b02d8eb725c5d2499034065c8a065cd60fae3c4ab

Download Submit
C:\Windows\SysWOW64\Qbggkiob.exe

Filesize
93KB

MD5
722081df7dbb66dd0656a674a76fc367

SHA1
4f4ac785239de2db4237e98ff35cbabd5237cb1c

SHA256
443625ea8bedc8778ff6d46a42eeb71e72e90937429b25ea413b68a5508b1b0a

SHA512
b807bbd564c54213d578f3839041b9777a13f6920a2ca3bd18a01361fbbac2098294bf2cc246735c873e5cb63b9d767a44f80490c11531edf2974f5e39dfb5f8

Download Submit
memory/8-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/180-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/180-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-981-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-1001-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4616-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-929-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5620-923-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads