berbew | 8de3a66b8a183cbc278098bbf66eefbef23b1a114c8e47a67853ffdaff30d110

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/01/2025, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8de3a66b8a183cbc278098bbf66eefbef23b1a114c8e47a67853ffdaff30d110N.exe
Size

96KB
MD5

c7b74c305e74e77dc9873f48680e37c0
SHA1

5830557b6e38fcad2af964fb82aa2b609bd30458
SHA256

8de3a66b8a183cbc278098bbf66eefbef23b1a114c8e47a67853ffdaff30d110
SHA512

ef3df5226073a7290bf57cc37c189b80fc373100016a64f47bfde764e9eddaac6be42269f4c3c851d5bf65ab3600eaf297889dab39bbed420e10ca89941c652d
SSDEEP

1536:GpZ879I4qsUmbdG+J/V3+74V4GKkWvYyU2LX7RZObZUUWaegPYAW:GyK4qYbd3J/Vo4qdkEtXClUUWaeF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8de3a66b8a183cbc278098bbf66eefbef23b1a114c8e47a67853ffdaff30d110N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3124	Jlednamo.exe
3924	Kboljk32.exe
3820	Klgqcqkl.exe
696	Kfmepi32.exe
4324	Kmfmmcbo.exe
1952	Kdqejn32.exe
2916	Kfoafi32.exe
1668	Kmijbcpl.exe
1428	Kpgfooop.exe
1384	Kbfbkj32.exe
5060	Kmkfhc32.exe
1116	Kbhoqj32.exe
4092	Kmncnb32.exe
2204	Kdgljmcd.exe
3508	Lffhfh32.exe
4648	Lmppcbjd.exe
2140	Lfhdlh32.exe
3136	Lboeaifi.exe
2940	Lenamdem.exe
4604	Lbabgh32.exe
688	Likjcbkc.exe
1208	Lbdolh32.exe
1132	Lingibiq.exe
3604	Lphoelqn.exe
4784	Mbfkbhpa.exe
2484	Medgncoe.exe
4552	Mdehlk32.exe
4296	Mplhql32.exe
4496	Mlcifmbl.exe
1000	Mmbfpp32.exe
4388	Menjdbgj.exe
2624	Ndokbi32.exe
4588	Nepgjaeg.exe
4456	Npfkgjdn.exe
2168	Nebdoa32.exe
4984	Njnpppkn.exe
2908	Nlmllkja.exe
4508	Ndcdmikd.exe
1436	Neeqea32.exe
2268	Nloiakho.exe
1492	Ndfqbhia.exe
952	Nfgmjqop.exe
4828	Nnneknob.exe
3064	Nlaegk32.exe
5032	Ndhmhh32.exe
4780	Nggjdc32.exe
2980	Njefqo32.exe
3172	Olcbmj32.exe
3292	Odkjng32.exe
1100	Oflgep32.exe
3920	Olfobjbg.exe
3352	Odmgcgbi.exe
1480	Ofnckp32.exe
1332	Ojjolnaq.exe
2420	Opdghh32.exe
3000	Ojllan32.exe
2596	Onhhamgg.exe
2076	Ocdqjceo.exe
2752	Olmeci32.exe
2760	Oddmdf32.exe
1824	Ofeilobp.exe
2884	Pfhfan32.exe
5108	Pmannhhj.exe
2164	Pclgkb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Kbhoqj32.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lphoelqn.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Lmppcbjd.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kbfbkj32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Kdqejn32.exe	Kmfmmcbo.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kboljk32.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jlednamo.exe	8de3a66b8a183cbc278098bbf66eefbef23b1a114c8e47a67853ffdaff30d110N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5636	5508	WerFault.exe	197

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8de3a66b8a183cbc278098bbf66eefbef23b1a114c8e47a67853ffdaff30d110N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoqj32.dll"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfnbea32.dll"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakipgan.dll"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeokj32.dll"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoohalad.dll"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 3124	2024	8de3a66b8a183cbc278098bbf66eefbef23b1a114c8e47a67853ffdaff30d110N.exe	85
PID 2024 wrote to memory of 3124	2024	8de3a66b8a183cbc278098bbf66eefbef23b1a114c8e47a67853ffdaff30d110N.exe	85
PID 2024 wrote to memory of 3124	2024	8de3a66b8a183cbc278098bbf66eefbef23b1a114c8e47a67853ffdaff30d110N.exe	85
PID 3124 wrote to memory of 3924	3124	Jlednamo.exe	86
PID 3124 wrote to memory of 3924	3124	Jlednamo.exe	86
PID 3124 wrote to memory of 3924	3124	Jlednamo.exe	86
PID 3924 wrote to memory of 3820	3924	Kboljk32.exe	87
PID 3924 wrote to memory of 3820	3924	Kboljk32.exe	87
PID 3924 wrote to memory of 3820	3924	Kboljk32.exe	87
PID 3820 wrote to memory of 696	3820	Klgqcqkl.exe	88
PID 3820 wrote to memory of 696	3820	Klgqcqkl.exe	88
PID 3820 wrote to memory of 696	3820	Klgqcqkl.exe	88
PID 696 wrote to memory of 4324	696	Kfmepi32.exe	89
PID 696 wrote to memory of 4324	696	Kfmepi32.exe	89
PID 696 wrote to memory of 4324	696	Kfmepi32.exe	89
PID 4324 wrote to memory of 1952	4324	Kmfmmcbo.exe	90
PID 4324 wrote to memory of 1952	4324	Kmfmmcbo.exe	90
PID 4324 wrote to memory of 1952	4324	Kmfmmcbo.exe	90
PID 1952 wrote to memory of 2916	1952	Kdqejn32.exe	91
PID 1952 wrote to memory of 2916	1952	Kdqejn32.exe	91
PID 1952 wrote to memory of 2916	1952	Kdqejn32.exe	91
PID 2916 wrote to memory of 1668	2916	Kfoafi32.exe	92
PID 2916 wrote to memory of 1668	2916	Kfoafi32.exe	92
PID 2916 wrote to memory of 1668	2916	Kfoafi32.exe	92
PID 1668 wrote to memory of 1428	1668	Kmijbcpl.exe	93
PID 1668 wrote to memory of 1428	1668	Kmijbcpl.exe	93
PID 1668 wrote to memory of 1428	1668	Kmijbcpl.exe	93
PID 1428 wrote to memory of 1384	1428	Kpgfooop.exe	94
PID 1428 wrote to memory of 1384	1428	Kpgfooop.exe	94
PID 1428 wrote to memory of 1384	1428	Kpgfooop.exe	94
PID 1384 wrote to memory of 5060	1384	Kbfbkj32.exe	95
PID 1384 wrote to memory of 5060	1384	Kbfbkj32.exe	95
PID 1384 wrote to memory of 5060	1384	Kbfbkj32.exe	95
PID 5060 wrote to memory of 1116	5060	Kmkfhc32.exe	96
PID 5060 wrote to memory of 1116	5060	Kmkfhc32.exe	96
PID 5060 wrote to memory of 1116	5060	Kmkfhc32.exe	96
PID 1116 wrote to memory of 4092	1116	Kbhoqj32.exe	97
PID 1116 wrote to memory of 4092	1116	Kbhoqj32.exe	97
PID 1116 wrote to memory of 4092	1116	Kbhoqj32.exe	97
PID 4092 wrote to memory of 2204	4092	Kmncnb32.exe	98
PID 4092 wrote to memory of 2204	4092	Kmncnb32.exe	98
PID 4092 wrote to memory of 2204	4092	Kmncnb32.exe	98
PID 2204 wrote to memory of 3508	2204	Kdgljmcd.exe	99
PID 2204 wrote to memory of 3508	2204	Kdgljmcd.exe	99
PID 2204 wrote to memory of 3508	2204	Kdgljmcd.exe	99
PID 3508 wrote to memory of 4648	3508	Lffhfh32.exe	100
PID 3508 wrote to memory of 4648	3508	Lffhfh32.exe	100
PID 3508 wrote to memory of 4648	3508	Lffhfh32.exe	100
PID 4648 wrote to memory of 2140	4648	Lmppcbjd.exe	101
PID 4648 wrote to memory of 2140	4648	Lmppcbjd.exe	101
PID 4648 wrote to memory of 2140	4648	Lmppcbjd.exe	101
PID 2140 wrote to memory of 3136	2140	Lfhdlh32.exe	102
PID 2140 wrote to memory of 3136	2140	Lfhdlh32.exe	102
PID 2140 wrote to memory of 3136	2140	Lfhdlh32.exe	102
PID 3136 wrote to memory of 2940	3136	Lboeaifi.exe	103
PID 3136 wrote to memory of 2940	3136	Lboeaifi.exe	103
PID 3136 wrote to memory of 2940	3136	Lboeaifi.exe	103
PID 2940 wrote to memory of 4604	2940	Lenamdem.exe	104
PID 2940 wrote to memory of 4604	2940	Lenamdem.exe	104
PID 2940 wrote to memory of 4604	2940	Lenamdem.exe	104
PID 4604 wrote to memory of 688	4604	Lbabgh32.exe	105
PID 4604 wrote to memory of 688	4604	Lbabgh32.exe	105
PID 4604 wrote to memory of 688	4604	Lbabgh32.exe	105
PID 688 wrote to memory of 1208	688	Likjcbkc.exe	106

C:\Users\Admin\AppData\Local\Temp\8de3a66b8a183cbc278098bbf66eefbef23b1a114c8e47a67853ffdaff30d110N.exe
"C:\Users\Admin\AppData\Local\Temp\8de3a66b8a183cbc278098bbf66eefbef23b1a114c8e47a67853ffdaff30d110N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\Jlednamo.exe
  C:\Windows\system32\Jlednamo.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\SysWOW64\Kboljk32.exe
    C:\Windows\system32\Kboljk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\SysWOW64\Klgqcqkl.exe
      C:\Windows\system32\Klgqcqkl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
      - C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        24⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        49⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        51⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3920
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        53⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        64⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        66⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2876
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1560
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        77⤵
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        98⤵
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        101⤵
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        104⤵
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        106⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 396
        114⤵
        Program crash
        
        PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5508 -ip 5508
1⤵
PID:5572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
08a8140c8e28a19f5eb3a467b19a475d

SHA1
8168a67662dbb2072cd85378c08b1c548b36d8e0

SHA256
aa80bd2ec1074213807fea57a789d2d00f9a37e110c06d08bbf83caa8867f266

SHA512
e394e20f660aa111b25910b3ec2bb4544341ed3a4fa8c44f8550df85118f8a7acb620e951a56c20e942bf9e5fdc70cb01790c3e049444cea6f783f071d8137f8

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
41362f2dd9c162db21da83daa751d7af

SHA1
6484ab3acbac0d92486d64a137605c4942e2d5bf

SHA256
f548976b179ec12de1a89bb32bfb4d7d63dc2285a69743f17026906dc1dcdafd

SHA512
ab347c3ab690ad304afdc1065a49d4c93d0c441de9c851ebdac652144d80d563eac3a27ab92eb329324198d7083a5dc7ea431a9389bb852172c26d9c29ec0e6c

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
96KB

MD5
b0a56c126e619b36378130304451b2ee

SHA1
2bc01a690a05da48bcc438d2dd6f3bd44b2dfce1

SHA256
73e9dbbfa222c9bbf065011445fc3a81fcb5b73c1f698c51fa4d9b9651efd73f

SHA512
e66b2dd2ef2f54e9eff417b108ea5bc3d9ecfb8db37afaa2ef736cd56f01e1309ff7986af6340cd127c6c5e3f59341c9cbc543bc916f2ef9049f17726ae7b024

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
7683ef397dbb9344edaee80550443a98

SHA1
8255c5cbcd05a4f3fe5986c4378775ee5db54a07

SHA256
b069e149993c024b8e194bc427a54efca2201b561a2620d32b33022359409dde

SHA512
b27bc695f8288cc5a4331d7de6ccb121be7674a5f4e9c87dcbf781fed621cabdbca833ec9b2def3a951c8514f47bf2de19acf128ddc5f9cd553ef35904d1f4b2

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
9ea273e4e39aee657b6b245fda83ea3a

SHA1
d23dbe267907388b8e46c6e4780963f8e4e495f4

SHA256
7b83b3e0975579197d12c182f3e630576859d1bd061b8e600d3c8952b656ad4b

SHA512
e34bb8f06b67070cf2555745752ea48b12a617b4365ff0a7530f273d1b77c56e94fa52d9e764c428af2dbdcc64d62df0a6f1fa0ddef663831253ea7299ee693b

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
d3206089762041fef29ffbcd2a238710

SHA1
86987513c4fccc13c89f4da8bdf7e6c0e17ea840

SHA256
4ebca436b83474a5010ddb4b9977e6639880ab3f7efbf3853eab8909d62059fe

SHA512
3a46e77dc66e59ff9f5db6247eecf98bd4cb0b094ef0d861f515fd4b2bc8cbc465accc59f5bd381dee7d35d3b8d5657b2c8a0a6fb44430cbfb002480513ba60f

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
96KB

MD5
e15ff95c4f905671bed2fd0553b3c166

SHA1
02d7672521ac259c2f082765e5dee37bfa3aef4d

SHA256
77c30ff287877a22f1fccbe13331ec027176fb2ca5a1732e6e4f571b598a638c

SHA512
0454a2b57438487afa9d14856fc1f41a6588f37e399e0ce587f772d004ca94dd84ff1ff7af85111e2a5dc5729c3b2be90583230f4cbdaa8c864c396b7cf89c8c

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
96KB

MD5
90d14cd2494a58880c584a37f430ea52

SHA1
c638a84a0f6b0877fa2263dcdf7791364d843ac2

SHA256
19ce81a3961aeada25e80b1e03a4f585ced9e6c522c076d185f6c59f45096656

SHA512
5e396559ac473a670cbeb9846594227d1ed2ab348e024a12f989dc6467a9129f8e35fa3c7a4eac6da373e145abbe97fa5889d242214e1519d56166839e7806b6

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
96KB

MD5
380ef5de89ad1bfd4db623403bfba451

SHA1
4e5d1b9901884e69dfecd26144335aaba293bade

SHA256
72a47458400eae214d7e6625ee5d6b65ca5b6eaee61b89354ad7039673289663

SHA512
d6d448213a45969941522a602140655fdef9edeab37b20575fe367a52c2013ce43c098e4f3089621896ed0f97d3b71bcc18b1d05f43452f0a2edb0082b19c42a

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
96KB

MD5
9eca46eeb1208b935e7e878b1ca48cf5

SHA1
f694fb3a9a4a4b455e734406be2258e7faaccb51

SHA256
361d4e05da70b7410e8f2f4f0e1a5a9aa1475eac00cc536fcdede6463a430227

SHA512
c36ecf73e16829c18aba8f91c9eb833c8cdf08652dfcad496c86afc56a7a421c9445037afc5aa0456feef6e6362e732adcb2b3d05a7105dadbaac5589af04400

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
96KB

MD5
d68fc3e5978de12cbfe006b0e1cbc468

SHA1
46c72b7f4e2054aef3e08a287a566a42481de99a

SHA256
6e2a6fb2f97cde7d9ec05c6258cde0ef99d1bf0471846bada2c51ae54d32f527

SHA512
f4776281808bec093837fc5081e79438488603033c92bcdb7881794c024aeb95ac74cddeb1cce1f0affe62e9299dec4a76b6dd529c739bc2072a8561007f5184

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
96KB

MD5
52db8213c1dc53e7709b5e3c9c7ad266

SHA1
28e7b0b73926818709641220de4f78c9591a9e51

SHA256
dea41cfd1c723e217c5f77cac0c322ccd0dfcbf3a6d11dc5677a133d5428b0c6

SHA512
b671c1698ea5f76a33e2583db67f51579875e5500391e6b1c836a54185857c87d4a2cd42f355ff4b368b252b8e24af46fb862c5d07efeba72060b855202be810

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
96KB

MD5
314dcd99b9324a3d36e5e732ec79ff8a

SHA1
e94931241d404f27667eefd57d356295bad0a398

SHA256
e567c058c4160a168ce40a07e061db7b84296c6eef5a9f43e73b984256214e71

SHA512
0463ee3d36feedb5b16d9897612d81471f2c4bffb5381c3f2ffa081cd34f906e37c112c91052cb32ad3361792be955e4c1f03c650b8af56bda27d6ffcba458ee

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
96KB

MD5
8c11839db35d68a0741b3e4b496d0d93

SHA1
ded1ac1cf175c011f781dfaf927d6ae4a89ca1b1

SHA256
f15e5f35cf356db4b00f315132aea4b690a3ab13495faedcc87b84b20010b2c3

SHA512
1c9cd2decc635b1c8c0963448ec779c0d5946451833fce521383d7c24e5b4fa204f3962099b4ea829112ba498436ece50d93c62c745567e6f2a94e5ea4940614

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
96KB

MD5
3b609b4ae06ad0a2f1988b84589ec6c9

SHA1
27e0fbd0c1381881caf689505499623db8f9cf78

SHA256
7d79f141cfaf5217603381c3e748e9251164810790ae826cc4a92fb8e6642a6b

SHA512
2e5c190609c476d8376e1bbb28119290c1fab2728ea731f9b6e0805a425c8d9319cd5201bd44d934bf7cce12dcb930af39746c70129a3915abb8cea970f069e5

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
64KB

MD5
132fad74e715b138cd5453c80290d61a

SHA1
9087994c8ae20241640eaa74f75eb32a67dd043a

SHA256
1a68bf0ba35a3276403f385dd3ee6196b2a7abfaafd31e951e30b3ebf89dcfe0

SHA512
44610a7e3cb344251c1045ef5e6f825f4e0cea73b878c444928e361eda21a64878bdd6e1eaa582685db7de59a212794ea5240226c8cff96597c91e215666eed0

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
96KB

MD5
d034f7cde2fccd352096973ef7f2f7ff

SHA1
17bb981f5963147ec26ecb4dddbe6730b41649de

SHA256
80617068e906fcc903f2d40674095413e1f457333878acec85908a35a5a64ebc

SHA512
095c2e2754c7840d6c4d11dc3125dd622d3d2746674a592c52721f5d162a1c0beaf9afd3cfd3018203a2651a6f1662d889353b4199e29c0cf757cfb1eaa9c028

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
96KB

MD5
db56329c7dfde2eab6533914f8276860

SHA1
26993ec31328e4218475796b63514dcf3ab78e25

SHA256
0b5ae149ddce29cb11b98e6b91851a093a87d22f7f4cd19748e2bad7a6a84a4c

SHA512
0383fa9dcb4e877fb822185eb01a2abb39f73bb1417f1b97e755b572b49cf352833ca2cf0cd3f7e82691f24b817df9e2a9c735153c4869030293b256fee25f36

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
96KB

MD5
8553d7fbd542158146352b699139248f

SHA1
a9255713ceec058b3278e8d42678b1cd9c9f93d6

SHA256
9a7ed91a9d8ca7646d94d522f64ee9e2c3612c7f6bc5607237969aab54913935

SHA512
a3acb73f3c8b206d8316a90bca61a88ab23259147b5aedf7ce44bf47c1c98a699012ea1d6d3240d24b67e802fe5c7d55dd59474a2c50e95a1efe63905a3769e8

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
96KB

MD5
68142f370d4127bb116a45999eaacbbc

SHA1
6de5227cb1ac58ac38456f7a6bac8d78d934e196

SHA256
80f25d4926a32b56f6f7805de7af55cf3bf7abb70dd3bedf2d7c76dc20bf941d

SHA512
4b207579bfeb0082af9220e533f61c5246cefa1a382cb1c3aa8e4bb7c98d2025cf26bd89939a59db7d6519b599ec73e585ac2f8c29f14b9d1d0f177be26fe05c

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
96KB

MD5
95e21808a7abb78acd6dadf5ada8a742

SHA1
52702139e08f56032b44930d7c862bb5b326e32a

SHA256
323d241be6172e6387ef085da6e060974ff02cb66601d7b97ff6b2d71190c708

SHA512
eeff2378b082c8214def3733df9c29368715cdd6faca22661b39fda6b9c9b49df61ebb9de3cd5d3eb500fe71184f75876ecab0fe816559b56db7cc90dda20033

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
96KB

MD5
4ea669de1f5cc54710836677f09ea922

SHA1
a892eaa2106d725242a0af6b3be0431c8af9439b

SHA256
aec24a07184717a93eb8c74bd420fa8195a67ede34a23c61b9f1bc5ac10ea0c7

SHA512
fd2c792c339fe5296dda60a3d8139fdec4ecd9ec00c5b74116243541f39cbb18f4b658d03e6d284f07795dcf6a52b8306e0b1a6cbc395c39f36e9668a1f92c7e

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
96KB

MD5
21ba090b38408d7791effda4e62095d6

SHA1
673e0ee3ea7b3087d5c9fffcd84b4701764a72e2

SHA256
c953415f72bfd79c973e6b4f14809c01ec6752c2dda1f0f9dabddb3b4df32484

SHA512
7c4470b410c6c01e38bb1aee103601a044dc1088f993ae0e616aec78bd4fe721f5efa783dc5a6685faa009fff1545e74945aac5ec3ff0cf382f7f11e9e35d6a7

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
eb32f98e5e4060838e93b294ff3a5af6

SHA1
229cff91f3c1745c816e8666d6972f60f71b8e35

SHA256
171d54e3c1dd2d2306ec5a1cf18d0dfcd23656817a0da8887039590902a21a38

SHA512
23043bf6ac3059f3efa5c85c31b79eafcfbc70bc72d3cb82735001303ec8bb0a249869b2b92859aefbc93c3caec7f23b168370014c23db83670a088cd9e1fce2

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
96KB

MD5
a53f72d17560cf6ad40dcb5dafaeb53e

SHA1
e6fedce4e262ab786dfe56f7608c1361d548ae1a

SHA256
e6291e110d8b8c1de35fb9eaf59bc6339e995a72dc8f4fceaa8e94219f98f8c8

SHA512
8b4415e9f9c54029d6b807d854c49edf5bbe7c051f76db4679379b2c07ba5dd8035b37d1810fa0d11c85974d997a68af6c7195134c963e8bb2cb89f9036aa251

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
96KB

MD5
451fa46d4477df85ec5eea176c64c444

SHA1
3d151ac99fc5aec9337c31b6a38fb2aadecd3557

SHA256
6197dfb4b41a9e44bb6d5a7cc65ea1ac5c9c46ed575d73f36ab5f85d75649a69

SHA512
f839a7b3e113b68843b7b2734e5d90da34a7f88cb539084dc6539986aba991bad49075990f7c52f740c6daabab3bff5ccc9124ce95c2a8d8f511b9fd37832819

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
96KB

MD5
35df93a48cc97d7b08394806e91bdbda

SHA1
c9847d31668ede960bbe9a8877b1c6a1a4b0818a

SHA256
ce7620c737ac8223e144c602602df9ea10c49d4f3800c3e4074ef7a19750f569

SHA512
782f73360ebc011aa89e2e91d3a76d8e5da02ccbe9af8bbc7703feb6981d76c17c3acaa3f0c74603322b603b06933fcf274a972af66c7e9ca220bdf4ae04b174

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
96KB

MD5
6bfc57a89aad89c4d70e77e9634b71a0

SHA1
b5dd7f7ecefd2c838e248a2dbac06a70ec3fbb0d

SHA256
41b44870bf071c07c70d93e6b673f939644e65d7f413955b6984615b772b0c4c

SHA512
51a503be0b775c6e314d64d66da0a8bbe17b575921062fe46ff6e057ff0b6b9a8f5c54380e10072c829b12df358ec06e4687f865e340f46cc86720640ea42b66

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
96KB

MD5
21f57829216f326209513e6be50d11cb

SHA1
043a190aeb07a8e4c46cf7857b03ada35e8e05f0

SHA256
0a001a675dff9421ec789633b7234d28a8869b74882b9432a36f07fe61423c05

SHA512
4742067c04eeb86c4a5616b2d72f375eeb6975728bc7dd158dd79e7944fbf64e9387cc3c6fe9ee57f85d2e7c05b13cdfd4a471429879ca7b83b6201842715d09

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
96KB

MD5
fe842b0da97c3c5577e8ac337d7e37aa

SHA1
0d6f7fa4b26b1b27dd648e1715354fd821a75c63

SHA256
8fddd39bc8ec0af571af5313c31b6f6fc83d31265d29a529edc13347207c0361

SHA512
a51a3e7eaa57430af56a1b484c4c95783d2db0838125a3d87b31648550a891ed456103029b109795c6a7e76e1942c2a9543b0ed5957c6f9e9f39e195a89145a5

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
96KB

MD5
6639abd75db178868fa2a3a78cc22059

SHA1
d642cc09e14ad604b49570b4ba78b2697e79c3f9

SHA256
1c36a4d67d080d98d6fe7b67878b58fba50ac14bc6e23e9e9e1f379c093815a9

SHA512
8362e26ab51e460571766b5daf7ff2a99e8a27b280802c1c3d09916fa512729adc5b91ce3d73bfdef669ac500d1142da3cd1fd648bd0a3efd57fcda99e968c11

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
96KB

MD5
8caa245dca345353834659fef8ccdca0

SHA1
8dce848092eb02b797c1c51134ffd5b114f5d40f

SHA256
417e4c18059c5942fb0d0ecb0065eb29001c7d1e03bad27db4bfcbbcb4ce5b5f

SHA512
80627ad5fa9156d171626775cd36ab79cff80bcceec1a5f27f127b1a46804acbb44ccfcae1215ab9cc199f1a2c2b36151aac60396c71287bf3c0258ba376ee9d

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
96KB

MD5
8ac4ec019274f729e7a643af34b1aa7f

SHA1
a595eb6fb6e1ff367ef09b1567f6b7b5055c2302

SHA256
b94f59f6b8d8403a44dfa62a4eda96c3a0e3395a4dbb7b426e43feb1d10a2423

SHA512
8e382ab2e318e452b3ec6dd83c7bff0de91d6b2031ca3a05b5542cfce75a66dd9952e3144d8de991c50f22847db6bf69be07f7e2f3497052d54dc6a0d8b5d62b

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
96KB

MD5
197a934bfdd73d06bc6eaf1213ff8a35

SHA1
fb61476a08c0859593a8b1bfef24c6db39ff05e9

SHA256
3a2b6520b7b246ccbd703ef0cc39aa107fd5b552254c6c1231c7df4459c701d1

SHA512
cefd6dbbf3a9ad347580012c1dad815be4d5685c695ef03881da667c7b1e9b40874dcab2e3e8c4c5260d2cba7b9165308a94ee4c26e5a0a1af485a6899e0699a

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
96KB

MD5
947048d482c045c0302cdc597abf67f7

SHA1
73c41a883e1aea13cfd8ecfacb8170acecac070e

SHA256
d1be43f6e87e671707f80cc5f19beba6829802242afa4a8d2912eb69a8f10e16

SHA512
ce0e2cdcde3884160da1a985520a551de3936a89aab73a95c889a59c20813b25fa51431a23d3c3c038b2275a43b7dd162a220606ff49fff84658398a32feeef6

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
96KB

MD5
4198f10df72fd43e0347c88b6eb2aa85

SHA1
d5052c6cd0982c48a7918576ec0c42bf0a5fbbee

SHA256
348f1b50c5730550bbb4fe9955feaccc0052a62a4856bb499b4c908b37ca81b8

SHA512
f7f06a166b1b7a48fefc0463b9ebfa21c1f3c10c188ad6c994cc4333750328faf2306addbc386bee21cffa0d0f29f9642d2e76feb7eb05e51da554ed6f5834be

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
40449da4888a301c48f0323cb79e57fc

SHA1
b6dbf60d0d65f7886ab4c91ee389bda8ef4e4e0b

SHA256
3b382f65a9cbb4e2c5fc24bbb5251d14e07428c258b8dc469c2c24d6fe9572f5

SHA512
b6f24439122cb81cc08f65a33763b97cdadfe45fbdaa29ee3db3389239e9df68e5688bee561e19b9b3c3300ae304ef00b4a42ea390d44e0e5ed3f5d19cffcb91

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
55bd368fc4e7e4429776d8d03533cc51

SHA1
62b4b92d23412e306bc128be01d082649e87229f

SHA256
0305ee51833200e0aa6df04f3186a95f1c4fe1676e8b02b95365dc976fff6a75

SHA512
6b7a45264f86d7766d8fc4d60db977b57e3085fcdd333ecf9ff7d7a5ea1f0d0b36e2e607789281c5456ca9edb2fe20545f2e3099516ae5e24c86b01f7e35373b

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
96KB

MD5
bdc4dd4d290fee4bef3c3bc474f832b3

SHA1
8eb69c0f1512d196a9f1e02cec5be3ead33d5d43

SHA256
a8a7d61b21c19f84ac602c6d46784190517496ab250cca5e5ec9cdb7797fa36f

SHA512
451cfa2132ae65d7ba67bf2d2be0a7a9339bdd4fb4b9f945106fda0b20853e5082903b4d1ad09ad09c509252a6ba98ae4e5cbaab6a7575e0ddbef00e6b85a581

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
96KB

MD5
c3c16a8b6861e799008832cbc7fc6b07

SHA1
9b39386bdadef097db0ce3a14475ff3afa9bb5df

SHA256
fb7dbb51aae66b6d9150dd34e8d90aa544591f540f01b37caabf113b1d831688

SHA512
0b91a330381eb319692f9ebf49babc6c9dd6d062f36f656c1754199515c89df3be058b30ebb58fd571021b9b73d776e20251af5327917dd2987eabcda2e3dca2

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
f2eb9647396299b112036bdca9c883df

SHA1
7af7579ef78f950cc37e9ceb67a01e39dd6955b3

SHA256
38af6aecf93d30a266eea5a2c160e77fa6cceae17a157838c523fc7323be0a5b

SHA512
f1d800c1d7eb2a9209ac0c9f6eb88462c66f7d0b1b2e386a08c617de1e646e97b30eec2516be9864051ecfbcd09ec25233c1a74f7673882cf3b00cee6983190e

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
96KB

MD5
4beefa12eba306da81eb12ce89015635

SHA1
e6e6334ca7cd80e7d83a2a426f0b9507267a24ab

SHA256
0f5e74c7a7066b9bd9cf1424e84cc12c313413acdd251a4784ff288d857521f9

SHA512
2e3207e950a33ffcafda1ea20fb6f84eb24751dd576ed09a086b234cb4e118416c60106a9a46eed48b7d92aef285a38da6e6478064e9038afe3b880b9f3347de

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
96KB

MD5
0d605ea16a2feb7a7f15473f69a55abf

SHA1
da1d8310f92bc153b42b4748b3814ee7915a2c33

SHA256
65a5ecd1ebd9e9f04f46e59d4e294a6fc8d1324485905c3cd330a54547f4ca10

SHA512
a2b69463df2d0baa3aef6a0653090ab75205e3d0c931e65f13de36df5cb6191f69e569603eb6588b0776c0821f3d892301f5d65d38558e2fd6c482ce4f899569

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
60e2473f1d0b270fa112e09b3c51073a

SHA1
d09597d1e3211168d21dda454570b870a0313f9d

SHA256
3742e7125474370111e7580d5acee53eda9679e1bdff70d5127c1dca2c0a4f77

SHA512
048e62e07837461a4b27779c6798205f70c2a87f3b99eb5b135918ceda15100ba043b61ab73bd01aa196784db41287790df7c552bb4336c8d2ec47f0056e8e91

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
96KB

MD5
edfca1e481d96eec77a4d02761062ee0

SHA1
f0fd5ec9f38c0dc33c7ca9d03982f3fde8422088

SHA256
c1bfa1b32b83126d8561de5fcd34f812812db94e85a55218bda6817129cb5b70

SHA512
4f8584eafc3a8d55c9b17ec621ec6bc80a58cfd8c8bdf75571fb87bc04c438fb8502013312568a742493a796d4b253db2934acdce8022130ceda23be1c02c24c

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
96KB

MD5
1493a686f3e3953a9052102cf51ca450

SHA1
5334199e19165609359ca9493c019de60a752934

SHA256
154630b5e021b5a96de0b562db4323c4ff5f8c59304afaa04ac1ba464b973f0f

SHA512
793aca4fcfaac0ef5ed01f9c3280b2da5921f62f54b034f8cd480cb05ea2046eb9dde29b402546b2043cc18b36bbe511a235e6150bf80d2367e8e6489952e6a2

Download Submit
memory/396-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-811-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2024-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-820-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5244-783-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads