berbew | b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe
Size

163KB
MD5

2904b713636160fb865e98d798a014fc
SHA1

8280bdeee93f9480f8d263714ecfcdccf8be12c3
SHA256

b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e
SHA512

af1c5442021bd9acf261785d553943b4dcaffdf04a54d6f67a39772d05b1afb800a9f5d75e1b7ff83f8438b6f64b33387bfe60e32facf12a1e6c514b238e02de
SSDEEP

1536:PSUqBoZECitqxAQ1OecGs/ilProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUQ:KUjwtqxA+OecGs/iltOrWKDBr+yJbQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kboljk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4908	Jplfcpin.exe
224	Jehokgge.exe
216	Jblpek32.exe
1224	Jmbdbd32.exe
3452	Kboljk32.exe
404	Kiidgeki.exe
3728	Klgqcqkl.exe
2192	Kikame32.exe
4500	Klimip32.exe
2328	Kbceejpf.exe
1984	Kmijbcpl.exe
3044	Kbfbkj32.exe
2952	Kipkhdeq.exe
4504	Kbhoqj32.exe
4016	Kefkme32.exe
228	Kmncnb32.exe
1480	Kdgljmcd.exe
3484	Leihbeib.exe
968	Lpnlpnih.exe
3604	Lekehdgp.exe
4048	Lpqiemge.exe
4872	Lmdina32.exe
1476	Llgjjnlj.exe
2656	Lgmngglp.exe
524	Lepncd32.exe
376	Lbdolh32.exe
1820	Lingibiq.exe
552	Mipcob32.exe
2528	Mchhggno.exe
1244	Mdhdajea.exe
1944	Miemjaci.exe
4148	Mcmabg32.exe
2808	Mcpnhfhf.exe
3972	Npcoakfp.exe
3024	Ncbknfed.exe
4388	Nljofl32.exe
4428	Ncdgcf32.exe
2628	Ncfdie32.exe
212	Npjebj32.exe
2452	Njciko32.exe
1404	Ndhmhh32.exe
2320	Olcbmj32.exe
1044	Oncofm32.exe
3032	Ojjolnaq.exe
64	Opdghh32.exe
2136	Ocbddc32.exe
2032	Ojllan32.exe
5012	Odapnf32.exe
4464	Ojoign32.exe
2836	Oqhacgdh.exe
4656	Oddmdf32.exe
2268	Ofeilobp.exe
2884	Pdfjifjo.exe
2740	Pfhfan32.exe
2276	Pqmjog32.exe
3944	Pdifoehl.exe
900	Pnakhkol.exe
4756	Pcncpbmd.exe
3488	Pgioqq32.exe
1964	Pdmpje32.exe
3420	Pgllfp32.exe
4516	Pnfdcjkg.exe
4664	Pcbmka32.exe
2812	Pjmehkqk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jehokgge.exe	Jplfcpin.exe
File opened for modification	C:\Windows\SysWOW64\Llgjjnlj.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gnbinq32.dll	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Ocdfloja.dll	Kboljk32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Kboljk32.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Kbhoqj32.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Klimip32.exe	Kikame32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Mhkngh32.dll	Kmncnb32.exe
File opened for modification	C:\Windows\SysWOW64\Mdhdajea.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jplfcpin.exe	b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe
File opened for modification	C:\Windows\SysWOW64\Jehokgge.exe	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Mipcob32.exe	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Kbfbkj32.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Oendmdab.dll	Jmbdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lekehdgp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5164	1108	WerFault.exe	189

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehokgge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll"	b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	Mdhdajea.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 4908	2864	b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe	82
PID 2864 wrote to memory of 4908	2864	b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe	82
PID 2864 wrote to memory of 4908	2864	b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe	82
PID 4908 wrote to memory of 224	4908	Jplfcpin.exe	83
PID 4908 wrote to memory of 224	4908	Jplfcpin.exe	83
PID 4908 wrote to memory of 224	4908	Jplfcpin.exe	83
PID 224 wrote to memory of 216	224	Jehokgge.exe	84
PID 224 wrote to memory of 216	224	Jehokgge.exe	84
PID 224 wrote to memory of 216	224	Jehokgge.exe	84
PID 216 wrote to memory of 1224	216	Jblpek32.exe	85
PID 216 wrote to memory of 1224	216	Jblpek32.exe	85
PID 216 wrote to memory of 1224	216	Jblpek32.exe	85
PID 1224 wrote to memory of 3452	1224	Jmbdbd32.exe	86
PID 1224 wrote to memory of 3452	1224	Jmbdbd32.exe	86
PID 1224 wrote to memory of 3452	1224	Jmbdbd32.exe	86
PID 3452 wrote to memory of 404	3452	Kboljk32.exe	87
PID 3452 wrote to memory of 404	3452	Kboljk32.exe	87
PID 3452 wrote to memory of 404	3452	Kboljk32.exe	87
PID 404 wrote to memory of 3728	404	Kiidgeki.exe	88
PID 404 wrote to memory of 3728	404	Kiidgeki.exe	88
PID 404 wrote to memory of 3728	404	Kiidgeki.exe	88
PID 3728 wrote to memory of 2192	3728	Klgqcqkl.exe	89
PID 3728 wrote to memory of 2192	3728	Klgqcqkl.exe	89
PID 3728 wrote to memory of 2192	3728	Klgqcqkl.exe	89
PID 2192 wrote to memory of 4500	2192	Kikame32.exe	90
PID 2192 wrote to memory of 4500	2192	Kikame32.exe	90
PID 2192 wrote to memory of 4500	2192	Kikame32.exe	90
PID 4500 wrote to memory of 2328	4500	Klimip32.exe	91
PID 4500 wrote to memory of 2328	4500	Klimip32.exe	91
PID 4500 wrote to memory of 2328	4500	Klimip32.exe	91
PID 2328 wrote to memory of 1984	2328	Kbceejpf.exe	92
PID 2328 wrote to memory of 1984	2328	Kbceejpf.exe	92
PID 2328 wrote to memory of 1984	2328	Kbceejpf.exe	92
PID 1984 wrote to memory of 3044	1984	Kmijbcpl.exe	93
PID 1984 wrote to memory of 3044	1984	Kmijbcpl.exe	93
PID 1984 wrote to memory of 3044	1984	Kmijbcpl.exe	93
PID 3044 wrote to memory of 2952	3044	Kbfbkj32.exe	94
PID 3044 wrote to memory of 2952	3044	Kbfbkj32.exe	94
PID 3044 wrote to memory of 2952	3044	Kbfbkj32.exe	94
PID 2952 wrote to memory of 4504	2952	Kipkhdeq.exe	95
PID 2952 wrote to memory of 4504	2952	Kipkhdeq.exe	95
PID 2952 wrote to memory of 4504	2952	Kipkhdeq.exe	95
PID 4504 wrote to memory of 4016	4504	Kbhoqj32.exe	96
PID 4504 wrote to memory of 4016	4504	Kbhoqj32.exe	96
PID 4504 wrote to memory of 4016	4504	Kbhoqj32.exe	96
PID 4016 wrote to memory of 228	4016	Kefkme32.exe	97
PID 4016 wrote to memory of 228	4016	Kefkme32.exe	97
PID 4016 wrote to memory of 228	4016	Kefkme32.exe	97
PID 228 wrote to memory of 1480	228	Kmncnb32.exe	98
PID 228 wrote to memory of 1480	228	Kmncnb32.exe	98
PID 228 wrote to memory of 1480	228	Kmncnb32.exe	98
PID 1480 wrote to memory of 3484	1480	Kdgljmcd.exe	99
PID 1480 wrote to memory of 3484	1480	Kdgljmcd.exe	99
PID 1480 wrote to memory of 3484	1480	Kdgljmcd.exe	99
PID 3484 wrote to memory of 968	3484	Leihbeib.exe	100
PID 3484 wrote to memory of 968	3484	Leihbeib.exe	100
PID 3484 wrote to memory of 968	3484	Leihbeib.exe	100
PID 968 wrote to memory of 3604	968	Lpnlpnih.exe	101
PID 968 wrote to memory of 3604	968	Lpnlpnih.exe	101
PID 968 wrote to memory of 3604	968	Lpnlpnih.exe	101
PID 3604 wrote to memory of 4048	3604	Lekehdgp.exe	102
PID 3604 wrote to memory of 4048	3604	Lekehdgp.exe	102
PID 3604 wrote to memory of 4048	3604	Lekehdgp.exe	102
PID 4048 wrote to memory of 4872	4048	Lpqiemge.exe	103

C:\Users\Admin\AppData\Local\Temp\b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe
"C:\Users\Admin\AppData\Local\Temp\b398b2ddd2aab4d5921054ac0c3bd2cf28998ec117488a24d140019cab99e36e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\Jplfcpin.exe
  C:\Windows\system32\Jplfcpin.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\Jehokgge.exe
    C:\Windows\system32\Jehokgge.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\SysWOW64\Jblpek32.exe
      C:\Windows\system32\Jblpek32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        27⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        32⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        37⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        59⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        73⤵
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        75⤵
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1868
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        80⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        84⤵
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3600
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        86⤵
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4056
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        91⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1588
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        97⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4264
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 220
        110⤵
        Program crash
        
        PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1108 -ip 1108
1⤵
PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
163KB

MD5
ad2f0e04869a9c136f5f3b8375b4b9ff

SHA1
6e5eb228629a944a16348b151e72c483064cd936

SHA256
f1fea560c7a094d522d5c7452b3daaaab0dca8e86ec1d2d02b2365ce1f75cb04

SHA512
f8b47903ed87277b47f912acdce87a3097806990c6742b20d650db952c0c51e17d84f9574769c1e8fc64ffda0ca7abbc2d4de83e508389db58360f319b797261

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
163KB

MD5
a1e878f08f5a4f0e757fd07608a4d9ee

SHA1
d1254041d93ad35de6103b9e6d28898e70c67302

SHA256
165eb7211ec5909728dda8419d6094b9b02f32328336c4c89f63aa5a39adccdf

SHA512
2eee9e1bb1c0dde2085424d6e4c6c5f0719862d23ac283813ffc19b4f7c28d4a67be06e48ac19e8034cfa01a0dafc283f8a14a8f10107aa422c75925cf7e0367

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
163KB

MD5
de655ca18a58e58e587ddf8ed2514243

SHA1
13fe751cb33d6a357f8e2280a9ee38494267f571

SHA256
1b7e366adb9efb0fc644316f5c3d80a74bb8f089d81b6d9e3b7fe428b514a312

SHA512
753608570e95584c35bc1efd2ac5b40370fccd0f931c9ae73c38e34fbedbf43c1200225763d39d8092801de199eb94f163d6780ae32d723fd4da1a29a61d5617

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
163KB

MD5
281f642b7f48aea3430225f22ff6c7c2

SHA1
835a2d381c2188c6c5e4b402c8e2951b62d93c79

SHA256
751cdc25e8da11b49e3bcb59a7733a887155b994f85beac5d147e1fe1fe3dc05

SHA512
62bebb13466bd360dce1a1a8b1253010e53db9558d67f2ada183606ca7dbee81ae08c02f5540269e2a0fbd983be39186757274b0b70279da2e186103d1bb9200

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
163KB

MD5
505b73837ef20e59b51dcda78c88f109

SHA1
9797958c02131ade74549fd23f1e54ec58acbb67

SHA256
e927da17569f544ae2aa6ff96415b443766129ec5c1fd6b200a6361032eb4211

SHA512
5578265c1b53f21e29fec0d20aa6c7ee1ab93a724d2c054358cd7dee180228f1845f5cde7e6cf4d4a6a0923fc9557c98e43c9bae231be9c2e5522fcaf665ee08

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
163KB

MD5
2ae71a6f6f94e3ec3d1a9b865f4b6026

SHA1
94dd38099f5791b6852c0e2931cba37bcd7f06b8

SHA256
f722359ed50d99846b6e92ea8a4509fcb68cf3b4f1dead7e2849df88ab902c32

SHA512
dee0f02209661c3c5f2dac4fa60b03ea38c38f9343c9b994aca56fbfc4efcd856ca7797beee6ad096094092c046440d88037318a40589ef5a37fb193e9e64f89

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
163KB

MD5
64e5c2c89e687d5a438e9c29730b8938

SHA1
064f9903025f0a2f265edfe351316b7ede4feb89

SHA256
82774505846c6aa9ed1b66400720f5fe52901aa049a20ab1fc5579afbbac41f1

SHA512
8b245e0cfd1510fdf4a1fd39d161a83b40a4521751def971ec7a1ab4df3598ead98e959f9e099e46a220cc717f3947446bdcd735ffbb89d1851dac0f4deea2d9

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
163KB

MD5
a90bad8d002f0f92c3ea2f3496f61717

SHA1
87381731a35e34425c84dc6ffb9bc93ae00af3e3

SHA256
3b4fc1b38d247c2a53c9a67b6be45a5cb93ec52af5100e6cff097a852196a519

SHA512
41cb597e95d869e9462bbd5ae0f4e488282783823836993e02e4b2f2066a02a244fa13ea2f63019d010a2dee80363ba60d1a75099979a4c6df3c11b9b264a9d2

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
163KB

MD5
5178f46d1e6e4b7b9af1689ace413b13

SHA1
896eea280c04828e27c1c82571ad449eef51c31a

SHA256
8b149f739d46142b16a00878b5d01a2030488861fc106e67bdec16b1f65e76eb

SHA512
89cc063624c04e576fffb6755a12d15f6370d1bdd699ee36b3f8a48546a6533043b35d570c82bd3774bbc5ed3d4d6445cc6f357b0366fdc28e9f1e1c01cf5663

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
163KB

MD5
72b62d868bc8d7a2986f727dc37bfac8

SHA1
afba4871c336207cd6a3a58b1c8736fa9106e546

SHA256
0e2484b3fc7fb38e7ffe474548668bbabaa364d794524a037c52e4964730c0f7

SHA512
299fff7225c8ce0136ebdcc0e062bbe5544f1fb70d5e84f8ee2854b2f66383a79fb3a0f8523bf05b2b293c7630e722ab1d574c7b52c42418c4e97fdf14dc49e2

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
163KB

MD5
631207e57c07d57609cd6577ad719f2a

SHA1
8358db2a6a76d349e3c2b8d4d5585b9b12fde8b8

SHA256
31990560907ea322c1314342f7662bd425454a520ce5186d5ae07f81d07392b9

SHA512
28c8574dfa66d75d4208330136c7ca7a8f408b17db5a973998d51871f973252931f75f24bb36511dcb2a6d7caa62c937329eedc1d6f053b1b61544d9afa02a1a

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
163KB

MD5
02fab2e92779c38890258cdf1e6b1971

SHA1
6c42cfded0864d91f70a9a50dd76fbc109a0072e

SHA256
b78f47f4fc31121663d806bac4f3ba8900b4df7ddfa2ae3096b6ab58e45e690e

SHA512
ec0f0ff40de5c40c555f4a7da707d1e7c42e31f737df84a4ade4aebc29cc76e9009c6a9857e78fbc37b7006c66ea111e4a865bdd2921263fd9dde6b0e1efe60a

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
163KB

MD5
8bc928c03486f78157856eaaf050470f

SHA1
7e1a758eba88e910bdcc0e5c67b63bc71367f70b

SHA256
933a602d03540bbfdce16cc714a7f00150f05a1397d16f36202d831f5f165399

SHA512
5d38c86b1ff971ae8dffab4a6fb7ef5a1104281e265a794b0a1838c236d3fd21326824411017e629cdb21344d58b3b18b24d73463c790499b9e82852943cbdb7

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
163KB

MD5
90ff1424fc7fa7cfa7ff23341ff95943

SHA1
4ae174ec7028de4fe5d53afc7d608ed7d8249166

SHA256
f88791fa7f592e04bee9370f377e2eba93f758b1ae54534493cfc7fa26ed6f00

SHA512
4496fe490afaa5289e9f7de6200e9b6c8752f41616ee8fad95c4b8c8d168489893433a213d2d9559bdc1e89d7a53b91d279ea83e58f53b02f399c98db8701937

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
163KB

MD5
1deecd739df1bc10fc4d76f98a703a33

SHA1
31eafe79b988a7cfe54c75a095ab6bf3fbf62b82

SHA256
c0125a8503e4ba2b591f49800769b6dab1307af44c87d002815ad83468d52920

SHA512
c92967fa23ba545098a898b4fde3cc5e06675fc0d2988b0a400e4586c3e335a1058c13614410fd816f0f8d31642ffe816c39c8231a5181c9957193f5a64ed46f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
163KB

MD5
8978c6f0ee12e1d16a6c7669dba174af

SHA1
5e7f27a9bc2dd0ee2f5e058472844f2b3528b6f8

SHA256
c4b95b9951570bd23524d5c287a25db34cb9e9ff802951f8cbb8586020e4f034

SHA512
85c27ada7b64f50c432b742ae398cdb716a5a93adcc2549fef19e4ae58f44eabd2cd0d2c6916d9fc63562cb54e9180b45a5503441454af873d834a5b0ded21a1

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
163KB

MD5
6b38fd03ca23554fae0ed3f906b2c588

SHA1
a1d87a2af299eeb43719ea6e6ed814c39c31cb7d

SHA256
39d9695ffa16dfbf58c7d7a6ed62180a8f070ec222ad9d108478173a47513654

SHA512
e5438ea03e317bb0b9f0944212d7d6bd51900fc16b8f618893709ee65a873fedabd081b0c6ea20a9abfaa2c957a89fe12b03d1479e183ca99093f3a779cd536b

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
163KB

MD5
18c4da9bd1339bad0a2e83b11dca90eb

SHA1
e8ddb10510c54aaf24ee9bee12d2011b5b111d2c

SHA256
00a9dba5937a4afa353e4879c81d44dc5dc67a9f6c4824bc1a83efd4b27f31f9

SHA512
7202d34bed24499362177a45ba2e859509977f04181c55fc5e53bde2e38e0827dbe5f4b9cb148c43356b988f9f373a55ad1670dbe5229ff022b4d934db7fd044

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
163KB

MD5
aef4b0dcc11c1c318928d8c78d5e2652

SHA1
95070b1b3d6b0dec61d648e822f4c067140286ea

SHA256
df9f26dfbc02e685f139058231a05805af7e505abd8e038e17b3cf59c62cde08

SHA512
e4871206e9640965beace11a255e60b5f36bcd1a82070e55a0412954b2714e1836f80f13becca240fdc1883a5477ac749c2f637e037e131a42b4f962b76258f7

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
163KB

MD5
fa62ce541c8a0bc1ae94b058552f2e4d

SHA1
69a2495e0534c55558582178a01367d80caafd80

SHA256
179a1365569df8197d94f3e0e72b5643f946dcb7fdb881ffd9138475608cdfd0

SHA512
e6a8cb4e014a4da913cda435b0ee43673dc65b96bc91531975dfe49041ae31de29467ef0b2f8ae8b132693d66156256299b5751d52823176e8df520147222a9c

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
163KB

MD5
0662ad58ed790ac77cf673d644b1ac56

SHA1
35489f7676955cc7656ea6548544013d1e840ac4

SHA256
081248b33478b42e74a55f96352bcea61455b6b1fb3ce97dcf3eb0852ede6326

SHA512
76817482c1d5b4c554e46ac534422ffdd3c08c2afe26c488f40c4b96069a37f8542dc32d8eed0f95ce531b0c4c756f24501248a9f774910842eb236c46309f8c

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
163KB

MD5
1e18049f68881c2fb762fb0117f8f7ec

SHA1
ce922f16db9606a62e67d8a624b362897c558f12

SHA256
a49fbb02031987a0f4b22d0e4c1241cba4b16bcf8ac066482168f04b9af9d9d2

SHA512
da97e12e90110485ed04a9bcea4d54ea9c15fba8946f63682a3af138dd2537ba0c43c7b4825d7f91c6d08a0024a7ba597e197cf26ab9549bbfb2c8b44441e449

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
163KB

MD5
737468213d9e2873e7e734c1b00b1537

SHA1
f524a6f0b2c70deb4a955a9bd60b94ecd544907f

SHA256
1d50f1b93995ccdeaab54507fc646e7ac7185767649b4bcdb64443ba926c3d9a

SHA512
137ab19b53a9d36d23d454f94ff456690f4347ec7a9978c4b4b1a240d7597f98b4028e21c2b04e1742e470610cd6d78fbf7b05929eb02e1586b75a0dd42ebf32

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
163KB

MD5
4f27147dad9816b7a7a3b8339680fdbc

SHA1
41a1ed5b72d9be7d29cadf2bfd2cc359fb629154

SHA256
79a973e502b6f425488e95089e15f9500d1af5fb4a5a8a1ab2171028d2a6a950

SHA512
e2bf648d6e0eaf38222623a0259759eea62252d856d99522fa48e7799565210a6b8c00fa7869fb40494a77304c9dd433be1f342fd2f665323139498ad5dfcc1f

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
163KB

MD5
df5eea764adcd12dc4f393e10c60bd18

SHA1
9bf7917f386bbeb4bff451678b7737a2d5d7146e

SHA256
299c782132c08f1623bf8e99affc58e657c0bc95a80a7fcdb89d62d332fdccb5

SHA512
9f32f5c301cb81a0fe8e82ca707e6185e3b182ccf8e325be15efd882a242c63798b0f141523efcb4cecd35d9ac80d8f03e908e8e3f4daf8055cfbdb0d3a09a6b

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
163KB

MD5
2ddb1fe676b091a37fa4d0df3b43b32a

SHA1
38233561b252be561b8ac0bf066042a42edf99ce

SHA256
37181ca532fc8e112a059885f313c385a51bcaed230a2b65864505f592915988

SHA512
ccc8a9ef9359c1ea76fa9c0a8bd353a1f5ceccaf254c0856387c6568908db9eacdccf884f854e187ce04e43158a61cfa7aefc2f233a8d55ae4d858a63138bdca

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
163KB

MD5
3d5ddf844925528437004ea070fe737b

SHA1
9d59cd219704024a41fb984fced8992f5dfc3bff

SHA256
2f64835629b6cf24353bbccb21e49fe0821edb6a235f0a676638200cb8b6241b

SHA512
cc58e61097908528a2257cc43531d947ce2a4bd9556dd088e47d4215b6d5fd1e2e04dcef346214e029b72b2aa26b184fe246bfde1b48048f7a01c6449c8c8a2f

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
163KB

MD5
e479261c8b393548d78f586f706b7912

SHA1
cd9a76505a915f3c58e5a76119500a08d0e0e5ed

SHA256
2768c808f17eb01e7010645a073e6cbb497e99c2cafbbe637060c1289ba55bc8

SHA512
88a6287ee8f7fa995ecfb8a40ae1ee7df17238efe049d8ad724386bce2faa5645b1856a4708120c70b5c7f08a24b1599fc9808e4b64b14d0b3d440ae00d97003

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
163KB

MD5
74aeb2856a2f17cd4045545e26a88e9a

SHA1
245385abf150ce340a8737bd48ad691585e15a5d

SHA256
1235264c895ddc0eb5af5a960f67ba26d88cfc735dfb64d69fd946e860718734

SHA512
44b51ba1d9045f80a99e9dabdbc23e7cf54fc110961b2210d737e0cca807905e411a982596e8756528ef40e32c89d1d9e71a3e2b7b5ef9343c29fcee29db61d8

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
163KB

MD5
0524effaac701be699fd8012c126e53a

SHA1
d9192d95ecc6004911ecd7265fe63e1dd86183ea

SHA256
5b0ebb381d500dfdeda940e60888041048737ba94f67cf08cc10cbdcee3e9732

SHA512
6e68b774c2a0817a3cbca8e4f711f98e55efc404f58a811dc84d7ab4d0304d1ee6e39054e85f8688657180d6b8fd95ee74d6844e851e7e5d686ec2ea1917e660

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
163KB

MD5
469712ffad52f97f5f09510c4f60c299

SHA1
3e8f3108c16f5313aa4202a24391c92a81ca9f61

SHA256
ef289bcd042c15e6bb08faf979820748fab2dfa8498477894e16d2068ce3de76

SHA512
b5cf6c87ff67a97cb374ccae0fa51f06b7c39109eae212a455c7c25fe18dec4183fd6b47c105b6f39a90f4b35afc0819cb8d626ec2ff818d65a8e89bff853bf6

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
163KB

MD5
f937eedc5f0bac36e0bd069fbe764471

SHA1
c9eb70414c4c63bfd96be447a561e3e73e04f4db

SHA256
0476300926876d8c1034d7f39905f5311f2db09e82d769832b2deecb75f455ba

SHA512
a8f91d84e6f6017a19f2e3f4c92e29546a77b28e44003503b2f60abceb4c8739363b6cf383c2997356c32c17973499469368d1bd9c030463b5121cd28c1cc271

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
163KB

MD5
496871f66dda5c723b2acce8dd1c0889

SHA1
9d5bc29f4643509439295e3cb7c6db3cbc0ba39b

SHA256
916097b9de1e96937cbdc2e52985f8524a12475d8b361fe0a9669589b64a9f5f

SHA512
2a42809075c5c239444f4f967cd0352ae96e2c39343095ae566c60779493be986e8884a6ce1447a9e55d2718cd2dcc4a5915068e2a528bf69e9a45b84e2efdb5

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
163KB

MD5
1f8b8d7450e34a1774bb3b8a22c091cc

SHA1
6ec3c15929481d538269a0efa1f23c75e1a37dcf

SHA256
c726090919cff9dd97e0db393a135f54325fa2180eadcc3b15d2e6d2214960c8

SHA512
043b770ef6f2a1c961b020f7f6853ce85fa842cd82954a3b81470cbd8986a2f4eb9086a63e16ff715408bf227e6f99d531d0c47fbaf8310f5316cb99d1599221

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
163KB

MD5
f2413b2708befe682593f2fc8e5d06b1

SHA1
3da6120cf744afd0b41d5854f1bc8739bbedf482

SHA256
58e3337910e85a3a421bd26fe03ab6ecd97aadf0a90097863e92204783ae0a85

SHA512
e0af441a46cbe6f92adb3ad91f4dea4c5cf9d15e777099d3ca62c790deb1777da1a4ae3226bcb9f0bbcfae2e76fc3e9789c4557dc2a6bd499b72e2d639e038ce

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
163KB

MD5
112a40b85cbde99d5bb3b69f179b566a

SHA1
6f87394513c6822039f0635b1d812c989c498930

SHA256
928aee3eca417bf1bbcc34f521563639cb141bba6f1a7f44d721efc5ef447697

SHA512
e2b98c6d0d4af525517c83a93e4b3945c971859570956ea16bfea303d1c4625ef638245cbb8f6ed0424da2a49db570d1fc766bc0a9083ae085839f20a38a9990

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
163KB

MD5
7302b7e33c0c831bfa12a9edad0dd585

SHA1
1d01cd91e46a1d1668354015006c18f5b6109814

SHA256
98157047fdf9ab5f4300cce429a57b4939ba8e01a377c9d5481565683914fcbe

SHA512
8a85ff548c0bea2d29b5a2b19839829cdd9d7f005d5a0609fbe61b728b58fa5bf7799b0ae845c8fe0b9bbab550776f473931ac1bdbe751aa34b65815648b2b3b

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
163KB

MD5
46c01ee8ba6d2c07cf5859faec4f7429

SHA1
38cf24bc9a49eaaac8ba2787da22851d5d8f5566

SHA256
bfea81d033d3c396b043e82cd935476f34cbfc8eb0cfb21025f8cde84c153cf8

SHA512
63014a2be93f21f495307d745c6713a4c28d061fe0b346ecc7b03da73560df60c7f9b225f9699eb1eea57eab4d25a370556f5859b25bbea484026179ebd868f0

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
163KB

MD5
7f096ed315372f40ec29e89ce124d8ad

SHA1
a5990641e8d6e45c9702f075eadc2378c73d0afd

SHA256
1eb9652b29ee843a336285f167228f3f2c82be55d04c73755ee9a78e577b6980

SHA512
944b13c997f1333720578b7d87eec2008b69ba35634d6b00212e1a02c3b6badd7cf38f1441bf1e95dd4f3d31155393abd8d48c94b6bbe63f608a023a71a079cb

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
163KB

MD5
25f8060788dd35dce1842cb60230453c

SHA1
ed8245793e53abdcd6d2007af6349b02993975d9

SHA256
21c625e2b19fe3d0fe75ca0f4ca8d89218fb61c5a096d81b0bcf2c1b65613614

SHA512
b8636d470888c8a72c6510bcff53f7ae7791baf9f57ddd3de2fb6e7547ab792a2950f5c4935f1f1a7ab9dd0e20a7556b24e30bf4e47437ba301b4ac09c05f0aa

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
163KB

MD5
ac375dfced0780564b5c86976f3502de

SHA1
ed4c36b1e521657c0ce194cabe5b23f8b3770970

SHA256
6d7f1ea181617ce3dc92df78fa9afee7cd4903d9d43c31dd6e38ab92ee8d9043

SHA512
3f1233d5561febba946fe9c47d0eae14138e5239ce50ce938a2570e9c857bc0ac596698b6a098bc30544ad1feb6569b827890cd037ece5effe0653a62d1ce19b

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
163KB

MD5
d449612d9673f52f3e1673b76b9757cb

SHA1
100e9947af78e117ef533bd52bb4f7eaf028155d

SHA256
be23a35ddb41cb04fb8b19acce28024a6d950bfc438054b7c032faef65e86303

SHA512
42edd765cf8c7701f6c376ada4656c2a49a277a071237056c6bbda10edad22a2a9fd96bd047f4d61a0c4d6ee10809da643eb0a46cae879c81f72e33da845a54f

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
163KB

MD5
f3d91369269ad86f1ded9a4885ebbef2

SHA1
c16a30deba13604583f77fdc2da71931764cfa6a

SHA256
742b62caf030aa7945c13c3835937ccce2017a0e0c46d80d0125a28cceab0386

SHA512
6f37d4e1f8380d5fedfa147e8894dfdf85aeb63feba8be2c2c1db36deba713c4be3beea66ecd9996e7e8010acc6d073547abfb64c03ed0a4ce785acedb1c20df

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
163KB

MD5
00362a6896726f6bc78d602cb1a73d1d

SHA1
42249d697cb544e23429103a5b297f0e318087e2

SHA256
569f178dfd2981f151e290134a3eecdc41b6f31dc9aabb1d813c73d544beb9ff

SHA512
66fca1075ee49c63c29c88df423e33d74e66ef93745a02565c53439a098b946d9f0527a9edffad14f5cdfd288fa89706da2f0fcde91531fec07eeb4fa98af7d2

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
163KB

MD5
aa7e2b986400f84581bcc7bb36788994

SHA1
03613774646bf35d165225aa5e49ca9ddfa90c50

SHA256
4057410c0fb808f72cbb0426065c26a6d8d72b9e0a05648d055ab32225692c20

SHA512
a0ab09065810f105790392330d635323c8f2ae472abafdc1b8b92405eb113819eccdc029796cbc9acdf60dbfb26c2ed1206c75bcee5e920d4c603765054fe711

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
163KB

MD5
9eb391de1f81cd0cb185ea2f41d3f610

SHA1
932746e1128b2fb26f885d2bc4e82f05d1d184f8

SHA256
76f37efd2bc59031f62791405da44f65701f5ee992cdfa6474b1202220773e6e

SHA512
dc83d6558ce979c399e7bd414bd8e7c54608dc4ae5247f3dc02f72993e9db5a45ee4683fa84c50a5e50d3912a97be8b825be36c91d5aa1b01619213b71938185

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
163KB

MD5
77f37b1194a8dad1975fe8b28e751bd4

SHA1
35bb13027df06404ce39b74aeabe0b16c451e6bd

SHA256
ba7e8540b9afc1a9171c9a12cc9d6c62b015cbb66e0969d15f3abc9776473599

SHA512
7135e460789f4439e87690096d57b730c82284953ab0ebe4bb0d526d370c5c57a1a17270368fbfcad452c09b513ccfd6c60e6780fbef0e32721677c5222c7b6b

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
163KB

MD5
68492c431f82abfe731581c897c7571c

SHA1
c18c0889de829f4183a4b2546b9343ff4795cabc

SHA256
4d05e572a72ec1c71b765b7177e0a1ee265371091082ed367b79a47f6abe1ac4

SHA512
241f5d724862fb760a647806e96727369c6ff2274614b1993e794f330e056a1c336a9f80f6b71a7c41c6007a3e7a459abd88b858d71ab722698e217eb9b40349

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
163KB

MD5
cd554d8680bb9c908d81551368aff121

SHA1
64ba8ea59f1985c7e907d363b57ab0faefdd42bd

SHA256
80abda1b734405b2a2f253e685423f2393583d05d2a028d2e536b00d7c53f8c8

SHA512
a75bc94561b2b71d305bab7d008a3fa6022d01450d69e6c3844544ad08a6b5e2f189413b9b2c520b777f77d8b22ea251bae584fd1f48fe7377b84bb65af3f0ab

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
163KB

MD5
22827006c68fed272a46444e58a126fe

SHA1
9d9a93677cd82acff41bd9a83a6fd7d4d975ed2e

SHA256
01102fa1bba2b951f124770b0e73a4c6a44359e78b2de7daadddd08f5182b83c

SHA512
d481ea697a2aa0f4cacc1f603ede7246eae4e7d10ec2685b1718377c7c764eadf7050a09fba2c2d83ed4be7f1ebf323f78b5e694288c305e077fad66d3f6cee0

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
163KB

MD5
e7974c41f827a26372bef67785431f05

SHA1
3fe211969c3099216dbfadd2f9079decac79a5b0

SHA256
0f6ddc1e5ab141ef001ef14f3f1e08fd97059c46dd4d8bd398ce8e99b42ddcf1

SHA512
9e563100996a011752e49663758a43da790a20588d411fdc5b55181e46d22eefdeaf411ff1ba5c8c46692a68ac7454c20993a4464c0ef543c38b0aa5b96ba548

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
163KB

MD5
2e12e053b45e53afdbda86cecfe51bed

SHA1
a0cc37975edeb3ad2462efd1e14fd6a15b052dc7

SHA256
650afc57d5b3d4d27ee95063204828be79be40e37b857bea26bfecada9c323c3

SHA512
9c43cf0b72445f9b0a6524e7925d57a4ac2df4e2478b4e960676dd5bb32febba6e29ba8c8ff30332711445cc47e40b96e174b08197e872237b0fcc3b75b72450

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
163KB

MD5
67bc1155af85c0d5c93a838a8ff30b09

SHA1
4e2b5342aaceb84edcb36650f0ea0489219b1ce9

SHA256
91d844e91032948f8958e66d49e81d0a5ac7be063ee3338d3731312a96d28fac

SHA512
a96337fab5c4416d555f8211ad023a4078ff239efd9c45b959f46e15ffa61e754a1200e36c61f2c443c071ee6881aad5be6fe6d697dd30aa0519d0c7f00dc6ca

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
163KB

MD5
f8ae9a3103de6212ee1e7c8c0fd894ca

SHA1
b08e2e15f0e11e8443df9e75e5d70e4bc34f87a5

SHA256
130dd105b37d54af4d1eca18edb13b75d7f16781c9dd887dea130575cad88230

SHA512
87a0e92d86de98b4e4499a47c88cc20c742280a3404e25a9f1a036b72bbee77721c848f702ef874cd91c338deed0ebf5de0da64b73aef7486fd1c0d25185c6d8

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
163KB

MD5
4b64b259d3a3a74d589ebe8bb6b38775

SHA1
1dd8731ca810dcd2379146f3226665138bce19ff

SHA256
2e9fc9230c116441e52d8780e06112b8ea2c296a8c5ea84b3633cb724178d3c4

SHA512
3a9fd5ef5e898bc5b15f4b0c5c98c5bb9b95e8dfbef7d2c2ddcdf6459e59e4f140283caa686b22789dca9b4b8b5211c1900cc6e16b79e1438a764a4a51c364aa

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
163KB

MD5
4030b049651bede3b28fa8c4db7b45bb

SHA1
37eb3ff03ebf6292baa51deb7f7840f239cc72fb

SHA256
b9c321b0f604cb69372b8a89a6e86ea5650b58a721c1208b06a1e9dda6067859

SHA512
60757092a6c0a94f44b384d737cec8e11a822ea1296dda55c9b6c816bb889d669619904f5c2796706be995a8489fc56bc386e60a65ebacae13175dd83a31b1ef

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
163KB

MD5
2a90b59a4c2f3e30d91d0fe97e26628c

SHA1
566b828bd1023abffdbcdd439975d92d3aa2ec36

SHA256
2ad43297c54c0006f61325e9d3ced33cac78c80a50d5c4116e540ad28ba6fd86

SHA512
f147037df53dd83a467501e11056c5a51a4c3ca16edd12b8e9356e052c97850269f08ed53aa24f476c3197171611d117c76425835ebda344f612d7f7cc75a85e

Download Submit
memory/64-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/212-298-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/216-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/216-564-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/224-557-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/224-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/228-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/376-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/404-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/404-584-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/524-199-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/552-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/900-406-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1044-322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1224-571-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1224-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1244-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1320-496-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1328-591-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1404-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-513-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1476-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1480-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1564-458-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1632-551-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1820-215-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1868-531-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1944-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-424-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1984-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2032-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2136-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2160-525-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2192-597-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2192-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2268-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2276-394-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2320-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2452-304-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2528-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2628-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2656-196-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2728-544-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-388-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2808-262-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2812-448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2836-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2864-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2864-537-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2864-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2884-382-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3024-274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3044-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3292-478-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3300-763-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3420-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3440-490-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3452-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3452-577-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3484-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3488-835-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3488-418-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3604-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3700-519-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3728-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3728-590-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3944-400-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3972-268-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4016-125-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4048-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4056-598-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4148-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4424-506-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4428-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4464-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4468-565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4500-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4500-604-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4504-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4516-436-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4596-484-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4656-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4664-442-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4676-460-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4716-578-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4756-412-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4804-538-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4848-472-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4872-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4880-466-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4908-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4908-550-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4988-558-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5012-352-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads