berbew | 938172d448892c9019f1daacf4f28e5b7e38eea7c347ae13492ff92555c57860

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

938172d448892c9019f1daacf4f28e5b7e38eea7c347ae13492ff92555c57860.exe
Size

163KB
MD5

609a3dbfa20569007ff050d17e3d48db
SHA1

5f42572f5b2b2ea05eb2369a9bef5e6e853313b2
SHA256

938172d448892c9019f1daacf4f28e5b7e38eea7c347ae13492ff92555c57860
SHA512

40503f0582c2df71b4cbfd5324f611be2518846cd83f5c0e6ce626270f763cfd89e2fe3b587d356e6af5d87d9065221d7cc2c26b716d2711f6e781b4adf955b2
SSDEEP

3072:hgq21qdvgMQMdFWv7u8rltOrWKDBr+yJbQ:OqG/MdFWvK8rLOfQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	938172d448892c9019f1daacf4f28e5b7e38eea7c347ae13492ff92555c57860.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3664	Jcefno32.exe
1872	Jfcbjk32.exe
2532	Jcgbco32.exe
1628	Jehokgge.exe
5028	Jblpek32.exe
3628	Jpppnp32.exe
2292	Kiidgeki.exe
3116	Kdnidn32.exe
4748	Kmfmmcbo.exe
5016	Kdqejn32.exe
1852	Kpgfooop.exe
1092	Kfankifm.exe
1620	Kpjcdn32.exe
1016	Kibgmdcn.exe
1252	Kdgljmcd.exe
652	Llcpoo32.exe
4792	Lfhdlh32.exe
60	Lpqiemge.exe
4880	Liimncmf.exe
2908	Ldoaklml.exe
4172	Lgmngglp.exe
956	Lljfpnjg.exe
2620	Lbdolh32.exe
4588	Lebkhc32.exe
3104	Lmiciaaj.exe
4296	Lphoelqn.exe
512	Mbfkbhpa.exe
532	Mgagbf32.exe
4428	Mipcob32.exe
3032	Mmlpoqpg.exe
2788	Mlopkm32.exe
1108	Mpjlklok.exe
5048	Mdehlk32.exe
1632	Mchhggno.exe
3548	Mgddhf32.exe
1428	Megdccmb.exe
4356	Mibpda32.exe
2344	Mlampmdo.exe
4168	Mplhql32.exe
3328	Mckemg32.exe
4924	Mgfqmfde.exe
2072	Miemjaci.exe
1780	Mpoefk32.exe
4012	Mdjagjco.exe
4492	Mgimcebb.exe
4284	Migjoaaf.exe
3968	Mmbfpp32.exe
716	Mpablkhc.exe
4952	Mcpnhfhf.exe
3576	Menjdbgj.exe
4440	Mnebeogl.exe
4572	Npcoakfp.exe
1052	Ncbknfed.exe
1968	Ngmgne32.exe
4304	Nilcjp32.exe
3404	Ndaggimg.exe
3620	Nlmllkja.exe
1684	Nphhmj32.exe
2764	Ncfdie32.exe
1488	Nnlhfn32.exe
2652	Npjebj32.exe
3380	Nlaegk32.exe
3852	Nckndeni.exe
840	Njefqo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Jfcbjk32.exe	Jcefno32.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Kiidgeki.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Jcefno32.exe	938172d448892c9019f1daacf4f28e5b7e38eea7c347ae13492ff92555c57860.exe
File created	C:\Windows\SysWOW64\Kibgmdcn.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Fmijnn32.dll	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lphoelqn.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Jehokgge.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Jpppnp32.exe	Jblpek32.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Jcgbco32.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mnebeogl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5684	5484	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	938172d448892c9019f1daacf4f28e5b7e38eea7c347ae13492ff92555c57860.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcefno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll"	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdjagjco.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 3664	4460	938172d448892c9019f1daacf4f28e5b7e38eea7c347ae13492ff92555c57860.exe	83
PID 4460 wrote to memory of 3664	4460	938172d448892c9019f1daacf4f28e5b7e38eea7c347ae13492ff92555c57860.exe	83
PID 4460 wrote to memory of 3664	4460	938172d448892c9019f1daacf4f28e5b7e38eea7c347ae13492ff92555c57860.exe	83
PID 3664 wrote to memory of 1872	3664	Jcefno32.exe	84
PID 3664 wrote to memory of 1872	3664	Jcefno32.exe	84
PID 3664 wrote to memory of 1872	3664	Jcefno32.exe	84
PID 1872 wrote to memory of 2532	1872	Jfcbjk32.exe	85
PID 1872 wrote to memory of 2532	1872	Jfcbjk32.exe	85
PID 1872 wrote to memory of 2532	1872	Jfcbjk32.exe	85
PID 2532 wrote to memory of 1628	2532	Jcgbco32.exe	86
PID 2532 wrote to memory of 1628	2532	Jcgbco32.exe	86
PID 2532 wrote to memory of 1628	2532	Jcgbco32.exe	86
PID 1628 wrote to memory of 5028	1628	Jehokgge.exe	87
PID 1628 wrote to memory of 5028	1628	Jehokgge.exe	87
PID 1628 wrote to memory of 5028	1628	Jehokgge.exe	87
PID 5028 wrote to memory of 3628	5028	Jblpek32.exe	88
PID 5028 wrote to memory of 3628	5028	Jblpek32.exe	88
PID 5028 wrote to memory of 3628	5028	Jblpek32.exe	88
PID 3628 wrote to memory of 2292	3628	Jpppnp32.exe	89
PID 3628 wrote to memory of 2292	3628	Jpppnp32.exe	89
PID 3628 wrote to memory of 2292	3628	Jpppnp32.exe	89
PID 2292 wrote to memory of 3116	2292	Kiidgeki.exe	90
PID 2292 wrote to memory of 3116	2292	Kiidgeki.exe	90
PID 2292 wrote to memory of 3116	2292	Kiidgeki.exe	90
PID 3116 wrote to memory of 4748	3116	Kdnidn32.exe	91
PID 3116 wrote to memory of 4748	3116	Kdnidn32.exe	91
PID 3116 wrote to memory of 4748	3116	Kdnidn32.exe	91
PID 4748 wrote to memory of 5016	4748	Kmfmmcbo.exe	92
PID 4748 wrote to memory of 5016	4748	Kmfmmcbo.exe	92
PID 4748 wrote to memory of 5016	4748	Kmfmmcbo.exe	92
PID 5016 wrote to memory of 1852	5016	Kdqejn32.exe	93
PID 5016 wrote to memory of 1852	5016	Kdqejn32.exe	93
PID 5016 wrote to memory of 1852	5016	Kdqejn32.exe	93
PID 1852 wrote to memory of 1092	1852	Kpgfooop.exe	94
PID 1852 wrote to memory of 1092	1852	Kpgfooop.exe	94
PID 1852 wrote to memory of 1092	1852	Kpgfooop.exe	94
PID 1092 wrote to memory of 1620	1092	Kfankifm.exe	95
PID 1092 wrote to memory of 1620	1092	Kfankifm.exe	95
PID 1092 wrote to memory of 1620	1092	Kfankifm.exe	95
PID 1620 wrote to memory of 1016	1620	Kpjcdn32.exe	96
PID 1620 wrote to memory of 1016	1620	Kpjcdn32.exe	96
PID 1620 wrote to memory of 1016	1620	Kpjcdn32.exe	96
PID 1016 wrote to memory of 1252	1016	Kibgmdcn.exe	97
PID 1016 wrote to memory of 1252	1016	Kibgmdcn.exe	97
PID 1016 wrote to memory of 1252	1016	Kibgmdcn.exe	97
PID 1252 wrote to memory of 652	1252	Kdgljmcd.exe	98
PID 1252 wrote to memory of 652	1252	Kdgljmcd.exe	98
PID 1252 wrote to memory of 652	1252	Kdgljmcd.exe	98
PID 652 wrote to memory of 4792	652	Llcpoo32.exe	99
PID 652 wrote to memory of 4792	652	Llcpoo32.exe	99
PID 652 wrote to memory of 4792	652	Llcpoo32.exe	99
PID 4792 wrote to memory of 60	4792	Lfhdlh32.exe	100
PID 4792 wrote to memory of 60	4792	Lfhdlh32.exe	100
PID 4792 wrote to memory of 60	4792	Lfhdlh32.exe	100
PID 60 wrote to memory of 4880	60	Lpqiemge.exe	101
PID 60 wrote to memory of 4880	60	Lpqiemge.exe	101
PID 60 wrote to memory of 4880	60	Lpqiemge.exe	101
PID 4880 wrote to memory of 2908	4880	Liimncmf.exe	102
PID 4880 wrote to memory of 2908	4880	Liimncmf.exe	102
PID 4880 wrote to memory of 2908	4880	Liimncmf.exe	102
PID 2908 wrote to memory of 4172	2908	Ldoaklml.exe	103
PID 2908 wrote to memory of 4172	2908	Ldoaklml.exe	103
PID 2908 wrote to memory of 4172	2908	Ldoaklml.exe	103
PID 4172 wrote to memory of 956	4172	Lgmngglp.exe	104

C:\Users\Admin\AppData\Local\Temp\938172d448892c9019f1daacf4f28e5b7e38eea7c347ae13492ff92555c57860.exe
"C:\Users\Admin\AppData\Local\Temp\938172d448892c9019f1daacf4f28e5b7e38eea7c347ae13492ff92555c57860.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\SysWOW64\Jcefno32.exe
  C:\Windows\system32\Jcefno32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\SysWOW64\Jfcbjk32.exe
    C:\Windows\system32\Jfcbjk32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\Jcgbco32.exe
      C:\Windows\system32\Jcgbco32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        34⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        35⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        36⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        39⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        50⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        66⤵
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        71⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        79⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        81⤵
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4584
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        86⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        87⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        100⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4836
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        105⤵
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        106⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        107⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        111⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        121⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        123⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        128⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        129⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        131⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        132⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        133⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 400
        140⤵
        Program crash
        
        PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5484 -ip 5484
1⤵
PID:5580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
163KB

MD5
83d5a466fa13e4444bb069f9f50f9364

SHA1
ead03d9126a1040e25ec864800bc9ceb790db907

SHA256
6d8f00d91e00ff17249530a0c8d489c2253a26667e53b7712cc57785820d19f8

SHA512
369d7a0fddcdbf1720a992f90e1199fdad47ec09135c171d5f268cba3a7941639ecd395d90ee9b09a9ab81bb55575ad8aee8af0c9791211ab47df7d5dcf5e0ab

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
163KB

MD5
656477fad4bce6e5d2f954f25363b6d5

SHA1
ab22f042d4352cd9602a5cb39cacf7cc7c8c8cb3

SHA256
969f75a30d68c66d69ce6a8c1130daeea821a694519f813b2061b224cf7e1eaa

SHA512
e88beeef3fdc41421bf483d40f0776047cbc56aae33481c59a53efb13d6dcc5c5074586a211efb405e59c2b1b6ffb4de99220c6dcac6ae13f759d91e8ba39962

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
163KB

MD5
0ffe952d19bbeadc35ddf74dc91ab305

SHA1
9e30e8bcef6af8ce40e0652ed37a053786d100ae

SHA256
20ea6209f9df0c492a10c77771c32bbe1fab2d7cc4a15abf58bef17bf96def3d

SHA512
5209b73f6171b0f9631b68c131f21becbdc2dbc9e3ac02ad20407edb5aec1e180b576f70d49ec8e3b5c1cdffac495363022c16cff6b8a07183ecf109de92ea15

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
163KB

MD5
fce6a1d64faf36408ad277e9fd51b772

SHA1
c9aa834e4da44ec002f270e600a739dc947c0d5d

SHA256
45ede1ba9cc226fefb23e233803bb46ea5e9c477398adfc66e612defabe3690d

SHA512
7262ecbbc6d1f863f63958a9727debf0c6f08090989637e89aaa8ffeb291b2744dfb442036dccfde1152a4f6413a52ba8b305fe159fcc8f15faa16f2a2bbab0c

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
163KB

MD5
e5fa6fba9d279a49fe921a536335294f

SHA1
dc353d42269aeb73219ca6643d107b13880d452f

SHA256
e395afd54666988b2b10046c2d879a1827536142167396d722176988e2cf629b

SHA512
aa2200ffc0c693415c85c1f9aa62c7dc97f1b6d82a5e4ad8f81c183294eaeeabe0ee90d907c9d916e4f15ce33d613adea386d0a0df911615ecec4a1f7201f2d2

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
163KB

MD5
39ae518510e9f1289a54db71ad92756d

SHA1
e15c78a61428efa315af0144c02e4fcb3fd0dad0

SHA256
8afd32fa7295b1e9c634700dda024165bb83744641b90623b1529ae1f9d42c65

SHA512
2f7e686045927b13a3f26e6d151e9b9983348249f990329cc51a806b0e59be4446b090a944557fd5585f0d9e8180597d3a868296054af3b6aa0c42a2fe49acfc

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
163KB

MD5
c3e3018c115897e178d93952db406f46

SHA1
b3f3e978e5a480a165d5f555d2106f2f2c49c7cb

SHA256
3f0ce2664a7a78e1bc58b3638792c31bb0824166aad5e91d1a8e318f91ff8edd

SHA512
4b2a13420b3ddd90fa3cbb1060dca35285e8cc3ea21d198da59986207d41b41030d95eb851028df0ab194d6d6e59d0bc8553c8cb53bb5e1b44465227ee2e1de3

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
163KB

MD5
a748c498ddb7d6df8e1d7b78f66e2e15

SHA1
755c21ca36af5790307d31603a08080bf76ef851

SHA256
6470b9afae3a0e6520102020cea47aa2a766eac5b9382ba9860ae0a427424ad0

SHA512
d7eeb07e17629af8f802a96d0fafb2d40f533e4088ae34c665df64361b3a9aad13b64c577493fa7fccdbbcfeea7310f5022ed683b836d6ea4400d2eb692a45f6

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
163KB

MD5
f89f6ba68380030aeb73490aa9dd19e7

SHA1
9568a9a92428829b3a6647b89e31d8dcadbf9fa7

SHA256
8b4ad64bca62c759e6354b6531814f56fb63a7e4e86ccf9f7eb6f4a4d94c445a

SHA512
fb99d5569ad0054c0be2f50260bdcb1bea5a0a5fdf9daa658769abcb63b23d417fb2d0a7b7a1bf7601c26f4fabb7d775a1a30cea4dc8f39ce60cc2b2b0e2ac43

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
163KB

MD5
739441ecf983694931269bc44dbbc035

SHA1
f7a146e379e08ca0de020369b1f7051689f504f7

SHA256
e7d86a7585c1df2669ceeaa0ac3f806661b6dd8260fff45c147bd1eb404bd56d

SHA512
773e0720c48f6193ff547e9af7c486c9e24d1692d2cdce02fd00382dd16a0625541e97d2cbc29ccc10b9957657a097491eb7a5e9f1c06ff86211db67307acecb

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
163KB

MD5
cf22c6ef1553d9ac1e0daa932559b317

SHA1
0d4fb8c06a70947b75bdccca01aca80102d0875e

SHA256
250fa22d17a12bdc77b41902463bf846e95bce3109ba0e090c43d83cca7c04ee

SHA512
9729dce385562555e13dad8c2af5f8a8485412a7bfc9ef25bfd51098d34c22429050f1e39ac2937358f254a86849fe1d40de51e449b92c2e516c885613aa72ed

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
163KB

MD5
ce9526136d7c3039fc3f7f2430601c1a

SHA1
3d6b68a5a7a3b33fce422e8c139250edaf2cd379

SHA256
3fa38754175d3f933f01624a4ac4f3d23038627c0c0f961717c5a76af48460af

SHA512
821d9b7c5628be868d546a773228e1a4e78195ea59423af5fcc508686df372a646bd88d0471da194c9138d58b8a674d40296c659ef440b949250ec79ce570f67

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
163KB

MD5
66d040ca508fb6d144ef56e51e598602

SHA1
5093f1150fba025c25641c2521d49df5b0b1ea0d

SHA256
f0ddaacd7792684440d4fc907879137485be211e8d926e997eb4f9b5c01d4ae4

SHA512
ab251866536210f802683f9f0593fdf49ca58f65c70eeaa929120b5f0078e25ce6a59329d139ba8cabe05660c17a85f4bad6d7926e97a2edfc7a9efba979f26d

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
163KB

MD5
d4965ab2b6f64f7aa3a6a0c71a805f05

SHA1
effb69e3604753ad4b78c2b98904a2af318dae5f

SHA256
adc125db5724be603b8168247b9b29981e808ea2946a0e59396aaec2bf1bc45d

SHA512
56bf211063797e799875b5c78586bdf035071d08c2aa5470867cba2fc3e429d01c42e07226c38dbd53e35e77b7cd574ef88f82d43691d4ed531b5083fc9d9275

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
163KB

MD5
7d78567f552800ee90643caf3d95d0ac

SHA1
b685b3d2780a2c183dac23af5d3458707fa08125

SHA256
c9d698a80414ffe8bcf72aeca5abc7d42276d2888d11059e557ca168fec0de4b

SHA512
42a95614c48808a219bd7e23103bf3fd6b1b8a36d2fea677e0db8234c9ed2dc274cd72d1e03158a287ae80b19aaa692dc382696986a1a2588c4a0c41ad4e38d4

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
163KB

MD5
049c08b56113cf40881c21d78cdf4ab3

SHA1
5763b48c8abfdd8abee2655013da812a2b170f9e

SHA256
d4788fe22f60e569e38db1cbf2616532ff0292b432e5ad7af15e4b6907666973

SHA512
8c426cac8ad161ae2e82a28cdbde2ebd6a741130bf8c8dc518b4d66a19074042ea58fca8bf9197c1690de7e396e8bf2d6eca247bd03aab8b3f19eef0a26b4eae

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
163KB

MD5
fcfe04a3982cc088b2122e8f343f2b09

SHA1
7143fe82bd52d5b95adafc0b36aac94a45fdcfd4

SHA256
070d32d1f1083b8f7598437c55b5e4eee5805913986590f989a4d197d73a520c

SHA512
6b5e6ecd21e7f28fb4273c755cfeb83018f0d57e678a1ca8a18b954ab2464b53837d938b8c2227feee6eb4998b673168c04555cda61a4f1e7e2c450054870c17

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
163KB

MD5
28ecc725ae7c9b97d4ce8f4f16b2bfc3

SHA1
6ada8a6cc226d93f68685349c16f65b47c2df295

SHA256
4cf4a1789a5275360dceb50c70538919f36896154bf623febfd2f9f33253c7fa

SHA512
3c16efa2d11ed7bd387b17ffe12280414a605fa7246f52e0272a09987817323a14bab810c240100e125d1627d9c30b4fb2471a0a340fa5605e09712980e5af37

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
163KB

MD5
eedb9a48809d43b80824e3584b5b7f23

SHA1
4550d165285d608adeaad74ccfd88a8631b8ea75

SHA256
5173965c286b296f595a4aff26e74dcaf52fc3f1bf8f7f89649b4d07c0563ebf

SHA512
66e68a6127cbabe6bb32da45c048a7ff4dc2857c5d3f8846554b03fd240a1e78665775d7d204f913ec67e999a57962497d9e1f98a88a67777e9cfb01a9e8db03

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
163KB

MD5
852530dc050df9c4873118c6329f4fd3

SHA1
4a88c63afe618a717f750cea7f6dd62843f29b07

SHA256
0f2afae093b8538ccdc4daa042fb07e6bf6022acf7bc96cd28ac43825bdd2280

SHA512
31341085ede4bd7b2861c304a782c575fe0f686c6fbc762d64c32f398d00aae1b3b448585b3850968e2f4ac3ad0d42ee0bd080bc2747e5817e4210cfc9a23176

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
163KB

MD5
2506b5d60d6824ce0eef903bca159dab

SHA1
2499ae8e50aec312d0e7d2a65814b14dc92f9944

SHA256
1a556abc60fe47853e2d468f0ca04e8fd7457fc201b4bd4bbceb77ba75c9715f

SHA512
86cd6875adc29b266c06853f9e69580f1f96bbea943f22fc3223036025c1aa561c0466768ab441d411a937ee9e9d05afc28b0d05b44ba517189b3adac076098e

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
163KB

MD5
40f31850ca368f8e575e8f8a921166bd

SHA1
f1ebd9475b2bc192bd11890fa5b6b41b1304ab42

SHA256
b069f7abd7ef8cafadcfde573909cab398f52cdf1cfd2ec26b265b44dcae2d2b

SHA512
5363c46e12969e00bbcf570890e33aefd89a47556a304e09d49aeb5b9ce6a59602c0b059fea91a0ae73a488bec9dbcfbd6446cd24a6fa5c8dc58b42314863e5b

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
163KB

MD5
4bb1d10c8b49a82c8ed337daa8cadad1

SHA1
f62697cb0bbc8846498fcbafa1aab8db59813cc8

SHA256
f3f0f469039c0d05224096cef2888daeb7199c5319449b6a3e25e9b007c5a23e

SHA512
1ac60fa2cee38b4d501257f7f477091fb152642df930ee505bdd20a04d737e94bb4077800e602ae2c204d5aa2b1c3ff074ebda651fbeba8df774c80ad8de2749

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
163KB

MD5
e76615328184392c8e95d75a59efb15a

SHA1
07d5e1ba86399af42360d8a49cdec8abd4075c67

SHA256
210c9eafd5474c1f5a55cd77598cc7e3028fb2a7bf34efad9700d13313d63368

SHA512
08b6123e62045b22b9054dae2080e12af6d99b6455604822daa6e93437aefe83471a4a43de285c9e86ca2f6d4389f17a489447aa1f504ab898e51a871f332197

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
163KB

MD5
03a9a8c656723e73bb72b2a1b7cd399b

SHA1
55dc8346e58e04a3afbdc2c9e4930ea7e794ebf1

SHA256
ff789a83ef7fad91e9e0e52f3e0eaecc6d3820637c14f34e60fb151d9fb323c4

SHA512
a6e55baa01c95c1a0075224ff707e4ddd079ed14ec3c6f954210c4332a47c27ed5e249e42601a89d70c8d0fb1f0932aff7e649b8bbc94b5a2f26cafe0d214508

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
163KB

MD5
abbfe7966849205f2481fb2f532e8541

SHA1
b242947e914a6660e290fdd8265f991cc6824f6e

SHA256
98152ea9666602d74f77fa06b4d7caf6fef23bd01154d2d8455fe5e8ffe3f280

SHA512
504910184ecf71745d9489c1a6b54f17d9add87f5c133fc5aea20e4f8ccc3f8e4f8cb0bb7da7f6fc4be392fed8c6aeaeec51c8d9b9cb212c5e89f299bb0b7e7a

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
163KB

MD5
70b3a4c81e6e4d045e30cd37451de3e5

SHA1
9a2343883d0b7460599b5cdb37e9b1d89e9a5e8b

SHA256
14a85b6a1dc6b84b818ccda7e8a3d7dc5e305f82a336ff0338738c72a17016a9

SHA512
f18fe21e05e0deb83ea6b3c7942f736e4da436af3b433b376c8922c517f0fee9da0b2e5f5c5587d87f76c690ec24b0be8e96e191972d0b4de2e5d1a6f4d2254d

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
163KB

MD5
6e578c84135bcb18d371684bf1f6d450

SHA1
af281037b97d79d867cd896ce909d6db437bbafa

SHA256
a2f5ff49cf12d925d89c6817e71e3c70e01285ac6aaf1b8211f24c44a393b874

SHA512
e98b530e360b8590202fd5609f521a6a614a48ca3d2f462114cdb9dc1036d4c11df78e5c9891a4c3398a204dd9f267f5aa5381a543c6877d5c0abbc0f658e002

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
163KB

MD5
95b9435e37fdc6796e23822a50f0083b

SHA1
6a410956e4fa1f8caf2cecaa8c35a4437347393e

SHA256
687d5823f3da57e563568944c5cdd5a31326a8218839e3c8598595a1d0a4be0b

SHA512
a3569a4d0ecbb76d3d53cbe75ec0db88dee91ef2ba5a615df1f8f2fb43465bf6d0abe1cf804f9970e517c6d31f15dee22ba0f0620c063f2fac96604e62f89c9c

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
163KB

MD5
bf62571f17d3b2ab3fdbff4111bb6630

SHA1
76d1a4ef82f0a66ae2f8082c93d52aaa7713a83f

SHA256
124b96081a6c97c08dad9f481a3ea8d6da45e4d83132c15cb415f07dd4743c89

SHA512
e2976245634ee554f489570cb7797d8ff7701caee4b4a1cd8c6b7787527258b1bd58703c2c7bd30d18c5cc4a2e6a6e2a1f4890afd853cb39ec64d1be7b359c5a

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
163KB

MD5
a2d4e04557a0754c3d129fd1ac59b4d5

SHA1
0c41fd47087fbcb62a9f222af89a2725dddda48e

SHA256
aed4d623745f3897ded5d789bc9ae4b25c41f58972eb466126cd413edda8e2a4

SHA512
6bf03bbdb3d708ebe4c74e584f87617b20721d56bafc736484a8b79f19529600d65e70dcf696749ab883bacaae605c88f0a98022d356de620ff54650b7fd9e5b

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
163KB

MD5
cc4944537e633aa28566f718f6fc4ff8

SHA1
838bdd9849e7fb2495f924f050c87247ada34e2e

SHA256
e018b0907c827640e4fa06a67e5701c613a4725d5c9f7f1de6e47ada93dd436c

SHA512
2ae9f67027d0a8ec2d8962dc3989fe106a564a9415b83358738748442cd845fc2413322af023af516308b40b9ed66fbf7d294c242fbc90135d0c2fb49d7dae5a

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
163KB

MD5
764c7083f8e3a655e83e0e60215fbd2f

SHA1
b53b5ed29d934f80fe66403c16018554b1e6fd0b

SHA256
341e47ffb8300177e29bdd5dca1fdda3e97e13c66e0450dc51c5bb650ddcd35f

SHA512
82972c97efac66fa6cadbbfa568cc9e06ed7531ab2c7961f4003b8e4360fa865f9fa6b2d820306839eafb4e0f6c11c14e38586b2eb2bfd0bbd9b189d042965b6

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
163KB

MD5
7b86a4c923758862c589b540ba26a4a2

SHA1
d69a09806492c06def8dfc93e1e559e9b70991a8

SHA256
b4c1d5d1783d3256c1b574719db87953b327d97294a56af5bb2ce4592f123bcf

SHA512
ee40c5e6c885f2c050f7aa2a4129f998fb8f2d577e776ea19ba4e06bacd07b342e53fac5ef7426ec119afc528cfe36d63e841da481d18c92f52f2047af5a42f2

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
163KB

MD5
26198511040c741e360a6a30a1c92031

SHA1
8b2967cc520199a0a25faa0bd804fbedbe7f4102

SHA256
f32718a6b6d98ab5e559dfbafb2a313abd514c26c29bd4c059f2d2d2f530f5c7

SHA512
bcf89a9f8ead25e72810605ea9ddc3e2d272f9bf2497d90e43bd1cc7be5b9dcaf1883def176fa12e04974f70359fdf8ba03f2bb239da5ac99d5af0a8c6878587

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
163KB

MD5
3021d103a7fd786307cf86ebf7d25f13

SHA1
8e8027f7f4b28be10b99b72f905012181d9f1084

SHA256
6cfb91b65cbf5f1636b82f2ee146162a7be2d9b127efb325a068221ea6939df3

SHA512
3fce7cd72cda7e3a74a3e4af4e2c6a0406d6fc55403e55359c9d6935bcd0a0e6f1c68e348f4647e43d2f1c8917995df66c8ed8c7ed5ff93b0e1add79e7b63dbd

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
163KB

MD5
00d39e71b7f8d11594ec2b395e140fba

SHA1
d992c98610e8e835cbda0ebe1eab085b1ffcf057

SHA256
4fdf9ad3b6781085f47700f880add9638f4859d7b572b106e902dc4b3abf1142

SHA512
dcf1c1ab0efa15229b101c46db7081d8c299d422ad805cbde93f08f7b460b2c535b57f97fd66db9887eb1c774800ffcc189bacdc5a223e9f035c93de842b3afe

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
163KB

MD5
f9f81690ca1af419e7cfc0c0414bfe0d

SHA1
1a1105f30ec59d5be3347c0c655d2b8c927e274c

SHA256
9d94f20e41a986520b23a35047313363a454b0be97779a1503228a16419dd5da

SHA512
7177c982e2e451b763c0d5dbf6dd8405d89e1338d83e29e09cb85b19c4ef7eb8f9aa27315ee28f4a56b26ad10834c2d897d13f7bdfd2e231051917ac1d1c70e9

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
64KB

MD5
331880495d42139dd84b7be74b3014dd

SHA1
a42d21c8d19f201dd80eb3be4464dfbe351f9c1c

SHA256
65564a1a8c029b13a92ee9ef127ccc91a06fcf2e0c60c4ffc8dc23c8b17c6a1b

SHA512
50257bcea1d95bdd328dbd082ed27c54bb4f58297baceb241cd4527099c6b1709260199bd16a3db9db77f799453448324449c2b1667248c41477ec3712a198d6

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
163KB

MD5
80cf0a6cd8ce65ddbbec44ea50c5f7df

SHA1
6c1b6cb4e764a75c21a5ea567cd1963bc121e4af

SHA256
377556a9ea69af81da5e73b9018361040c68b171da7d84347e2d63ca7cc725ea

SHA512
b284110058070d425e439067ea33d828ab36b92a3906b49dfd6e0b6f8c1daf564fe20daa61ecf708ba842295fab52a3288912e8dd9a5503290d46fc4110f9b75

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
163KB

MD5
5e4e06a5bf7a4a47f7e7d9b9381149ed

SHA1
290d6deba4e4309bde2682ad982e40227c144744

SHA256
b9a2688da257d5d59ffb20cc5c5fc47a05b961cc963c2121e47136e80fa3b61e

SHA512
7a2e90fc5695f84e817523e0227287453a73de889226dbbeb16f1a71f0ee505ec754209b06b017de63929c1c4f30ebf6927a6713521b77614a65832880f9b1e9

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
163KB

MD5
391326e81cf814a40cef5dc5bbe59c32

SHA1
cbe4989682136c7662ce14c384cabb8bb794d979

SHA256
2ecce76f07fa055a385112dadb03d00647a994fa953075cc9c409b269a5fce48

SHA512
56e53e20428e79be88548d664dab79539b328642afa9abc8a6b3fb59c1ce1198da5575c5752c61e45f3eb33855b08d5f910707c3a008afdd05b6e613fb58b819

Download Submit
memory/60-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/60-1151-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/404-576-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/468-577-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/512-296-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/532-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/652-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/716-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-505-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/956-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1016-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-368-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1076-613-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1092-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1156-457-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1244-511-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1252-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1460-523-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-1057-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-439-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1488-410-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1552-547-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1620-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1628-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1628-665-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1640-445-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1652-541-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1684-402-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1732-529-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1780-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1852-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1872-651-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1872-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1904-499-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1908-481-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1968-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1992-463-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2136-625-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2236-1054-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2236-451-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2292-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2344-306-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2532-658-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2532-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2620-189-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-416-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2764-404-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2788-1126-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2908-165-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2968-487-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-983-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-666-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3104-295-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3116-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3172-632-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3244-645-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3380-422-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3404-386-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3512-659-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3520-595-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3548-1118-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3620-1074-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3620-392-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3628-674-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3628-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3664-644-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3664-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3708-517-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3716-1006-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3716-589-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3724-493-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3852-428-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3984-652-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3992-535-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4012-338-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4076-1043-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4076-475-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4148-601-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4172-173-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4304-380-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4364-969-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4424-583-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4424-1009-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4428-298-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4448-619-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4448-998-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4460-631-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4460-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4460-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4476-607-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4492-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4508-638-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4532-569-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4572-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4584-553-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4588-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4748-1169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4748-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4792-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4800-1046-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4800-469-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4836-673-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4880-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4932-559-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4952-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5016-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-672-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5048-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5452-953-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads