berbew | 2cd68abd84c14a7a3a3073ccddd1ae3f39f41a8247683ec67daddb02de56980c

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cd68abd84c14a7a3a3073ccddd1ae3f39f41a8247683ec67daddb02de56980c.exe
Size

93KB
MD5

1186694cd93a10d4c6810249b24343ae
SHA1

777fbd3e4b08b210a918da0d69e3185459a071d9
SHA256

2cd68abd84c14a7a3a3073ccddd1ae3f39f41a8247683ec67daddb02de56980c
SHA512

d6c84c02af9b5bf93923e7d3c5ef025a411ce5137afa7e5271fff8670b0a3a34984cce90645862167d9300bc7b4b701a3082a374f996fa4646457806d724b05c
SSDEEP

1536:EV+L3S9X8CyuLHYk4I1DaYfMZRWuLsV+1R:xL3SKCyuL4kTgYfc0DV+1R

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2412	Kpeiioac.exe
4428	Kebbafoj.exe
3444	Klljnp32.exe
712	Kdcbom32.exe
1032	Kmkfhc32.exe
3936	Kdeoemeg.exe
3652	Kbhoqj32.exe
936	Kefkme32.exe
5012	Kplpjn32.exe
964	Lffhfh32.exe
4436	Lmppcbjd.exe
2116	Ldjhpl32.exe
116	Ligqhc32.exe
2144	Lpqiemge.exe
2892	Lfkaag32.exe
4432	Lmdina32.exe
4380	Lepncd32.exe
4308	Lpebpm32.exe
2404	Lgokmgjm.exe
3100	Lmiciaaj.exe
3592	Lllcen32.exe
4496	Mbfkbhpa.exe
976	Medgncoe.exe
1540	Mmlpoqpg.exe
1412	Mgddhf32.exe
1080	Mibpda32.exe
4088	Mlampmdo.exe
432	Mdhdajea.exe
436	Mmpijp32.exe
860	Mcmabg32.exe
4508	Mdmnlj32.exe
1876	Mnebeogl.exe
1616	Ncbknfed.exe
1524	Nljofl32.exe
1396	Npfkgjdn.exe
4932	Njnpppkn.exe
4856	Ncfdie32.exe
4164	Npjebj32.exe
1344	Nfgmjqop.exe
4884	Ndhmhh32.exe
2316	Njefqo32.exe
1328	Ojgbfocc.exe
2392	Olfobjbg.exe
5000	Ogkcpbam.exe
2964	Opdghh32.exe
4964	Onhhamgg.exe
448	Odapnf32.exe
2668	Ojoign32.exe
2904	Olmeci32.exe
4636	Oddmdf32.exe
1604	Ojaelm32.exe
4416	Pqknig32.exe
5028	Pgefeajb.exe
2432	Pnonbk32.exe
1520	Pdifoehl.exe
5060	Pfjcgn32.exe
1368	Pmdkch32.exe
1916	Pqpgdfnp.exe
3680	Pgioqq32.exe
5084	Pmfhig32.exe
2640	Pdmpje32.exe
1224	Pnfdcjkg.exe
2400	Pmidog32.exe
4356	Pgnilpah.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Lpebpm32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Lmiciaaj.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Lffhfh32.exe	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Lepncd32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Lmdina32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5916	5828	WerFault.exe	204

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2412	744	2cd68abd84c14a7a3a3073ccddd1ae3f39f41a8247683ec67daddb02de56980c.exe	82
PID 744 wrote to memory of 2412	744	2cd68abd84c14a7a3a3073ccddd1ae3f39f41a8247683ec67daddb02de56980c.exe	82
PID 744 wrote to memory of 2412	744	2cd68abd84c14a7a3a3073ccddd1ae3f39f41a8247683ec67daddb02de56980c.exe	82
PID 2412 wrote to memory of 4428	2412	Kpeiioac.exe	83
PID 2412 wrote to memory of 4428	2412	Kpeiioac.exe	83
PID 2412 wrote to memory of 4428	2412	Kpeiioac.exe	83
PID 4428 wrote to memory of 3444	4428	Kebbafoj.exe	84
PID 4428 wrote to memory of 3444	4428	Kebbafoj.exe	84
PID 4428 wrote to memory of 3444	4428	Kebbafoj.exe	84
PID 3444 wrote to memory of 712	3444	Klljnp32.exe	85
PID 3444 wrote to memory of 712	3444	Klljnp32.exe	85
PID 3444 wrote to memory of 712	3444	Klljnp32.exe	85
PID 712 wrote to memory of 1032	712	Kdcbom32.exe	86
PID 712 wrote to memory of 1032	712	Kdcbom32.exe	86
PID 712 wrote to memory of 1032	712	Kdcbom32.exe	86
PID 1032 wrote to memory of 3936	1032	Kmkfhc32.exe	87
PID 1032 wrote to memory of 3936	1032	Kmkfhc32.exe	87
PID 1032 wrote to memory of 3936	1032	Kmkfhc32.exe	87
PID 3936 wrote to memory of 3652	3936	Kdeoemeg.exe	88
PID 3936 wrote to memory of 3652	3936	Kdeoemeg.exe	88
PID 3936 wrote to memory of 3652	3936	Kdeoemeg.exe	88
PID 3652 wrote to memory of 936	3652	Kbhoqj32.exe	89
PID 3652 wrote to memory of 936	3652	Kbhoqj32.exe	89
PID 3652 wrote to memory of 936	3652	Kbhoqj32.exe	89
PID 936 wrote to memory of 5012	936	Kefkme32.exe	90
PID 936 wrote to memory of 5012	936	Kefkme32.exe	90
PID 936 wrote to memory of 5012	936	Kefkme32.exe	90
PID 5012 wrote to memory of 964	5012	Kplpjn32.exe	91
PID 5012 wrote to memory of 964	5012	Kplpjn32.exe	91
PID 5012 wrote to memory of 964	5012	Kplpjn32.exe	91
PID 964 wrote to memory of 4436	964	Lffhfh32.exe	92
PID 964 wrote to memory of 4436	964	Lffhfh32.exe	92
PID 964 wrote to memory of 4436	964	Lffhfh32.exe	92
PID 4436 wrote to memory of 2116	4436	Lmppcbjd.exe	93
PID 4436 wrote to memory of 2116	4436	Lmppcbjd.exe	93
PID 4436 wrote to memory of 2116	4436	Lmppcbjd.exe	93
PID 2116 wrote to memory of 116	2116	Ldjhpl32.exe	94
PID 2116 wrote to memory of 116	2116	Ldjhpl32.exe	94
PID 2116 wrote to memory of 116	2116	Ldjhpl32.exe	94
PID 116 wrote to memory of 2144	116	Ligqhc32.exe	95
PID 116 wrote to memory of 2144	116	Ligqhc32.exe	95
PID 116 wrote to memory of 2144	116	Ligqhc32.exe	95
PID 2144 wrote to memory of 2892	2144	Lpqiemge.exe	96
PID 2144 wrote to memory of 2892	2144	Lpqiemge.exe	96
PID 2144 wrote to memory of 2892	2144	Lpqiemge.exe	96
PID 2892 wrote to memory of 4432	2892	Lfkaag32.exe	97
PID 2892 wrote to memory of 4432	2892	Lfkaag32.exe	97
PID 2892 wrote to memory of 4432	2892	Lfkaag32.exe	97
PID 4432 wrote to memory of 4380	4432	Lmdina32.exe	98
PID 4432 wrote to memory of 4380	4432	Lmdina32.exe	98
PID 4432 wrote to memory of 4380	4432	Lmdina32.exe	98
PID 4380 wrote to memory of 4308	4380	Lepncd32.exe	99
PID 4380 wrote to memory of 4308	4380	Lepncd32.exe	99
PID 4380 wrote to memory of 4308	4380	Lepncd32.exe	99
PID 4308 wrote to memory of 2404	4308	Lpebpm32.exe	100
PID 4308 wrote to memory of 2404	4308	Lpebpm32.exe	100
PID 4308 wrote to memory of 2404	4308	Lpebpm32.exe	100
PID 2404 wrote to memory of 3100	2404	Lgokmgjm.exe	101
PID 2404 wrote to memory of 3100	2404	Lgokmgjm.exe	101
PID 2404 wrote to memory of 3100	2404	Lgokmgjm.exe	101
PID 3100 wrote to memory of 3592	3100	Lmiciaaj.exe	102
PID 3100 wrote to memory of 3592	3100	Lmiciaaj.exe	102
PID 3100 wrote to memory of 3592	3100	Lmiciaaj.exe	102
PID 3592 wrote to memory of 4496	3592	Lllcen32.exe	103

C:\Users\Admin\AppData\Local\Temp\2cd68abd84c14a7a3a3073ccddd1ae3f39f41a8247683ec67daddb02de56980c.exe
"C:\Users\Admin\AppData\Local\Temp\2cd68abd84c14a7a3a3073ccddd1ae3f39f41a8247683ec67daddb02de56980c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\SysWOW64\Kpeiioac.exe
  C:\Windows\system32\Kpeiioac.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\Kebbafoj.exe
    C:\Windows\system32\Kebbafoj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SysWOW64\Klljnp32.exe
      C:\Windows\system32\Klljnp32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3444
    - - C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
      - C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        27⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        28⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        29⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        64⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        66⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        67⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2848
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        73⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4552
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        83⤵
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        84⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1192
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        90⤵
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1468
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1456
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:812
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2588
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        109⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        112⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        113⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        118⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        124⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 216
        125⤵
        Program crash
        
        PID:5916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5828 -ip 5828
1⤵
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
93KB

MD5
f0a1624b65b3f294c2683696c7971ea7

SHA1
3b74e017d7682e73ee5ae675ca356c764cae32d7

SHA256
ea103243d2858242564de3512a7a710a97e215cdd5af7490af1801dd8e018e0e

SHA512
87fd71f122bf2d45f042cac3f95848830ed4a6f6195308826354c4854412a097b22fbc3f6b4e6c623553c00a0612638f893eca40b2b942b85d72acf520083d9e

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
93KB

MD5
63c9c11d718f800204fa1cae6d860d33

SHA1
c1d28cfd27c2869b6b8af123765f3388e4d8987b

SHA256
3c7c00e00dee41019355c9a3846f0f126bc262fe20d54ebc3fca4ff8a3a1e6cd

SHA512
696b7a68b25deb14cf45c35f2f7b478e0308d85de75da0c1d71fcb5a979c77bfee3fd619bbedb77f5cbddd327b45b2645e5fdba34c184c016717b00fef95198a

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
93KB

MD5
80e64b7093b25996f69033f7fee1926b

SHA1
9873bdc12c7d34402e23b2e4b6bab9aaa3f188b8

SHA256
ad7bc6b182cfa29610e35755ca6637305751f4b4e84107dac224d7758522f097

SHA512
9cf7b56639947f9972455e67a75a3133266cc237ec66e193a9aa5bd9a4a0285b099196d379b0c1cf3483200cc54004f4b86c76701abc4d402064ba859f0e74f4

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
93KB

MD5
8ff38e75a8cc8a65582cb15b29c4b31d

SHA1
1872ff02863210f9c9922bdb0a7b6f02121c2a85

SHA256
a24499dc47d8d80661c8ea2fb608c881bfadf030822381c7639108ebac917d98

SHA512
f5b4bdf1cb7229859b1d564a8c7542b30e1397b305db497d11c1d46b07f391eda65346794c282ec4bfa55052e2153c5955803b8364a397fb07c50dc92d4a69cb

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
93KB

MD5
e7895a64d861c50027ab04ea8af16483

SHA1
d0681a439424d5d9c65310eb609466526d4b85c4

SHA256
b6cd36e0b128d54378678911a2cde98b49427474e306a78057ab5b937b150389

SHA512
c760c85d7096959d829f215defe4dd3b2acb84cb136b6c692af5dee639f99d53621d9e96e4a1a0f3cc5a5cf10e1090c7b87a31457917caa6e82f4ef297d1b9c2

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
93KB

MD5
90a8e93814f0e25cc7db22d6d26878f0

SHA1
05b5c8cb69724acd43661344ba82b87fc79001d9

SHA256
f714cdd868bd50496f1c85ad654cb2900dff0b6c08b985200f4aeed70eff036b

SHA512
634645ae66423e37933cbd4f1e7cbde6c1cf34728c3ed1e1eb552906d7cf31e428616dbaa162c941436c8c71f49777cf7134f3e6414cbe5b006dce75b5d28d9b

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
64KB

MD5
78907ac34491c32154c5a570b83427ae

SHA1
13215c68decfa422b7b62d946f8faa6bdf4a911f

SHA256
a19f519967fe5b5973472832101f62300d2e927483055aa48e992136fd7f1931

SHA512
cde98723fead04983a7958d500965f8ed25714633ef0b3e006dffd9e229b44de1709516ff9dd8360a10748b0c7eecb3b642501f80d1e305a0fe9044b5eda58cf

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
93KB

MD5
f25561a87ae533f3c5b67bf2917cb20c

SHA1
20bb98089100f87849603ccc5c629b7019b84499

SHA256
32145d0f4101d8f03127020f92c90d3f219cf7835aeb1281cb46b458b872c30b

SHA512
e411d7e49fa4a6bab9a166ef39afa964a994aac98a59c2f2197de993e1dfe348017fe90ed5aef6a72d3853da3dcbb3047766b11982ec36857c62919b6dbe847d

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
93KB

MD5
bc18e0fbc33c90a32117601d73804ea1

SHA1
741fa18e82bf7e4a4af8c5e4d06aa4a9f686525f

SHA256
1d2646b8a816b87f44dc001274b60f9d802c4d907fdc38c470c6e97b388713c8

SHA512
1f20aee930a5ef081d48c8ab8f5d2302f24ca8adaea8e3d9d042f4e2eb8c635e19744c64357923b80c09345e3b749495a84407af2a937d402ba13451b32391cc

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
93KB

MD5
91791806dd7f199e700693dcb327362a

SHA1
3b2ec3b11d8543a7d9f0c592a531196d62b9c417

SHA256
5e2745aa28f2ce58b574daa61be97eba84eceed6f44b0a819294ac379d88b425

SHA512
d36858babd085f48d12ba51a5e4a49abf9dcd92e250df5641b64413265932b01e36cae87932fcd86edf5ec37221e23f807980a4a5be4765b82ac20a33fa096a6

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
93KB

MD5
2505d83908b148c1fc21b11a065e0f78

SHA1
8640e80ab8ebbbc37392b9611ebc0d727e0e9bc0

SHA256
eb1db31dca7f598e96287bd3a9922e9026d2eafe8e0ded92319235c567f94294

SHA512
492c0857f82bfcd7f6790258dc90b0cc6384f39e527fb083f9c949096a6e87105953e97ab1e05882bf03dad01d04dcaa6f3065cc087411b7824057a0540cad0e

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
93KB

MD5
ee6a3ee175c800580a13de6493978f90

SHA1
bca73bc196e5a8d514da07ea89ed10172cf3b617

SHA256
55736d532daebdf20208b266357557b42d5d872924c58a17b4fcf3bf28814a41

SHA512
2d67dc4c2491b5d2139883d70aa03a41cc848f95ebc307a622b3e992e444f34c5ab29a0203442694ca7885ab4262f0c2524c2c8f29ff36fb94cc47342151e636

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
8a7c7a8c2bf1da92852d979d6de37c0b

SHA1
d485a7833042551247fd8df1d4f4420b279bf9dd

SHA256
69c80adc6a2d6f7702464b069347cac52f6c300f98a5d9f49f5e3a83e31b6b21

SHA512
4f5fee776d070433ef5eeb63b9e13a9c88495ec9f4fa57c3a5a374126eefc6d4420973b435990a310d16251435d1bcbd367c3620d6add0cb1f9775a556ca5420

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
93KB

MD5
02aaaf512e386e038bebd5239ede727d

SHA1
456abb9e228edbafe638386deb0c64ff8bbb1b36

SHA256
79a264292929da0fa91b42289d8be5e77f18199df4010606a55c44def5371867

SHA512
e0ef60508abd5b9ab16e99cd0f76a3f9ff253409560267abe0e2827626082263e631169e54f9a73f051a67a6bd41a6270acdf66f7a38cfb10006c8b61b1edb3d

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
93KB

MD5
ce68ea6f73ea5725d5022bd1f474b771

SHA1
99e1e36a073a94c4d7a2a118129a05623ad67be5

SHA256
27eaa61a79a01834ef676716a9084da53e384efc405ac4a72d51aca6b62c5477

SHA512
60d3324f8b6da2f4a85ca2fc853c986bbcb54c34fe07eb8726f1bb17c36e18441c3935081b663b2bf1088d1264d672ea492bfb79ca56b9f44fe1a48ef06db04d

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
93KB

MD5
49e99f6fe77434a21e03b809a55ca39a

SHA1
5fe86ffc48da635e0e3fac780f13f8d7b82c48b7

SHA256
2828ea70351a9d15ba3e6464d047fba86a4c71a4edf93ff5bee346d3c9537f06

SHA512
d48d04294513144a825c371b2f4fba8db16de420a9ec107a92293a851edbf8874bf8d0368e0a2252c6b300eca08b37d93dadf01180f20431928cc8f02d5578e4

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
93KB

MD5
da8170eae8bb16afd22398cc765c00a0

SHA1
dd674fca279e8d9f9400df59ffec73f9a36b6e86

SHA256
8008e11b2406d951f0e7d1a9b2630f3f09034494ee83882f4dcabbf87b42c11f

SHA512
02ae3010beece06fb908b6cec426e0f0d61d3c39c4fee842d883f59f5d7fa19d4cc64efdc8ed43e6081c5f6b9834dd7fda2513b0a260e13ff874542bb2812f2e

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
93KB

MD5
cc155efc4f32c8f3a5508b6ef9069e49

SHA1
8ef0bc4d3f053635bb984a6085c7fb7c620c993d

SHA256
c13255debfc1bff8b730be9c95f55d361fac4f7c74a5b42c536d3c5937f95e7e

SHA512
6127fcf4e0af0d5c3940f1e0af2054af4bfc606b6592c9c6b267a457e2408dde76de4a8e1219469e1bac211680c439c12e7bab2444d3f48b0bffdfe854095b7e

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
93KB

MD5
c506e45818b82438eaac11d2ad008930

SHA1
da1f3bab2f726b119852df15295717ce0daaa136

SHA256
a178830496b4b76ca79ee3f2723f4885f2e21a8b85765ddad93e3e70d99d7db1

SHA512
2cb67dec594065039109418920ca4e6960d3d78837831ce63a198b699baf61e0082f749968c69c633933dccd0392e013da9a72982d42d97b6735d811373143b0

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
93KB

MD5
905d7682c22bb2b90a32c6e49903da78

SHA1
154fa2c7ea1f8a2a508179a9ec1496b614b7f00c

SHA256
02bb081a70d8d0bea26664cb9bcdd5131c67267c8f2fdc84494e02dbf0b809c1

SHA512
530339b5102e1fb15a944ad5692cca1911259938be2a215d48f2f14006f5745b86be554ef97d79b7b3bea36752261c42c26e4ae3e263ba3177dbacaa0b31eb20

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
93KB

MD5
0e494e143a97e3ff35b1e8476e335d77

SHA1
4daf5651550dd6af2dd945db580f98314becba57

SHA256
f9d68577b0a13775f1498936e477cdfa91e96c465cbacedcb644f463d2c5b09b

SHA512
820478810c67d8e9116630097c37999b12717669d4da1ed8a36085c8b08d2147960ff4c3aa8f652cd40eb158d7f08f6d815490ac593fb39f73cfd8309afbf8f5

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
93KB

MD5
16d8c30f410398f09ed664172ffe2f53

SHA1
750b82b36054bd17c11ed2106a5ca5d27eced6e8

SHA256
4b4993020120525a1ae0c77501e840ed2225935ff955bcf1f68861f142832721

SHA512
67392c31e663e64080e55481dcf3cf544179d61047719992eb80ba04ecf8342109eb30d34add2962d6e55fc18672a4ef5e3c89c64abb31c6b4269fad5602202b

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
93KB

MD5
2026126ff49626a5af451a79c4c84882

SHA1
c2370b1dd713886f20c5ecaf86b9c5a36a1a1f51

SHA256
b48c8503041076136066e3275505e946f4580120ff3becd546c178f3f1234357

SHA512
bd48226336c987fef85c67e9b00c7c5854f254cf37ddcc2cca852ec38ed26c7b572c17e3658efe687ebe071e78c14c7975074fb367221d0d0919005af93c62a0

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
93KB

MD5
c40faf189fb4d62b198e45318ad5aacf

SHA1
14cc70f9dc7e751b3044820746cd4e2ec176fa68

SHA256
ddf4f1b304de384baa053b9a74709932593a0cdc848b1d2ca2a0f56f63b3a620

SHA512
3585aabbb3ac7dd09329842b5581b3ebe113c1c1186bdac4032178ffbc54b23754a0d601f218954f31a674d3d048d7b72b2ae750978e70c9ec5cfa66b286c00a

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
93KB

MD5
6622b21edac4dda78b310c9e0da78107

SHA1
c047fe1791e02a3858b22c1f00f5cffc1a2bf86c

SHA256
0470d3bd0082bf744be0cfce941cab5f87ec275ae2e38aa6b80765702dce5877

SHA512
27d739505f8ebacbfb1d9b1edec2e618839f0fad41ba41bf8b25f11e2994821e656a694896adf377ac207e50ead73fdb06114505f1f1237756a37d1ca11f5fc0

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
93KB

MD5
be895a53e1213a2cef55eb993bab4fa2

SHA1
080c6e801371245ef077cf1de8ce692b213efade

SHA256
dbffe26932dc15caaa9a16d8c771a5ba7b3564b85d10da72bfb0583f8086eb80

SHA512
c6aa90fe2c154bfb3b4e1956597b3bc262acc94c32afe16260b97849cf473f93ff0a1f7e3e8fac9c7db3fb9440bcb761a8aee95e7e99df011a46c131ad1e33d5

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
93KB

MD5
2a45b21df45df113a478e41dc164978b

SHA1
3da4e7ebe91b54c9a99afc259ff4dc8d88b9dafa

SHA256
f3614bb0f2dc4ad144bfc9190ce0ae473e7479f9106debecac6e58ffb7b4d0f5

SHA512
1d196e9d447c2dfa90e630e755b28313b7eb7803c7ae18a1ec45a7a9298c3023548eb39ad78bcdea41ef12cf8ac0b2d79256ef38571f418ba592c4f9cca1bab7

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
93KB

MD5
e4e50924d4ec699eeec7746d94933c23

SHA1
33e43caba1688273c65b0613eb129d26146deddf

SHA256
81ce8e77ded073ec2c54ad0b42387c0a43080e0fa0a478c51f703b80d43ba29c

SHA512
20c97368417ab6a588b393d00df1aae027b48803b14e9d4d5e0fcb3e0e405fcb39c263b7fe40c6af8558e4d5bed8a3649941234d11323d627303145f3bccf26e

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
93KB

MD5
c3dc1929f56b39848ac09508048f4bf5

SHA1
83dd7ae4dd7169ed55a7e7791bc07c1a2078fcd0

SHA256
8a0c145865a7379da487165914951b88b8215e35fea7239f2c16a64fcaf8ca76

SHA512
7469401261e87374cebcdd0c1c372f1e2ba91b30c8818df5fd370ba47bc6df7f0effed816f690bf1b445fbb697909ca943f17146530183ed997e2670f27ac03c

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
93KB

MD5
c6606f9fc192d0e50cf1d757070c92c8

SHA1
12fdad26ade85852cf4387a6bd608da3d33f4641

SHA256
0f8aaf0dc1f7c97629586059b9dbcdbe7815ab96a59e58dfb9d3fd4fe400c328

SHA512
a539a714cfd6ee466a446520d6e9b317ab43b157bc77c3a60fc2c4309e94bf89531950b4fe08576f2289967e8fb4ea9a603da3a6960f9804e64915ab2af83978

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
93KB

MD5
a09b262e95645683be5f3cf634a726d5

SHA1
bb53684c6b2505f84df030ffadf94e8caa0f0e05

SHA256
2d7e29179540a6926443f8cb0eb82de72d6809d9d7927b0dd28ffe8d3b2efcbd

SHA512
6a8707844c8553903bf5d5acb65fda59d816533c6a13a31c4588e79e70179be14c3cd5f383c0513d2e5645d4459438eb829afd2106af3033d85fc9725d57de75

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
93KB

MD5
c8d581c588e46fa870f2f284afb2e6bb

SHA1
349670cbcea393b68ddb2eb79f41b6889162a7ed

SHA256
0eb13ac7e71b8a50281e091211c151b6f6b24c924541c4ff926db7aa529957dc

SHA512
e1ca67ccf12f0313a2f51f6b50653cecacafa3dbdaa2c25f9134e65083a9e3a577382220a34a6f073212f0654dd14de72e2eb3199a7d8d160348a1778b07918a

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
93KB

MD5
1275862f03123ecac73c9a61ea3953a6

SHA1
440cbcb6e9fd2f550fee055029303d9c729f9f3e

SHA256
38df302ac108b842597906991c8f0baeed55c4c4591990837c9125f0b5ef0269

SHA512
de0fd064b154f8aa89feb022e9488d5991ab736a2d7abd085445e2e105257c1a469d06b7df30421b7d8a8fa4a9f06e628f6b2e6f22f4c5b0f537b40297813a3a

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
93KB

MD5
83c4aff66597a5ee0bb5a3996531d557

SHA1
099aae7d955e379492dd69f409b0dba3aeeed651

SHA256
092d557fa04b26c1195130f74923c79186ded3f0e83f953a7822ae62ff123e33

SHA512
7d31047641f2116c33b79db6581e2cd40b38de6e06a65b74e5840d39c5ed7b00b3dc5a19d99abc8843d0111e8c5300798b48f386f5ac5c71a05a88b35857d029

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
93KB

MD5
8f60c18cac9aed71f4b620495f8d1315

SHA1
612dbe5e8e60d5585e38fe597d33732d5e1a419e

SHA256
e851d48df934e9d82490565e4639d532b68becccd816fa7eca0a56a31b44cd6d

SHA512
1bc68f094c6d73eb24d02d543becfb577617d8982b7574c4166bbe151a5070b1ee8c5702cbb15fc9f0e7be47fb80151a449b9f49fef0ac39227a5235adcf3209

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
93KB

MD5
58da43798845d96d4c7340735df3e8da

SHA1
99c0e842a22bb8ea15d58810ef0ce2d011836a7b

SHA256
ba1fa09270418be746a4b25de22eab95082a441d277692ddcdbac7b0f1374d15

SHA512
1c90ae3fb9202793391e0c1d8861c6f8848c1d97eaca71821d084b214485478d8c84aac325e0da0529c853288a71473e239767fbbdbd9d9fc44767144e0913a0

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
93KB

MD5
a0baf2b1f3a62ff4e774a365b8896e01

SHA1
e16271e6f5b74b551ab306ef363b3e2a77b7f701

SHA256
dbb6ad0f775d45ceabeca0ebdc53295b67903560031ec06fd8466644361b9621

SHA512
2675e14f15ef27956a4e096a552ec59d8a28447324b92c9e8d7ef5aff8bdd8d313ee5f9ddd5a1ed03dbdcc636bd5b74c3d56a228124d8510e13f54100ec06731

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
93KB

MD5
9e2d23bf091356bf770593006a685fa9

SHA1
2a6da3a35e06c94685c8e56fb0cff811baf77aff

SHA256
fd38cfd0f843bcdf6184be2f2df01a32a912ff13373a2efdcc6654578be83ab6

SHA512
0d2ddbd881e58ce258f2ec73378f66c80878e3821f4aa281652e9304da05991e02808544e258ffd9c752e23baed7671c3def437cd3d446e495eff37f9c0f291e

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
93KB

MD5
7385fa4ab3530a61629c8964a839f213

SHA1
5af8983f33a8cf2d1edea531a3adce7e701f9788

SHA256
5166fdd7b7e2b6c1ea01c9c95ebb7f375600912a0e70be80f63714879dc5b095

SHA512
82cefd587c702160ef225664d826ecf7324b9f1f421c430908b8b0f1de521523f94fec3af832662a3cfd685bfcbf754b13e0b9404a55c048f05ea4285d0494a4

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
93KB

MD5
bb4aceb43775cce976e6d4608559a46d

SHA1
c5e30f0d0d1ad4aaefd2c2850a556dfefe93952b

SHA256
d96b6b8aee7a12e36e26603614aa6cdc6775d018e85fde7f0275a829cfef39cb

SHA512
528db020a5ac514eb2c4f9b2053104e06c2f51d249538485ccfd925f04857b2405ab5ece8c300828fb35b2e0e1a5029ec9910ed8f14152ce39287090ccead52d

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
93KB

MD5
5117a5a86936e3bc5ed1632c8fb7f4b1

SHA1
071193cb9881203870371e1b5a35d0a28d0c3a43

SHA256
fb6f7c71a56d4c69cce07973d8f22ecbc8ad76e1b684d88a811fe64146a1fac4

SHA512
b3374bba05f7df161d9a3491778d46818565199b2219ec74d118e6fcee40a28fe940a3581d11a8e45200759d659ddaeff4a80b350a8dffa404b538b11ae68f02

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
93KB

MD5
4af61e6ca5f4b6c80c49441c47737826

SHA1
c38c402a377965d486c6ffe7549e875a84d8c716

SHA256
e707cb9fc161cb67535acba04e4825d5d6317a1c27bc5b14a6349607a96a9aaf

SHA512
18bc7830989ad34178bc256c442e3ac3e07814702ff18f611449c09265231cfe2c63dbfb8b4431320612ce9070f6835c466f866dbffe853e7343e57ad5dfc0c6

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
93KB

MD5
351d498c849847a178f3ac698da3946a

SHA1
b994bf321ffac8f92240427687d980942d76de7d

SHA256
0014385d3f33ebbd443722691d1429906eda12d04c3fdc3c91b8cb03eac742fc

SHA512
98e85f3ea7e356e0a0c73f18563d591bce4c8d3d8474c2151cbfca823551af3a80fc6d07ddd426c6313b2e14e0d55d80122a2b8864e1dcde9e579f04c182ac48

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
93KB

MD5
82f551c045a5f60b88e4bd76b097755c

SHA1
f8b2a8178e469b383f64e74e32376cb43c5b6e12

SHA256
4df040e610c9526d50066978b24ce7d8a8efbf9ec593852d3f634f8bee1df087

SHA512
3429b642a1152e40af03feb8a281edf99922f53e2fff25381bf26272b68cdfe2ae9c43a2ab84a382c6ab048e614cbefe0f717ce0ead443be276254ec0f874d65

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
93KB

MD5
f8c1319f88a3bfd857f1436abc52bb26

SHA1
774915c89d283c6d002852e89ba7e0710610f884

SHA256
04db86a850e080dcb8034ae7d38e0b899a443883e609040f7cad4d550d4ad5ab

SHA512
2f5b9b28291c488b81f2f093631d309a5088d6ff5c6ad377fd703942d1e19f38ca0c90e90f2f385bbe8363ff67560a989b34e5803c913edaab746fab33d6e88f

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
943cc925309071eac97d8b344768db88

SHA1
627b8033903618589ba3c7492b064b548c6df33f

SHA256
bee373ad438a251d90d68539b48e5a91799280cde79a40b162629e833b67c82c

SHA512
e4dc87645a93cc6a6bd6bbcc9e8563b74d6ebd5948e5885229a16be108aabe685deed1863388f025b7d2ad04b8b71495556cd8dca90de40bfc7f497ec31786b1

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
93KB

MD5
3ee69ea28f692e52baef050e45958283

SHA1
d5f32f5830ba8b6dad822286622a5d5f05a2f8f6

SHA256
bbd12f9c8fa815ffc7963ca910af741672eb34925dc101b9c112fbfec1d735a9

SHA512
d194392cbf6a69dd63271bcef7a327dd72d9f0433849b29aa507bc5ce0c60ab32f5e5026ca482fb91a9b14bc9b6123d04f0b9d2dcaf646b11ca804dc93078fe1

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
93KB

MD5
2f116db3fe023bd7e92ac49945641cb6

SHA1
8ca65bd26300bb65ac904b7739ad3ace8a4674d4

SHA256
69ba97f944fd3b5c201ab22704ac3c18b1ade91d97815e4630de93e19252d200

SHA512
fa078ad012302a76c276bb9774d9b54413bf7c2815dd4487c6210c04ebea0b45717019088cf1b0fa43811f1cb5ca1ad60a4280c74781f028e3f87d85bccb2107

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
93KB

MD5
2a703ee7c808ab96bb7a08d182c36611

SHA1
673999269833f994bb614d441d894bdc468335fc

SHA256
9cbef888901d5b61b70a3582830ae47634de63cfe8b2d43987295ce619c5aed1

SHA512
51c25848dc5407cf1bde90dc22cac16760d3abbb356c6c62de2b556c5267ee4cb5d377bb999cf6c0c146b9465428b56c3f9e92ee5d48451338277a05a32a5a9f

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
93KB

MD5
95cc039b6baed7cc58cd9a125508b893

SHA1
033a27ec9f1cca1230ee575e5f2a75cb433e3819

SHA256
9e36cc6a4645985dd53ab1aa35444ff23d80f5d2f771a49e295ab1821033e83f

SHA512
6337ed93c9e7ef84ddc03a23bd56cdf2b1bf12626739bd1072570d53479206f2ce1040c24d370b4eb91e4c22b93bd939b9f74ddebba8453599f40416420ccf97

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
93KB

MD5
80aa37ba38ce953431d541450620e77a

SHA1
51ac3724d1c6e552aab1aed9937ed49baffad6e6

SHA256
e504e68c6d3d61d3a61f1f7c76ace6ea8a6bc7a8f64dbe7b89c29ff4894609cf

SHA512
175180a58967448c569a3587b60ef7f40a0e747c132f75277766e4a3ced9abbfe3f89ea30ff76c7544875408827f57e240f993a2e06c26e17e402ac5a15ad1ab

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
93KB

MD5
c41cc82487324e64edef01928ab4ecb5

SHA1
8cecbc5039458defdd8b55f23583d84f46ef4638

SHA256
8323435c7f0e438cf20a6943bca1dc2f45cd58d436d3dd23a09aae0e14bf0da2

SHA512
275fa55571817f807df575bc80e40344c1f77aae7c3e52436ab10933a19254586124bc9617990e236e853ad9475132253e3f08db895ddc6912172ca830396e87

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
93KB

MD5
c6e08f976829650583fe50b5ee23e91a

SHA1
df9a0290a68f9f0939fc3c2bd8d99b842245f022

SHA256
993dcb84842d16d2c057f02e3624912dd67148f895d21ee99e80361c3e065530

SHA512
5a0559902348a2abb151d5811e1ec7a23d1349a31f988bd6117a03c46763eacea2fa8d1e74ee28100d0203e086c198e40e11d656b2e0294e33614134bdc8b87b

Download Submit
memory/116-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/856-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-917-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-918-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-931-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5556-860-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads