berbew | 77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe
Size

96KB
MD5

bbf1c00ea7e970054b22763958338843
SHA1

502210ca82e144f3139995abc65ad41781fc5ff2
SHA256

77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5
SHA512

0d269af73ae8bf920183e41e66c75f67b254b9f67ef00cc44e1eed1866eefd357293dd17fb3c476f41cbfc30f0022f9055a7db980d05bdefa9f7b83ffcbc71e5
SSDEEP

3072:7CaiT6OoC4RAuPiX+lsDufBnEnDQEnKClUUWaef:7VQU2OlsDufBoXKCWUM

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c21-135.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
1204	Jfaedkdp.exe
4392	Jpijnqkp.exe
412	Jfcbjk32.exe
2116	Jianff32.exe
5076	Jfeopj32.exe
1292	Jmpgldhg.exe
4956	Jcioiood.exe
4924	Jeklag32.exe
2468	Jpppnp32.exe
4416	Kfjhkjle.exe
3384	Kiidgeki.exe
936	Klgqcqkl.exe
1980	Kbaipkbi.exe
3648	Kepelfam.exe
2380	Kmfmmcbo.exe
4564	Kbceejpf.exe
1812	Kimnbd32.exe
4348	Kpgfooop.exe
5088	Kbfbkj32.exe
3552	Kedoge32.exe
4484	Kdeoemeg.exe
1752	Klqcioba.exe
1696	Liddbc32.exe
4152	Lekehdgp.exe
3832	Ldleel32.exe
2232	Llgjjnlj.exe
3564	Ldoaklml.exe
2180	Lepncd32.exe
2036	Lpebpm32.exe
4680	Lmiciaaj.exe
2900	Mbfkbhpa.exe
4504	Mlopkm32.exe
2340	Megdccmb.exe
1500	Mdhdajea.exe
4372	Miemjaci.exe
2820	Mpoefk32.exe
4900	Melnob32.exe
5112	Mlefklpj.exe
2392	Mcpnhfhf.exe
1544	Miifeq32.exe
2896	Ndokbi32.exe
1460	Nilcjp32.exe
1172	Npfkgjdn.exe
1644	Nebdoa32.exe
4140	Nnjlpo32.exe
2060	Ndcdmikd.exe
4468	Njqmepik.exe
1476	Nnlhfn32.exe
2132	Ncianepl.exe
1216	Njciko32.exe
3760	Nnneknob.exe
3412	Ndhmhh32.exe
2832	Nggjdc32.exe
748	Nnqbanmo.exe
2184	Oponmilc.exe
3440	Oflgep32.exe
3976	Ocpgod32.exe
908	Ofnckp32.exe
5084	Opdghh32.exe
1640	Ognpebpj.exe
2308	Oqfdnhfk.exe
4360	Olmeci32.exe
4376	Ocgmpccl.exe
4008	Pmoahijl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ejckel32.dll	Jfaedkdp.exe
File created	C:\Windows\SysWOW64\Jfaklh32.dll	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jeklag32.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Lekehdgp.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Kfjhkjle.exe	Jpppnp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Kdeoemeg.exe	Kedoge32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1956	6052	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpgldhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfeopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejckel32.dll"	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bcebhoii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 1204	532	77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe	83
PID 532 wrote to memory of 1204	532	77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe	83
PID 532 wrote to memory of 1204	532	77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe	83
PID 1204 wrote to memory of 4392	1204	Jfaedkdp.exe	84
PID 1204 wrote to memory of 4392	1204	Jfaedkdp.exe	84
PID 1204 wrote to memory of 4392	1204	Jfaedkdp.exe	84
PID 4392 wrote to memory of 412	4392	Jpijnqkp.exe	85
PID 4392 wrote to memory of 412	4392	Jpijnqkp.exe	85
PID 4392 wrote to memory of 412	4392	Jpijnqkp.exe	85
PID 412 wrote to memory of 2116	412	Jfcbjk32.exe	86
PID 412 wrote to memory of 2116	412	Jfcbjk32.exe	86
PID 412 wrote to memory of 2116	412	Jfcbjk32.exe	86
PID 2116 wrote to memory of 5076	2116	Jianff32.exe	87
PID 2116 wrote to memory of 5076	2116	Jianff32.exe	87
PID 2116 wrote to memory of 5076	2116	Jianff32.exe	87
PID 5076 wrote to memory of 1292	5076	Jfeopj32.exe	88
PID 5076 wrote to memory of 1292	5076	Jfeopj32.exe	88
PID 5076 wrote to memory of 1292	5076	Jfeopj32.exe	88
PID 1292 wrote to memory of 4956	1292	Jmpgldhg.exe	89
PID 1292 wrote to memory of 4956	1292	Jmpgldhg.exe	89
PID 1292 wrote to memory of 4956	1292	Jmpgldhg.exe	89
PID 4956 wrote to memory of 4924	4956	Jcioiood.exe	90
PID 4956 wrote to memory of 4924	4956	Jcioiood.exe	90
PID 4956 wrote to memory of 4924	4956	Jcioiood.exe	90
PID 4924 wrote to memory of 2468	4924	Jeklag32.exe	91
PID 4924 wrote to memory of 2468	4924	Jeklag32.exe	91
PID 4924 wrote to memory of 2468	4924	Jeklag32.exe	91
PID 2468 wrote to memory of 4416	2468	Jpppnp32.exe	92
PID 2468 wrote to memory of 4416	2468	Jpppnp32.exe	92
PID 2468 wrote to memory of 4416	2468	Jpppnp32.exe	92
PID 4416 wrote to memory of 3384	4416	Kfjhkjle.exe	93
PID 4416 wrote to memory of 3384	4416	Kfjhkjle.exe	93
PID 4416 wrote to memory of 3384	4416	Kfjhkjle.exe	93
PID 3384 wrote to memory of 936	3384	Kiidgeki.exe	94
PID 3384 wrote to memory of 936	3384	Kiidgeki.exe	94
PID 3384 wrote to memory of 936	3384	Kiidgeki.exe	94
PID 936 wrote to memory of 1980	936	Klgqcqkl.exe	95
PID 936 wrote to memory of 1980	936	Klgqcqkl.exe	95
PID 936 wrote to memory of 1980	936	Klgqcqkl.exe	95
PID 1980 wrote to memory of 3648	1980	Kbaipkbi.exe	96
PID 1980 wrote to memory of 3648	1980	Kbaipkbi.exe	96
PID 1980 wrote to memory of 3648	1980	Kbaipkbi.exe	96
PID 3648 wrote to memory of 2380	3648	Kepelfam.exe	97
PID 3648 wrote to memory of 2380	3648	Kepelfam.exe	97
PID 3648 wrote to memory of 2380	3648	Kepelfam.exe	97
PID 2380 wrote to memory of 4564	2380	Kmfmmcbo.exe	98
PID 2380 wrote to memory of 4564	2380	Kmfmmcbo.exe	98
PID 2380 wrote to memory of 4564	2380	Kmfmmcbo.exe	98
PID 4564 wrote to memory of 1812	4564	Kbceejpf.exe	99
PID 4564 wrote to memory of 1812	4564	Kbceejpf.exe	99
PID 4564 wrote to memory of 1812	4564	Kbceejpf.exe	99
PID 1812 wrote to memory of 4348	1812	Kimnbd32.exe	100
PID 1812 wrote to memory of 4348	1812	Kimnbd32.exe	100
PID 1812 wrote to memory of 4348	1812	Kimnbd32.exe	100
PID 4348 wrote to memory of 5088	4348	Kpgfooop.exe	101
PID 4348 wrote to memory of 5088	4348	Kpgfooop.exe	101
PID 4348 wrote to memory of 5088	4348	Kpgfooop.exe	101
PID 5088 wrote to memory of 3552	5088	Kbfbkj32.exe	102
PID 5088 wrote to memory of 3552	5088	Kbfbkj32.exe	102
PID 5088 wrote to memory of 3552	5088	Kbfbkj32.exe	102
PID 3552 wrote to memory of 4484	3552	Kedoge32.exe	103
PID 3552 wrote to memory of 4484	3552	Kedoge32.exe	103
PID 3552 wrote to memory of 4484	3552	Kedoge32.exe	103
PID 4484 wrote to memory of 1752	4484	Kdeoemeg.exe	104

C:\Users\Admin\AppData\Local\Temp\77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe
"C:\Users\Admin\AppData\Local\Temp\77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\Jfaedkdp.exe
  C:\Windows\system32\Jfaedkdp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\Jpijnqkp.exe
    C:\Windows\system32\Jpijnqkp.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\SysWOW64\Jfcbjk32.exe
      C:\Windows\system32\Jfcbjk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:412
    - - C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        32⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        36⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        38⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        40⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        42⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        51⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        55⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        77⤵
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        78⤵
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        79⤵
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3444
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        82⤵
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        85⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        86⤵
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3436
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4180
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        94⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1880
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        106⤵
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        111⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        112⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        113⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        121⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        125⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        127⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 404
        128⤵
        Program crash
        
        PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6052 -ip 6052
1⤵
PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
fb1658760822d8c139f7ccdbd56b362a

SHA1
ea97813d73873306d976833f5379a59cd386ccf0

SHA256
e8dbc93ac0bd7e3a7230df9a4d090cc4c319c4a2a341299cb3c592f9b2c18b89

SHA512
115c33592d0624d3ad627b1987c7243d8472bdf1d86c48c6339bed4bbba573c686a45418cd35d47b8d921d054a4ce7c5853acb3c2ed152de1ef3a9d02ea25ab0

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
38f9612aec44bc054d089a02eaf5beb4

SHA1
2cfe6a5fb955b09f281b2aabee48772cfd883493

SHA256
ba0bd2545e5128f9990614da7840e6e38770621944aa22e5dbc64b4aafbc65f0

SHA512
674a303a6b0f781da01d94b354a16845629c2536704104fe9b1504257db96a2fec0726a85688fbe21f45ca370d09b6231c21b3422007954759d3f67a67b489f8

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
4be125551495623ad4fbe5855f57bcbb

SHA1
7ebe0010c9962af90f3c6e17260f5312fed94f60

SHA256
0032179a16cc461ba9949961a2bab3b12faaf2c6196fa665820d7f9b33ac00ac

SHA512
c92b2641004b48e2940cbf35997536dd7ed433ba2c9f6261550c13ae1c7ecac71a8c9609a9d4914db6f7a736c4a514ec57ddb78d1ef221ac2f30fa11f0a28caa

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
48b8736c5af3dca199f2a48fc9873f43

SHA1
6c3b44a3ae9ffcb4edb44353d556918646759c15

SHA256
fe3006769061ecd9c5157115eb4cba075dd574103c4d8fdb1873394fc29e4332

SHA512
46e8e1fd40504fc3c67072481f89749707e707fa3e2af46cf55125b0e6ccc89cc02af54d5cfcad825659e3c14ff8dfa0e13ac6261616f35d9f84f90c058cf14d

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
fef5e4106bb2d359738727007666f651

SHA1
a6bc0e1831d237bba826e81f51a75fe8ace7180d

SHA256
ef46215dac40ee1484353aed80267c8480109a192f5b5d060025468e15ba59c9

SHA512
3cae3132ddf8a5537f864706fd2024e1e62d8faaa75119b61c3624158b9f911b2c3eee054ed07027e83623fb24d91fe1a875ec9c14709b5f85e71e351e7e04b8

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
784f34960f71136d5ea1281dc45ec7d1

SHA1
7f480efad12b828104650bdc6ae9657fb15a1296

SHA256
099a41c96663c419b061151ce00d7d5ce413dcfca7c132814614277e61844577

SHA512
67e989d22854c5f31b14cf1cce001aa15ccbbad0b9759a319efecbd01ed014f12a1ff616436bd05a3a39d5d1b6532d906b919f09935107a9ee346823880af8b5

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
96KB

MD5
acc5fffeb0b878864cfcc7efc1202746

SHA1
67a269b3b09fb7a53b339689de018cbbfe3596b5

SHA256
cc82b31e2fdd16385c56a5c0927af34ec61986ae94c503aa6e78bd2825f85729

SHA512
22e8cb547cb1b0974b159cfe83074f3f732f4c3e304f46d6666ad5141aff3aa4b7e9d08f3a182cbe185e8119013d83d9ced939559687d045b5b3dfb81072378e

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
96KB

MD5
0d0980e34561d3bcaf3a3b90eba07e1b

SHA1
f599de2caec975c6d9e123881fcb04aea514b42e

SHA256
3ea96a4a09df4f33f21f1bb8ccca94df193fca7077ebe7aff112e5c5e399acf0

SHA512
521c474139fce51a1a52a182f7cafcda519be8b2d6b4fea1ddd177bcf09dad81feabd899a02f0cb6850fa59228fc416c59fc1c44566a8fe32c3ebd22b01e996e

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
96KB

MD5
f5585bf5d6b112f4490f66aa9e0cf486

SHA1
26160358c3490bf00a82a10619822c161cfa72d3

SHA256
ef3f5d1b867c49a8008f54f520f8949fe87800cf6b431e12a24c75a1f625e3a2

SHA512
a75933a5da32903bd9519e17fc3e8160839d846b5808e950c04c05ff428034f759dc5597895dd6b4db4f3bf0969943bef3f3b7cbee3744d1d083f073ab6b4942

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
96KB

MD5
888407ff590f3e2fe103e66f3b1484cd

SHA1
77a96c8ab4e88180e91c6072886f7acd885713ca

SHA256
cfd6aa79f833910b778094517808b16a0a85268aad9a330d5097f6bd9fbf057f

SHA512
1ebe15e6fe8a743d5bbaca84e051f61ed61a13fb5886142c53d3e86d682a96e38dc8f1ba38c6a33f1ebfd2fbabc17201100a9b1e395f02dbab0ee84ec29cde1d

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
96KB

MD5
7022150cd5a595c0050223198ac2cd8c

SHA1
2bb82eb8fd3ab1c33e4c48d56e15066779e5e65b

SHA256
43f54174148d4bf7af4a618cabd7679121384cb790237da9bc420c3889cd2da7

SHA512
ece0c0a557c65efd194e43406e1e87071d6d2e03782f41226a302365b7850b6fdc95d63341ce9d2bfc237934ab7c0c27372f49c0fec18d414701715ed49b4381

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
96KB

MD5
15b3b6b90012d812fda22000b736c860

SHA1
041e8bd9b0fbc64a5b12be593a8d06c9c316fa82

SHA256
c6f1321e7745381938416535f9ba6b0a2eb9f22cdda367af6f55cc0bc29a5ac4

SHA512
dbac7ba236729a4834fe84e28eae251388ad676f1761175cd689b83308519ec791bfba3e91cd750a1d2ad760ef3bde9581f6cd420e1363e477713dd590b02be9

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
96KB

MD5
d049617557e49f603cfb16d69ffef013

SHA1
ba2c82a9bc3e488208b7a64465f205dabec2dcd0

SHA256
ed3c27deec881ff7c42cf0589b88f48495134882d8a44e51d17b4cd4a8854d89

SHA512
3c9e7474f95f10a66afcf6837c6776dfc07291c5e4deab6fb16138d4bf99e754e4b21ecd31b23082a529213df408bf4e83436146cddc5c622bfd8b5a63633a83

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
96KB

MD5
280e14f40a2305cc7ee7345e3bae679c

SHA1
b336d57c5bda2619889cb376fac6310bb8277cda

SHA256
e7daf4bf4e1bccc3553bfecc59ab8325bc69112368f5c6b64893b0036ee48503

SHA512
fe8a746940ab5e8485015fbe6e6f5690765d048740596ec3cd0c60d5140603e2ec499175f35a6cad4db551c8dc86837ab78094aadba655ade74ff6d84b366c2f

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
96KB

MD5
a1e9be497b128ba8ff732b76d958c54c

SHA1
ed0e0b727aed07b7c975bd538a9490f3ad9194d4

SHA256
d4362db2d7fed40673a009aaa8627ba6bc17aeaeb4dd37e72068df9c4cce9b0c

SHA512
590bf94dff7519acec90fe06247e647be852d982db8ad7a0efbc0315832e566c30729aff719616f646233beef3dd2a1b1e64b1d2e7325a36b558230ff712ab9d

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
96KB

MD5
bdc77a78f11d55f2d1fda6fb9dc7f681

SHA1
b6455f6c03d33c8fefe41cb5aa73415f029cd171

SHA256
205f15c7c877ffd99b756b4628ed1ded98a1b8b3f4ae87b21330a62cf3088103

SHA512
07766f7a31b52674f49aa742372d4b1af59ff52bf3e0b4d903b9c2f5ddd4e781f1696449ca51badc902e1de74cea4b1d0ffc9cac00089647022ea31d549ffa76

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
96KB

MD5
d3d5a53b2530e9286b78e5f6a675fa5a

SHA1
0424a2fe89323caa221dcbd91662b35f7b1deee1

SHA256
dc3b6e80a2dc6b7f918b4e66c5a2d6b187dcfa822803c7bd04fd8f1bb94e6367

SHA512
68d57ba12239c42e6c0558e11bd46c813f51667035e470b216b1dec60fbeb2309569e43088bb02aa317b05e92ef32edad7b37df556afe655f249366b19826592

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
96KB

MD5
9100c336c61794c435263188df01768d

SHA1
b9c8ae7777860be21b7da25c4b7b4c3e45a4412d

SHA256
c55c3dd2d8bfb711e85ae8526c1e8787d3215908e8ff27e28a8bfe6a4ebf2927

SHA512
1fb1022aad39d96e3ad00f06f8c2a1b34c36249cde38c244aebbead6b1ad3742c914f0c60b3b3a2a20a0ec629cb0cd9248b2e7d8af8b3f55d843666dbee0df91

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
96KB

MD5
b0cac95e4b23f791183d39cd5fb295b8

SHA1
fcbe81db8ee531904ed28e64ac2929c632d651e6

SHA256
0306a75ab63dcb8225265e79c809a111b488ac15628affdca88ec5f799ee7eb0

SHA512
7c1713520b60cf001993c41afe918aa63fd3248920cf5c23806cc88757dcfb6ebfbf0c996b85fa30635ac2563676ec98d1358fd4db696669511a41c9b590a996

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
96KB

MD5
5ee78db0cec521501946f9034396321e

SHA1
5f78767917bb521bd09cdbdfb2665cb51db38362

SHA256
91a29aacfb61231a54f3c3a972ac1be4f4c034a202c49f339e5cf2732c213c56

SHA512
b6d2bf85f2b4b4cf9d6186a664e039a9796d6aaa5fbf6e333e7273eb1edb30089dd67f5d2c3e7c151ab2a291149be70c92f0baac2a1c152b0abe12b272692192

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
96KB

MD5
278d018fb6e36500c86ec9eea77b38f2

SHA1
9b2fac445c6b3f8c8dd94ca323ef4986140417eb

SHA256
223e20cb830d81f5a2a168f9de4e554e99e28a204259284f0be1263ec83b7abc

SHA512
8e554f73585c209d11cedc109dd04b0b06ea0aabd62d90ba98f35072bdc473a9bbbc2eadce900aa587ec2b72d7172a2dd96f1f716614aabad7ea673cf1db2684

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
96KB

MD5
c37632bfeb9278305a7d838822dd5a92

SHA1
c0ad239fd9a692721557b0a6e4447250f12d2205

SHA256
e4a06d7d7de53c4bc796f586a6d265bd12488e3dae9615a904b45ef5c07bc886

SHA512
3326da99262be5ffb5922992de4f37686d8081caf3684f69d98eedaabb8c354ebd3d4dd0de469b66b016213c2fe48041b9cddd63894a020ff15e95229a69303b

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
96KB

MD5
47be79f03cbdcd483fead215a2635511

SHA1
f1c4d26c4139b0e64fe57af2d68859895d5e315f

SHA256
bd0934fd7f9d428683ac69c8b195e422cc48bace72abedc4b7728c5d62a27dc1

SHA512
23c3c23c496d8c73c135dca40fc5aa3ef7fda0358dc335784dc7f591cef6e8474ec74bdf3e9a37b7d6cb3bd138bd639b5c67ddf64a0600e15421e52e9d5419e3

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
96KB

MD5
f50139ecbb4649c8b6c3fd71e890d0d5

SHA1
e41429ae094971b81444fcd93afde8ad96387b9a

SHA256
21ed684037165f227d455bc70714d09afd6d8fdb3e3fd2c4f2caea5dede20eef

SHA512
76de23fd172b9da0449bb2926a3dc8014413996b558d031e4d671d6724d254a98cade5c9f8cff5ba974647fd0c3d6c659d3acbe90b6e60d635f9d12d55211856

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
96KB

MD5
33863602dc6ff1ab6b64f990e600f1d3

SHA1
5a7fb1dfd44f0351e089d7fef996609f18797883

SHA256
f37040129c2686ab1869fc4da42075911719f1f3fe75a2a7d442ecb3e4367ca1

SHA512
c017dcfb12efca05e8f251c4d791aca84e60c1bc23122239a46e09dbfe8dba70bd61bda69125ed6ba5d86cced4285c83129d96fc2e6d5788b8739a6ab9024c5d

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
96KB

MD5
5766ca40327e5e10f86f6caea1cc3782

SHA1
72d0b534180fd5569454b6b0ae3ce1ffa869b393

SHA256
a8bfae1d458d069aeb6123fc5569ad0359513cd8052b2b16875b10f98074aa94

SHA512
fd8b2b7de5dcb1f72ccd1e610dc01115111e7ce29d7af0f779b67a6e69889a7c4eab807a1c36746bb0d77aaed25b932df723ab1fc637ee3b01c087afc8d375c5

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
96KB

MD5
09f2427dca23ab721ec5f89ebf643b58

SHA1
bc9c61df60f43b317768353accc32fe49d5726df

SHA256
5953036b6c979562c0a4ce1ab63cb28412430ea854b05543ed2c6c484aaab443

SHA512
f34ae671197d461baafcd2d9a4f365087d6395edac671735bdaa525d687331e71eb9642650fba44a96770a3ac7a158b5112b214e6226066e16b04c6e45f380ab

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
96KB

MD5
ae1662f08c67777a6cd8361800fc45d2

SHA1
2cca18638b1753b35187d366a50f42433354ede0

SHA256
bbfc7a4c58a7d06a36483b810382524e14ab5e7f817ad50f5f745683f2b3c5c7

SHA512
51e77c18166c049a469036e7781e7db5c1e32578474a9c9691f084dfd4c8dc4f38eee71cbe79a930eda0b36d56de2e93f1a622154b85e7cefac85443a030a473

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
96KB

MD5
6e401618f876b3ca8f2e5042111bb972

SHA1
96050a0ad2149e0f91f2a56ef0cb1f36c9d984d6

SHA256
aaeaf7a09a5e4d75cf1b8ee97b861777f06715351dd13217e603825e1d6a912a

SHA512
abf15132b1731e1be1ee8bf8ef41703f9ab80f94964c736dd12269a8ba6018b0e062d87970a567a5ba3c7a5cf51ab494544aff09d35f9f937eb0c18a436b0322

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
96KB

MD5
e80ab6a043965b5b0fa746240ce68127

SHA1
9dfea420ad2ba4517687bec4e087c8672928c530

SHA256
5729b535d500ca2de732be58e3133fc69ac48a8091bf5475e12425ffea436b7b

SHA512
25d21b4bd9ec3d0de22fe23fc7ea84e27d0c6a76f543619d401e2ae6071181c3dbc725301d13d9e8dad29ddb478bbf14fe9ffba81aa7d62bde688f9ec9e5aa39

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
96KB

MD5
0fc926e654dfca3d250f83ce223d4840

SHA1
03d35b831781c0c9f86f92fccb82f6f12fd87482

SHA256
053a99c5b6cd1c91c2603c960127cb7365f0bcea55c8ab725531be6c081d21ab

SHA512
d23cfda24034848383d30562e1b8bc73ea2ec9eeab2cd017cd722a0ae71ae15040f6c95fc8795b0bb6eab567cf45e37383a7665581574115c525c88bd769bbd6

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
96KB

MD5
f2de04137da726eeb3100da87c992398

SHA1
b1450e3d80af44603bf40467a7531eba768c6aad

SHA256
3b23f1f6b2fba29e6dcbe083c8d8dda4a1feb44d952da88418b36c77e098c57e

SHA512
8937efce11304ff6a2743258d6601824cc221ced5499a3127e6e7fcb9c96f94c48fcee20e9e6d8c7504d314a67236eff06f59542b6bf3d650b33065eff48886c

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
96KB

MD5
04d98c3bf4d6413ebb383b4b289ef3ca

SHA1
ddc325e61de14aae37a57188201057f993563906

SHA256
fbf4b1496d44d6bf889eb5f7c4fba0fb0967988f40a75ac59ec230d3bd966aa2

SHA512
20da1ecb0f0280e31eaa7e50ffe083b3cdb52dca52ea0e897f05bbc724add6facecc5982d3975bcc357cac2f291e135f8c4ecee7afb28746e4d70864128e119a

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
96KB

MD5
9064652e251649fd6668f3c0bc59b905

SHA1
f6ec13d8b8135532aa250e194af0bf6d4ef1a96c

SHA256
a6b643e0ee7e4c5ce09f13d2e78b7aa4fcc6ba9489abebdfd0d83e5f7f50b780

SHA512
faf12623f97118958f4aafd1d39119157368afe804883db67ed21193234a24f5471d1040e5e10518286da8150cbcc66c19ee0ddab192639340df49c06b46c50a

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
96KB

MD5
3728a0b997879ee29266a9228498f2bb

SHA1
75b47c89a72e91e6a0f17eee05698e540f42fcbf

SHA256
729a0510e4a5e04cbc3049694586ec3d2ff8579583405f8686e8c909d05d798f

SHA512
cb7036376ea60ead4cfbb42c958d1842583bf58ea4a4979af2ceb58ae0a563d8354e110aef93b8d06fabc3e721668b57e36ddc4726d56a32469ce45b705de49b

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
96KB

MD5
5cedf3c1c69d9651fe2bfba1f4f2d305

SHA1
3d5757a4988bf26adf46adc44f8635a3fe499b7f

SHA256
85577115b3d8823d042c0cd19a3dc80033557620b557b3a7d1d8e256b3a9b5e6

SHA512
dd9127b81d5592fef3a6c5f748538f140a0c2f484a82dd58e75cccab358ba7c498942b473f494b4ead63c8b248e2e4f3a68b95afdfeb866e9f6798d7777a7d27

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
96KB

MD5
22cce4cf1c655dbaa313e4748e85a52d

SHA1
3ef4b059d6700d870db655dd925fc9977fd2c16a

SHA256
d91eb318c5b1dddb14b073b4ad7e3fae07b41f594f2866931d4204d5366172d1

SHA512
c08eaa1945798946d501cac5142800dbdc7e19c8f12881370a2ad0307128377fed80ecfa25f62f4fb3e9555d6fffdadeb75253a668e9b5e2676e51a1697f6805

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
96KB

MD5
dc158169c336c2612358478ee460ade1

SHA1
8c9b3b6aa49d4b87cf13dcfd478578fb0c05c7f2

SHA256
0f846905520ab9e1831af7e1045d6a19a4aef5151b98185bf3e7b837fbe77783

SHA512
2f91ed2f645d4283f83eaa7d72209a34e637524515043b706964bf1005ea4398e87afb8d0f980990bbf8bfb99baa91ac014d21da9e5995bfba97948efa49bdec

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
a9a35938837086db8d565a2a6ccb06ad

SHA1
37a7242c01165b06795b1338608061ea99b54624

SHA256
3b0610dd01425b99cb5cfcc25029537a253cc5df8d8a8ce95b13dc8cffaac24e

SHA512
0a6ab64a24fd40c834a11b31459c53f275ef0f49ef5aecc3fbeb9a927e6278ffcb831addadc8733217d2ccdbcb17a4cf18e746f79dc2889a3b4888ad8f759311

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
96KB

MD5
64f2e6c1e29290a08fc4f820a22c7da5

SHA1
56a49e8ec5080a2d2e5f1a4383763677f2a3f7f2

SHA256
7a3defd58553bf18a6d509115ad8056507ac26339dbfb2be4241c55bd5cd6e4d

SHA512
7c23cf51853deb6fcbea90f361dc660e9bfc44e6d1956f063fe6590472d472ec4922ba521074c4ea992c600826ebc2286bdc068ba708810350db57d37018cde4

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
96KB

MD5
fe394b00b3d9d6d5b9bdda4c02eb0c7b

SHA1
c590725a44054447b9220aac651d7ee8c29267f4

SHA256
5018fa224d60acd436e908c9699beff61e4e3b41271ed1f85af01d23a6a8fec6

SHA512
21a4e410fdef6f0a561c41c75c0d7098c536ccebba3a81b25c31a48d35605c3919fcc231d6c461a35d38ad9fecfe5b5fda6360a93d008b1251df3d2f9ad930c0

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
af5b3b57f1ee9e79d9cd963f030a01cb

SHA1
f67a0f72193b5d7ebd19e7d3e88dc1e247d574a1

SHA256
9ef84da458132dc770ea5c4cd0fed1b5690bd449fecf16d14c4c095023e99255

SHA512
210c2fa95b70a73487ee869bc700fd887a21cb5c11a88fb000582e24163d76f4a7e6a86f6acf177e2d02f5971a1fc7b97eeae013fb7c00a5ff5896516045662d

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
96KB

MD5
905492758cefbc0cd0d4e82bfbbff024

SHA1
8f4475ac3359ff91c283964747fab7122f161993

SHA256
0eb9fc3e7be0ae31666674e1147b30235d60904c8f1de895e702059d3c59e06a

SHA512
05f0baec20ac384f927c943937fc3ef25bcc803de235c1df4c4b166f44dfa9bd74be9feee402779b67ded4dd7f50e9211488b786f8267389a1270fc36fcb29b5

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
96KB

MD5
ebbf5aa1ff915aba7e60f454af742d03

SHA1
01b3d943f1d02bba326e6a97aebd81af501d071a

SHA256
b4eee728ddc3b4d46175e1269763da404480fb8583759e1d25160f97b91eab58

SHA512
c078921416a1aa7a18106b1f6e9853e6aaf92296818e986d090b9bf9197d5ea783a779bbdf62878235f45c384b9fcbf88e7ed4dea4bd6774dc1867c91828bb41

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
55e312b30d65e487ae6272b3621f5451

SHA1
aa444879f631d0e6e77b8bc74ba5883bc06033c3

SHA256
7a36e4b49c28c5dcd6047fa9074b15a1c816d80eb2501ba003a28545596fa734

SHA512
945b39f32919702c5668726818be46198c2cf35468468a0693ffd2a60ef74c16428e0f744ab6ced10daf54fdcb61fdc06225003fcdcf515e638ebb8ac76f7f5d

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
96KB

MD5
e7878241f61729401de92431f4476a6c

SHA1
77bb5db93dcd632e2ad3e884c37a4e1d8b632476

SHA256
39c348ebb258c85a4efc0a8132d5977f5c08d4d9167cd8db85c0637176cbcd02

SHA512
d6b3d828120961c866af9006ae1600374fd4befd90e809d044290eda70b845274413d5c01051a2834d10687cfa0a86558030a861dd8e8c68e0674ce4f5f8099e

Download Submit
memory/8-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/532-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-957-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-912-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5380-895-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5432-894-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5776-879-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5920-876-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads